Analyzing SBOM for Supply Chain Vulnerabilities

When to Use

• A new regulatory requirement (EO 14028, EU CRA) mandates SBOM analysis for software deliveries
• Security team needs to assess third-party risk by scanning vendor-provided SBOMs
• CI/CD pipeline requires automated vulnerability checks against generated SBOMs
• Incident response needs to determine if a newly disclosed CVE affects deployed software
• Procurement team requires supply chain risk assessment for a software acquisition

Do not use for runtime vulnerability scanning of live systems; use container scanning tools (Trivy, Grype CLI) or host-based vulnerability scanners (Nessus, Qualys) instead.

Prerequisites

• SBOM file in CycloneDX JSON (v1.4+) or SPDX JSON (v2.3+) format
• Python 3.9+ with requests, networkx, and packaging libraries installed
• NVD API key (free, from https://nvd.nist.gov/developers/request-an-api-key) for higher rate limits
• Network access to NVD API (https://services.nvd.nist.gov/rest/json/cves/2.0)
• Optionally: syft for SBOM generation, grype for cross-validation