by h4ck_th3_pl4n3t 671 days ago
CycloneDX tools offer packages for each and every programming language. [1]

The Dependency-Track project accumulates all dependency vulnerabilities in a dashboard. [2]

Container SBOMs can be generated with syft and grype. [3] [4]

[1] https://github.com/CycloneDX

[2] https://github.com/DependencyTrack

[3] https://github.com/anchore/syft

[4] https://github.com/anchore/grype

1 comments

SBOMs can't flag vulnerable dependencies until after those are publicly known. Traceability is useful when mitigating a crisis, but it won't prevent one.
> Traceability is useful when mitigating a crisis, but it won't prevent one.

So how do you prevent a crisis then without knowing what your software stack has as dependencies?
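The thread's two points, that an SBOM gives you traceability (Dependency-Track and grype match inventory against advisories) and that this only fires once an advisory is public, can be shown together with a small matcher. The following is an added example, not code from the original post, from Dependency-Track or from grype: it parses a constructed CycloneDX 1.4 JSON document (the shape syft can emit for a container image), compares each component's package URL (purl) against a constructed advisory feed, and filters the feed by publication date so you can see the same SBOM produce no finding before disclosure and a finding after it. The package names, versions, advisory ids and dates are all invented; version comparison assumes plain dotted numeric versions and ignores purl qualifiers, which real ecosystems complicate.

```python
"""Match a CycloneDX SBOM against a vulnerability feed, as of a given date.

Added example. The SBOM and advisory feed below are constructed for
illustration; names, versions, ids and dates are not real.
"""
import json
from datetime import date

# Constructed CycloneDX 1.4 document, trimmed to the fields the matcher uses.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:deb/debian/libfoo@1.2.3"},
    {"type": "library", "name": "requests", "version": "2.25.0",
     "purl": "pkg:pypi/requests@2.25.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}"""

# Constructed advisories: affected range is [introduced, fixed), keyed by
# the versionless purl. "published" is the disclosure date of the advisory.
FEED = [
    {"id": "EXAMPLE-2021-0001", "purl": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.26.0", "published": "2021-06-01"},
    {"id": "EXAMPLE-2023-0002", "purl": "pkg:deb/debian/libfoo",
     "introduced": "1.0.0", "fixed": "1.2.4", "published": "2023-03-15"},
    {"id": "EXAMPLE-2020-0003", "purl": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21", "published": "2020-07-15"},
]


def parse_version(v):
    """Simplification: dotted numeric versions only (no epochs, tags or suffixes)."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (base, version).

    Simplification: real purls may carry '?qualifiers' and '#subpath' after
    the version; the constructed inputs here do not.
    """
    base, _, version = purl.partition("@")
    return base, version


def load_components(sbom_json):
    """Return the SBOM components that carry a purl (others cannot be matched)."""
    return [c for c in json.loads(sbom_json).get("components", []) if "purl" in c]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_sbom(sbom_json, feed, as_of):
    """Map each affected purl to the advisory ids published on or before as_of.

    Advisories published after as_of are ignored, which is exactly why an
    SBOM scan run before disclosure is clean for a component that is later
    found to be vulnerable.
    """
    cutoff = date.fromisoformat(as_of)
    findings = {}
    for comp in load_components(sbom_json):
        base, version = split_purl(comp["purl"])
        for adv in feed:
            if adv["purl"] != base:
                continue
            if date.fromisoformat(adv["published"]) > cutoff:
                continue  # not yet public on the scan date
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.setdefault(comp["purl"], []).append(adv["id"])
    return findings


if __name__ == "__main__":
    for scan_date in ("2022-01-01", "2023-04-01"):
        print(scan_date, match_sbom(SBOM_JSON, FEED, scan_date))
```

Run as-is, the scan dated 2022-01-01 reports only the requests advisory, while the scan dated 2023-04-01 also reports libfoo, because EXAMPLE-2023-0002 was not published until March 2023; lodash is never reported because its version is the fixed version. The inventory did not change between the two runs, only the feed did, which is the point both commenters were making: the SBOM tells you which images to rebuild the moment an advisory lands, but it cannot tell you about an advisory that does not exist yet.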