How a Software Bill of Materials Uncovers Known Vulnerabilities

Author, Derek Weeks

Bill of Materials - 01

In two minutes, we can show you a full software bill of materials for your application.  We can also identify any known vulnerabilities in the open source and third-party components within your Java application.  Oh, and by the way, it’s free.

That’s right, at Sonatype, we could not be more in favor of the code reuse that occurs millions of times a day thanks to the availability of open source and third-party components.  At the same time, we are steadfastly against the reuse of known vulnerable versions of components in your applications.  Spread the good, not the bad.  Simple, right?

Where other worthwhile approaches to application security might take hours or even days to return actionable insight, our open source risk assessment can return a summary of known vulnerabilities and license risks in under two minutes.  All you have to do is download our small analysis app.  You will also have access to a full software Bill of Materials — listing all open source and third-party components used in your app.

Oh, and one more thing: you do not upload your app to us for analysis — it stays with you the whole time.

When as much as 90% of a typical modern application may be composed of open source components, a quick analysis is worth your while.  What does the multi-page report look like?  It starts with an executive summary of the software bill of materials.  Check it out:

Bill of Materials - 02

Want to analyze your known vulnerabilities and license risks within your own app? You can skip to Application Health Check right now.

But what about specifics?  If your analysis summary does return known open source risks, we can send you the details for each component.  The details will not only be delivered promptly, they will also be clear and actionable.  Here is a sample of the security violation details (again, all free to you):

Bill of Materials - 03

Within the same report, you will also receive a complete software Bill of Materials listing the open source components used within your application.  This is a useful asset both for the applications you build yourself and for Java applications you run from other vendors.
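The steps described above (inventory the components inside a Java archive, then match each one against advisories for known-vulnerable versions) can be demonstrated in a few dozen lines. The block below is an added example written for this article, not Sonatype's tooling, and it makes two simplifying assumptions: components are identified only from the `META-INF/maven/.../pom.properties` files that a Maven build embeds in each artifact (commercial scanners also fingerprint files by hash), and the version ordering is a reduced form of Maven's rules. The WAR, its component names and versions, and the `ADV-000x` advisories are all constructed for illustration; none refers to a real library or a real CVE.

```python
"""Minimal software bill of materials (SBOM) for a Java archive, matched
against a list of known-vulnerable component versions.

Added example, not Sonatype's tooling.  Every component, version and
advisory identifier below is constructed for illustration (hypothetical).
"""
import io
import re
import zipfile
from dataclasses import dataclass

POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


@dataclass(frozen=True)
class Component:
    group_id: str
    artifact_id: str
    version: str

    @property
    def purl(self) -> str:
        # Package URL style coordinate, the usual SBOM identifier for a Maven artifact.
        return f"pkg:maven/{self.group_id}/{self.artifact_id}@{self.version}"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, deliberately not a real CVE
    group_id: str
    artifact_id: str
    fixed_in: str      # first non-vulnerable version; every earlier version is affected
    summary: str


def parse_version(v: str) -> tuple:
    """Turn a Maven-style version into a comparable tuple.

    Simplified ordering: numeric segments compare numerically (padded so that
    2.15 == 2.15.0) and a release without a qualifier sorts after the same
    numbers with one (2.0 > 2.0-RC1).  Maven's full rules are more involved.
    """
    numbers, qualifiers = [], []
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            numbers.append(int(part))
        else:
            qualifiers.append(part.lower())
    numbers += [0] * (4 - len(numbers))
    return (numbers, 0 if qualifiers else 1, qualifiers)


def _parse_pom_properties(text: str) -> dict:
    """Parse the key=value pom.properties file Maven embeds in each artifact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def build_sbom(archive: bytes, path: str = "") -> tuple:
    """Return (components, unidentified) for a JAR/WAR supplied as bytes.

    Nested jars (e.g. WEB-INF/lib) are scanned recursively.  A nested jar with
    no Maven metadata is listed as unidentified so the hole in the bill of
    materials is visible instead of silently missing.
    """
    components, unidentified, identified_here = [], [], False
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                props = _parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    components.append(Component(props["groupId"], props["artifactId"], props["version"]))
                    identified_here = True
            elif name.endswith(".jar"):
                sub_components, sub_unidentified = build_sbom(zf.read(name), f"{path}/{name}" if path else name)
                components.extend(sub_components)
                unidentified.extend(sub_unidentified)
    if path and not identified_here:
        unidentified.append(path)
    return components, unidentified


def find_vulnerabilities(components, advisories) -> list:
    """Match each SBOM entry against advisories for the same Maven coordinates."""
    findings = []
    for comp in components:
        for adv in advisories:
            same_artifact = (comp.group_id, comp.artifact_id) == (adv.group_id, adv.artifact_id)
            if same_artifact and parse_version(comp.version) < parse_version(adv.fixed_in):
                findings.append((comp.purl, adv.advisory_id, adv.fixed_in))
    return findings


# --- constructed sample input: a fake WAR and fake advisories ---------------
def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _pom_props(group, artifact, version) -> str:
    return f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"


SAMPLE_WAR = _jar({
    "WEB-INF/lib/widget-core-1.4.2.jar": _jar({
        "META-INF/maven/org.example/widget-core/pom.properties": _pom_props("org.example", "widget-core", "1.4.2")}),
    "WEB-INF/lib/json-tools-2.0-RC1.jar": _jar({
        "META-INF/maven/org.example/json-tools/pom.properties": _pom_props("org.example", "json-tools", "2.0-RC1")}),
    "WEB-INF/lib/mystery-lib.jar": _jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe"}),  # no metadata at all
})

SAMPLE_ADVISORIES = [  # hypothetical advisories for the constructed components above
    Advisory("ADV-0001", "org.example", "widget-core", "1.5.0", "deserialization of untrusted input"),
    Advisory("ADV-0002", "org.example", "json-tools", "2.0", "unbounded recursion on crafted input"),
    Advisory("ADV-0003", "org.example", "widget-core", "1.2.0", "old issue, already fixed in 1.4.2"),
]


def health_check(archive: bytes = SAMPLE_WAR, advisories=SAMPLE_ADVISORIES) -> dict:
    """Executive summary: what is in the app, what could not be identified, what is known-vulnerable."""
    components, unidentified = build_sbom(archive)
    return {"components": [c.purl for c in components],
            "unidentified": unidentified,
            "findings": find_vulnerabilities(components, advisories)}


if __name__ == "__main__":
    for section, rows in health_check().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Two details matter in practice. The `unidentified` list is the honest part of the report: a bill of materials that quietly omits a jar it could not recognise understates risk, so unrecognised archives are surfaced rather than dropped. And the release candidate `json-tools 2.0-RC1` is still flagged against a fix in `2.0`, which is why version ordering (not string comparison) is what turns an inventory into a vulnerability match.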

Bill of Materials - 04

Our new and improved Application Health Check is an open source risk assessment offered as a free community service.  As part of our mission to help you build trusted applications and keep them that way over time, we hope this service can help your organization identify avoidable open source risks in the applications you build for your own clients and customers.


Derek Weeks

VP and DevOps Advocate at Sonatype
Derek is a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is a distinguished international speaker and lectures regularly on modern software development practices, continuous delivery and DevOps, and application security. He shares insights regularly across the social sphere where you can find him at @weekstweets and
