Software Bill of Material (SBOM)
SBOM and Software Supply Chain
A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software product.
All software vendors create products by adding open-source and commercial software components to their own code. A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as an application, a device driver or a service. It is analogous to the list of ingredients on food packaging: where you might consult a label to avoid foods that cause allergies, an SBOM helps organizations or individuals avoid consuming software that could harm them because of well-known security risks (CVEs).
We here at sematicon invest a lot in checking all our components and products with internal and external penetration tests for known and unknown security issues. But as humans, we are not perfect. For full transparency we provide a complete, machine-readable SBOM to our customers. This enables our customers to check every component against their own sources and make sure everything is considered safe.
We provide the following machine-readable SBOM formats:
Commercial and governmental SOCs (Security Operations Centers) can usually read these SBOM formats automatically and check them for known vulnerabilities.
Additionally, we provide machine- and human-readable security advisories in CSAF and HTML format, as well as Vulnerability Exploitability eXchange (VEX) documents that allow you to check automatically whether a vulnerability affects our products. Please refer to Vulnerability Information for further details.
Warning
If there is a match between a component and an SBOM entry for a vulnerability, please do not panic. This does not necessarily mean your product or service is in danger. Usually not all features or modules of an external component are used, and our security team will check this. If we are not affected, a VEX report is issued. You can then check your results against our VEX to ensure you are not affected. If you are unsure, please contact our SRT team by reporting a vulnerability.
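The triage step described above (reconcile scanner matches against the SBOM, then suppress only what the vendor's VEX explicitly marks as not exploitable) as an added example; this is illustrative code, not sematicon's tooling, and the SBOM excerpt, the CVE placeholders and the VEX excerpt are constructed, with a simplified structure loosely modelled on CycloneDX VEX analysis states:

```python
import json

# Constructed SBOM excerpt (not a real vendor SBOM): component refs, names, versions.
SBOM = {"components": [
    {"bom-ref": "pkg:generic/libfoo@1.2.3", "name": "libfoo", "version": "1.2.3"},
    {"bom-ref": "pkg:generic/libbar@4.5.6", "name": "libbar", "version": "4.5.6"},
]}

# Constructed scanner output: (placeholder CVE id, component ref it matched).
SCAN_MATCHES = [
    ("CVE-0000-0001", "pkg:generic/libfoo@1.2.3"),
    ("CVE-0000-0002", "pkg:generic/libbar@4.5.6"),
    ("CVE-0000-0003", "pkg:generic/libbar@4.5.6"),   # no VEX statement at all
    ("CVE-0000-0004", "pkg:generic/libbaz@9.9.9"),   # ref not in the SBOM
]

# Constructed VEX excerpt; states loosely follow CycloneDX VEX analysis states.
VEX = {"vulnerabilities": [
    {"id": "CVE-0000-0001",
     "analysis": {"state": "not_affected",
                  "justification": "vulnerable_code_not_in_execute_path"},
     "affects": [{"ref": "pkg:generic/libfoo@1.2.3"}]},
    {"id": "CVE-0000-0002", "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:generic/libbar@4.5.6"}]},
]}

# Only these states justify closing a finding; anything else stays open.
NON_ACTIONABLE = {"not_affected", "false_positive", "resolved"}

def vex_status(vex, cve, ref):
    """Return the VEX analysis state for (cve, ref), or None if the VEX is silent."""
    for v in vex.get("vulnerabilities", []):
        if v.get("id") == cve and any(a.get("ref") == ref for a in v.get("affects", [])):
            return v.get("analysis", {}).get("state")
    return None

def triage(matches, vex, sbom):
    """Split matches into (actionable, suppressed). A match is suppressed only when the
    VEX names both the CVE and the component ref with a non-actionable state; VEX silence
    and refs missing from the SBOM are kept actionable so nothing is closed by accident."""
    known_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    actionable, suppressed = [], []
    for cve, ref in matches:
        if ref not in known_refs:
            actionable.append((cve, ref, "unknown_component"))
            continue
        state = vex_status(vex, cve, ref)
        (suppressed if state in NON_ACTIONABLE else actionable).append(
            (cve, ref, state or "no_vex_statement"))
    return actionable, suppressed

if __name__ == "__main__":
    act, sup = triage(SCAN_MATCHES, VEX, SBOM)
    print(json.dumps({"actionable": act, "suppressed": sup}, indent=2))
```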
Access the SBOM-Files
You can access the SBOM files from the following source.
Info
Please be aware that this is not public information. You can request access if you have a valid NDA with us and an ongoing maintenance agreement. Please contact Sales for further information.
Access is usually provided by username and password, but you can also request certificate-based authentication for automated delivery. Just contact our sales department.
