by robertlagrant 1356 days ago
I don't quite understand the deployment issue. I mean, I understand people might not be tracking what's deployed, but I don't understand what is missing for it to be happening today, other than will.

For example: I build some software into a Docker image, version tag it, sign it, and generate an SBOM for it. That image goes into production with signature validation. Even if I've included 100 jar files in there, I should know exactly which ones I have. I can upload the SBOM to my DependencyTrack[1] instance so that over time no dependencies have vulnerabilities I'm not aware of.

What doesn't work in that scenario? What scenarios can't conform to that one?

[1] https://dependencytrack.org


Certainly 'will' is a huge issue, the biggest IMO. I def don't disagree it can be done, but my experience and from interviews recently, people just don't know. People don't know where their containers are deployed. They know what's in their registries of course but can't trace it all the way through. What I have also seen is people using deploy optimisation tools that dynamically pull from multiple code repos, containers and orchestrate highly optimised global deploys. I def don't disagree it can be done, just it usually isn't.
Right, that makes sense. In that instance, they need to be enforcing some (internal) standards. E.g. "everything should be deployed on monitored k8s so I can pull deployment info from them and find out what I have deployed".

But then, the issue you're now describing doesn't seem to be anything to do with SBOMs being deficient in any way, or lockfiles being bad. How are you connecting those things?
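One way to turn the "monitored k8s" standard into an actual check, as an added example that is not code from either commenter: reconcile the image digests actually running (sample shaped like `kubectl get pods -A -o json`, constructed here) against the SBOMs uploaded at build time, keyed by image digest. The registry names, pod names and digests are made-up sample values.

```python
"""Reconcile what is running in Kubernetes against the SBOMs we hold.

Assumption: each image's SBOM is uploaded at build time keyed by the image
digest, so the digest is the join key between "deployed" and "known".
"""
import json

# Constructed sample, trimmed to the fields this script reads. In real
# kubelet output imageID carries the digest that was actually pulled.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "api-7c9d"},
     "status": {"containerStatuses": [
         {"name": "api", "image": "registry.example/shop/api:1.4.2",
          "imageID": "registry.example/shop/api@sha256:aaaa1111"}]}},
    {"metadata": {"namespace": "shop", "name": "worker-5f2a"},
     "status": {"containerStatuses": [
         {"name": "worker", "image": "registry.example/shop/worker:latest",
          "imageID": "docker-pullable://registry.example/shop/worker@sha256:bbbb2222"}]}},
    {"metadata": {"namespace": "ops", "name": "sidecar-x"},
     "status": {"containerStatuses": [
         {"name": "proxy", "image": "ghcr.example/proxy:2.0",
          "imageID": ""}]}},  # digest not reported (e.g. not pulled yet)
]})

# Constructed index of SBOMs we have uploaded, keyed by image digest.
SBOM_INDEX = {"sha256:aaaa1111": "shop/api 1.4.2"}


def deployed_digests(pods_json):
    """Map each running container to (image ref, digest or None)."""
    out = {}
    for pod in json.loads(pods_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["status"].get("containerStatuses", []):
            # Docker-runtime nodes prefix imageID with docker-pullable://
            image_id = c.get("imageID", "").replace("docker-pullable://", "", 1)
            digest = image_id.split("@", 1)[1] if "@" in image_id else None
            out[f"{ns}/{name}/{c['name']}"] = (c.get("image", ""), digest)
    return out


def reconcile(pods_json, sbom_index):
    """Return {container: reason} for running images not tied to an SBOM."""
    findings = {}
    for ref, (image, digest) in deployed_digests(pods_json).items():
        if digest is None:
            findings[ref] = f"no digest recorded for {image}; cannot map to an SBOM"
        elif digest not in sbom_index:
            findings[ref] = f"{image}@{digest} is running but no SBOM was uploaded"
    return findings


if __name__ == "__main__":
    for ref, why in sorted(reconcile(PODS_JSON, SBOM_INDEX).items()):
        print(f"{ref}: {why}")
```

Only the digest-pinned, SBOM-backed `api` container passes; the `:latest` worker and the digest-less sidecar are exactly the "don't know what's deployed" cases from the thread.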

100%. Sounds like a great OWASP project to capture those best practices, doesn't it? Want to volunteer? ;-)