How are SBOMs useful?
Sticking with the car analogy, let us consider what happens when a component manufacturer determines that there was a defect in a specific batch of airbags it produced. Typically, it issues a recall. Once the recall is issued, the dealer is notified, and then you, the consumer, receive a letter from the dealer telling you to bring your car in and have your airbag replaced. This whole system works because the manufacturer and dealer are required by regulation to participate in a data-sharing relationship.
So if car parts are like software packages, wouldn't it be great if there were some sort of data-sharing relationship that software producers and consumers could participate in? It turns out there is! It's called the National Vulnerability Database (NVD), and it's maintained by the National Institute of Standards and Technology (NIST). Security researchers from across both industry and academia submit their findings to the NVD, and updates are published weekly.
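The "recall letter" for software is the step where an SBOM's component list is checked against vulnerability records. The following added example (not code from the original article) does that matching over a constructed, CycloneDX-style component list and constructed NVD-style records; the `versionStartIncluding` / `versionEndExcluding` field names mirror the NVD API's range fields, but the CVE ids and version ranges are placeholders, and the version ordering is a simplified assumption rather than NVD's CPE matching.

```python
import json
import re

# Constructed SBOM fragment in the shape of a CycloneDX "components" array.
SBOM_JSON = """
{"components": [
  {"name": "openssl", "version": "1.1.1k"},
  {"name": "libxml2", "version": "2.9.10"},
  {"name": "zlib",    "version": "1.2.13"}
]}
"""

# Constructed NVD-style records; CVE ids and ranges are placeholders, not real advisories.
NVD_RECORDS = [
    {"cve": "CVE-0000-0001", "product": "openssl",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1l"},
    {"cve": "CVE-0000-0002", "product": "libxml2",
     "versionStartIncluding": "2.9.0", "versionEndExcluding": "2.9.11"},
    {"cve": "CVE-0000-0003", "product": "zlib",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.12"},
]


def version_key(version):
    """Order versions like '1.1.1k' by numeric runs, then letter runs (assumed scheme).

    Each token becomes (0, int) or (1, str) so mixed tokens stay comparable and
    '1.1.1' sorts before '1.1.1k', which sorts before '1.1.1l'.
    """
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[a-zA-Z]+", version)]


def find_affected(sbom_json, records):
    """Return (name, version, cve) for every SBOM component inside a record's range.

    A missing range bound is treated as unbounded on that side.
    """
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        v = version_key(comp["version"])
        for rec in records:
            if rec["product"] != comp["name"]:
                continue
            lo, hi = rec.get("versionStartIncluding"), rec.get("versionEndExcluding")
            if lo is not None and v < version_key(lo):
                continue
            if hi is not None and not v < version_key(hi):
                continue
            hits.append((comp["name"], comp["version"], rec["cve"]))
    return hits
```

Running `find_affected(SBOM_JSON, NVD_RECORDS)` flags openssl and libxml2 and leaves zlib alone, because 1.2.13 is past the placeholder range's upper bound.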