SBOMs Are Not Enough

A presentation by Brian Demers at JCON 2025, May 2025, Cologne, Germany

Slide 1

SBOMs Are Not Enough: Bridging the Gaps in Software Supply Chain Security
Brian Demers, Developer Advocate (bdemers)

Slide 2

Topics
• What is an SBOM
• How SBOMs are created
• Problems
• Solutions
• Future

Slide 3

Who is this guy?

Slide 4

source: Silicon Valley

Slide 5

VS

Slide 6

VS

Slide 7

Developer Productivity Engineering

Slide 8

The Software Supply Chain Challenge: Complex.

Slide 9

Something Something Security… Governance, Risk Management, and Compliance (GRC)

Slide 10

Pancakes!
• Recipe
• Ingredients
• Instructions

Slide 11

Enter the SBOM
• List of dependencies
  • Version
  • Name
  • License
  • Other metadata

Slide 12

Dependencies - pom.xml

…
<dependencies>
  <dependency>
    <groupId>dev.diceroll</groupId>
    <artifactId>dice-parser</artifactId>
    <version>0.3.0</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
</dependencies>
…

Slide 13

Slide 14

xkcd.com/927

Slide 15

SBOM Entry (Example)

{
  "type" : "library",
  "bom-ref" : "pkg:maven/org.testng/testng@7.5.1?type=jar",
  "purl" : "pkg:maven/org.testng/testng@7.5.1?type=jar",
  "group" : "org.testng",
  "name" : "testng",
  "version" : "7.5.1",
  "description" : "Testing framework for Java",
  "scope" : "required",
  "hashes" : [
    { "alg" : "SHA-256", "content" : "a5ac92d2362ccb3a509abe68e385ca809a7c96fcbaf851b3ee8bacb2ac899e2f" },
    { "alg" : "SHA-512", "content" : "0bdf858bd678e0887709cc2598f8857b4b86184af7a7dbb3cd20bb6b39c20587ea135fa3bbe645d9d863df78ed4cd67637edd248ed6c454db…" }
  ],
  "licenses" : [ { "license" : { "id" : "Apache-2.0" } } ],
  "externalReferences" : [
    { "type" : "website", "url" : "https://testng.org" },
    { "type" : "issue-tracker", "url" : "https://github.com/cbeust/testng/issues" },
    { "type" : "vcs", "url" : "https://github.com/cbeust/testng.git" }
  ]
},
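The hashes in an entry like the one above are only useful if something actually checks them. The following is an added example, not code from the talk: it walks the components of a CycloneDX document and compares the recorded SHA-256/SHA-512 values against the bytes that were really shipped. The SBOM and the "jar" bytes are constructed for the demo (the hash values are computed from those constructed bytes, not the real testng or dice-parser jars), and the status names are this example's own.

```python
"""Verify shipped artifacts against the hashes recorded in a CycloneDX SBOM.

Added example (not code from the talk). The SBOM and the "jar" bytes below are
constructed for the demo; in practice the components come from the SBOM the
build emitted and the bytes from the artifacts actually deployed.
"""
import hashlib
from typing import Optional

# CycloneDX hash algorithm names -> hashlib constructors (subset).
HASH_ALGS = {
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
}


def verify_components(sbom: dict, artifact_bytes: dict) -> dict:
    """Return {bom-ref: status} for every component in the SBOM.

    artifact_bytes maps a component purl to the bytes that were shipped.
    Statuses: "ok", "mismatch", "missing-artifact", "no-hashes", and
    "unverifiable" (hashes present, but none in an algorithm we can compute).
    """
    results = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        hashes = comp.get("hashes") or []
        if not hashes:
            results[ref] = "no-hashes"         # a claim with nothing to check it against
            continue
        data = artifact_bytes.get(comp.get("purl"))
        if data is None:
            results[ref] = "missing-artifact"  # listed in the SBOM, absent from the deployment
            continue
        checked = 0
        status = "ok"
        for h in hashes:
            alg = HASH_ALGS.get(h["alg"])
            if alg is None:
                continue
            checked += 1
            if alg(data).hexdigest() != h["content"].lower():
                status = "mismatch"            # bytes on disk are not what the SBOM describes
                break
        results[ref] = status if checked else "unverifiable"
    return results


def component(group: str, name: str, version: str, data: Optional[bytes]) -> dict:
    """Minimal CycloneDX library entry; hashes are computed from data when given."""
    purl = f"pkg:maven/{group}/{name}@{version}?type=jar"
    comp = {"type": "library", "bom-ref": purl, "purl": purl,
            "group": group, "name": name, "version": version}
    if data is not None:
        comp["hashes"] = [
            {"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()},
            {"alg": "SHA-512", "content": hashlib.sha512(data).hexdigest()},
        ]
    return comp


def demo() -> dict:
    """Constructed scenario: one intact jar, one swapped jar, one entry without hashes."""
    dice_jar = b"PK\x03\x04 constructed bytes standing in for dice-parser-0.3.0.jar"
    testng_jar = b"PK\x03\x04 constructed bytes standing in for testng-7.5.1.jar"
    swapped_testng = testng_jar + b" (tampered)"    # same coordinates, different bytes
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            component("dev.diceroll", "dice-parser", "0.3.0", dice_jar),
            component("org.testng", "testng", "7.5.1", testng_jar),
            component("com.example", "unhashed", "1.0", None),
        ],
    }
    shipped = {
        "pkg:maven/dev.diceroll/dice-parser@0.3.0?type=jar": dice_jar,
        "pkg:maven/org.testng/testng@7.5.1?type=jar": swapped_testng,
    }
    return verify_components(sbom, shipped)


if __name__ == "__main__":
    for ref, status in demo().items():
        print(f"{status:17} {ref}")
```

Note the "no-hashes" outcome: an entry without hashes still tells you a name and version, but it cannot tell you whether the bytes you deployed are the bytes the build resolved, which is exactly the gap a scan-based SBOM tends to leave.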

Slide 16

Quick Demo

Slide 17

SBOMs from Container Images

Slide 18

Accuracy Issues with Scanning

Slide 19

Limited View: Runtime Dependencies
• No toolchain data
• Might not support your packages
• TODO

Slide 20

Build-Time == Accuracy
• Has context about the build
• Dependency scopes (runtime, compile, test, etc.)
• Annotation processors
• Knows where artifacts came from
• Knows if they were transformed

Slide 21

Inventory
• What to do with SBOMs?
• What do you do when there is an issue?

Slide 22

Frozen Pancakes?
• Who is buying these?
• How were they made?

Slide 23

Batch / Lot Codes
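The batch/lot-code idea from the last three slides, as an added example that is not part of the talk: keep one SBOM per deployed build, index them by package coordinates, and when an advisory lands ask which builds contain an affected version. The advisory, the application SBOMs and the library "com.example:widget" are all constructed; the version comparison is a deliberate simplification (numeric dotted prefix only, so "1.4.2-SNAPSHOT" sorts as 1.4.2). Components marked with CycloneDX scope "excluded" are skipped, since they are not part of the shipped deliverable.

```python
"""Answer the recall question with SBOMs: which deployed builds ship an affected component?

Added example (not code from the talk). The advisory, the per-application SBOMs
and the library "com.example:widget" are constructed for the demo.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def parse_purl(purl: str) -> Tuple[str, Optional[str], str, Optional[str]]:
    """Split a package URL into (type, namespace, name, version); qualifiers are dropped."""
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep or "/" in version:          # no version component in this purl
        path, version = body, None
    parts = path.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return parts[0], namespace, unquote(parts[-1]), version


def version_key(version: str) -> tuple:
    """Numeric dotted prefix as a tuple: "1.4.2-SNAPSHOT" -> (1, 4, 2). A simplification."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(x) for x in m.group(1).split(".")) if m else ()


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range [introduced, fixed), the usual shape of an advisory."""
    v = version_key(version)
    return v >= version_key(introduced) and (fixed is None or v < version_key(fixed))


def find_affected(sboms: dict, coordinates: str, introduced: str,
                  fixed: Optional[str] = None) -> List[Tuple[str, Optional[str], str]]:
    """coordinates is "type/namespace/name", e.g. "maven/com.example/widget".

    Returns (application, application version, component version) per hit.
    """
    hits = []
    for app, sbom in sboms.items():
        app_version = sbom.get("metadata", {}).get("component", {}).get("version")
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl or comp.get("scope") == "excluded":   # not in the deliverable
                continue
            ptype, ns, name, ver = parse_purl(purl)
            if f"{ptype}/{ns}/{name}" != coordinates or ver is None:
                continue
            if is_affected(ver, introduced, fixed):
                hits.append((app, app_version, ver))
    return hits


def sbom_for(app: str, app_version: str, components: list) -> dict:
    """Minimal CycloneDX document for one application build (constructed)."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": app, "version": app_version}},
        "components": components,
    }


def lib(group: str, name: str, version: str, scope: Optional[str] = None) -> dict:
    comp = {"type": "library", "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}?type=jar"}
    if scope:
        comp["scope"] = scope
    return comp


def demo() -> List[Tuple[str, Optional[str], str]]:
    """Constructed advisory: com.example:widget, introduced 1.0.0, fixed in 1.4.2."""
    def widget(v: str, scope: Optional[str] = None) -> dict:
        return lib("com.example", "widget", v, scope)

    sboms = {
        "billing": sbom_for("billing", "2.3.0", [widget("1.2.0"), lib("org.testng", "testng", "7.5.1", "excluded")]),
        "portal": sbom_for("portal", "5.0.1", [widget("1.4.2")]),              # already on the fix
        "reports": sbom_for("reports", "1.1.0", [widget("0.9.0")]),            # before the bug was introduced
        "gateway": sbom_for("gateway", "3.2.0", [widget("1.3.1", "excluded")]),  # test-only, not shipped
        "inventory": sbom_for("inventory", "0.8.0", [widget("1.0.0")]),
    }
    return find_affected(sboms, "maven/com.example/widget", introduced="1.0.0", fixed="1.4.2")


if __name__ == "__main__":
    for app, app_version, widget_version in demo():
        print(f"{app} {app_version} ships widget {widget_version}")
```

The recall only works if each SBOM is tied to the build that was actually deployed (the metadata.component version here plays the role of the lot code); an SBOM generated later by scanning a running image answers a different, weaker question.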

Slide 24

Are SBOMs Enough? NO!

Slide 25

Missing Context: How Was It Built?

Slide 26

Beyond Runtime: The Importance of the Build
• Origin of dependencies?
• What compiler?
• CI plugins?
• CI host / agent info

Slide 27

XZ Utils Vulnerability

Slide 28

Lessons from XZ Utils
• Treat your toolchain like production
• Single-committer projects are high risk
• Attackers will target the weakest points in the supply chain

Slide 29

SpotBugs Key Leak
• spotbugs/spotbugs
• reviewdog/action-setup
• tj-actions/eslint-changed-files
• Users of tj-actions/eslint-changed-files

Slide 30

Lessons Learned
• Security is hard!
• Toolchains are complex
• A list of runtime dependencies is not enough
• Pin GitHub Actions to a commit SHA

Slide 31

SBOMs and what else?

Slide 32

Provenance
prov·e·nance (noun)
1: Origin, source
2: the history of ownership of a valued object or work of art or literature

Slide 33

SLSA: Securing the Entire Supply Chain

Level  Description                               Example
1      Documentation of the build process        Unsigned provenance
2      Tamper resistance of the build service    Hosted source/build, signed provenance
3      Extra resistance to specific threats      Security controls on host, non-falsifiable provenance
4      Highest levels of confidence and trust    Two-party review + hermetic builds

Slide 34

Verifiable Truth: in-toto Attestations
(diagram; labels recovered from the slide: Artifact (OCI Image, Jar, etc.), Base64 Encoded JSON, Schema, Dead Simple Signing Envelope)

Slide 35

Confession
v1.6 added "formulation"

Slide 36

A More Secure Future
🍺+🍔 Better Together

Slide 37

The Path Forward

Slide 38

Questions? Thank you!
bdemers
bdemers.io
Learn more