Monitor for Updates
Tracking SBOM and VEX changes from suppliers over time
SBOMs and VEX documents aren't static artifacts—they evolve as software changes, vulnerabilities are discovered, and component compositions shift. Vendor releases new product version with updated dependencies. Security researcher publishes CVE affecting component in deployed software. Vendor publishes VEX document changing vulnerability status from "under investigation" to "not affected." Each change represents information consumers need to maintain accurate risk understanding.
Organizations that treat SBOM as one-time procurement checkbox miss continuous value. Initial SBOM snapshot is immediately outdated the moment vendor ships patch. Without update monitoring, consumers operate on stale data making wrong decisions: deploying software they believe is patched but isn't, worrying about vulnerabilities that VEX documents have explained away, missing new vulnerabilities introduced in recent updates.
Systematic update monitoring transforms SBOM from point-in-time snapshot to living documentation. Know when suppliers change component composition. Receive alerts when new vulnerabilities affect deployed software. Track vendor responsiveness to security disclosures. Build comprehensive understanding of supply chain changes over time.
Update Types to Monitor
Different update events warrant different monitoring approaches and response priorities.
New Software Versions
When vendors release new software versions, corresponding SBOMs describe updated component composition.
Monitoring approach: Subscribe to vendor release notifications (RSS feeds, email lists, API webhooks). When new version announced, retrieve updated SBOM. Compare against previous version SBOM to identify component changes.
Change analysis:
def analyze_sbom_changes(old_sbom, new_sbom):
"""Compare SBOMs and identify component changes"""
old_components = {c['purl']: c for c in old_sbom.get('components', [])}
new_components = {c['purl']: c for c in new_sbom.get('components', [])}
changes = {
'added': [],
'removed': [],
'updated': [],
'unchanged': 0
}
# Find added and updated components
for purl, component in new_components.items():
if purl not in old_components:
changes['added'].append(component)
elif old_components[purl]['version'] != component['version']:
changes['updated'].append({
'component': component['name'],
'old_version': old_components[purl]['version'],
'new_version': component['version']
})
else:
changes['unchanged'] += 1
# Find removed components
for purl in old_components:
if purl not in new_components:
changes['removed'].append(old_components[purl])
return changesChange analysis reveals: Did vendor upgrade vulnerable components? Did they add new dependencies increasing attack surface? Did they remove components we depend on?
Decision drivers:
- Major component upgrades (Express 4.x to 5.x) may introduce breaking changes requiring testing before deployment
- Vulnerability fixes warrant faster deployment
- New component additions require license compliance review
- Component removals might break functionality if we relied on them
SBOM Corrections and Enrichments
Vendors sometimes update SBOMs for existing software versions—correcting errors, adding missing components, enriching metadata.
Monitoring approach: Track SBOM file timestamps and version identifiers. When SBOM for already-deployed software version changes, investigate what was corrected.
Correction significance:
High impact corrections:
- Previously missing vulnerable component now documented (discovers exposure we didn't know existed)
- Component version corrections (thought we had patched 1.2.5, actually running vulnerable 1.2.3)
- License changes (component we thought was MIT is actually GPL)
Low impact enrichments:
- Added metadata (supplier information, hashes, external references)
- Format improvements (better PURL coverage, added relationships)
- Documentation updates (comments, descriptions, evidence)
High-impact corrections require immediate response—vulnerability assessment, compliance review, deployment verification. Low-impact enrichments simply improve SBOM quality for future use.
VEX Document Publications
VEX documents communicate vulnerability status changes. Monitoring VEX updates is critical for accurate risk assessment.
Monitoring approach:
Subscription mechanisms:
- Vendor security advisory RSS feeds
- VEX-specific webhook notifications (if vendor supports)
- Periodic polling of vendor VEX repositories
- Email security bulletin subscriptions
VEX update processing:
def process_vex_update(vex_document, sbom_repository):
"""Process VEX document and update vulnerability status"""
cve_id = vex_document['vulnerability']['id']
affected_products = vex_document['products']
for product in affected_products:
# Find product in SBOM repository
sbom = sbom_repository.find_sbom(product['id'])
if not sbom:
continue
# Update vulnerability status
new_status = vex_document['status']
previous_status = get_current_status(sbom, cve_id)
if previous_status != new_status:
update_vulnerability_status(sbom, cve_id, {
'status': new_status,
'justification': vex_document.get('justification'),
'updated_at': vex_document['timestamp']
})
# Generate alerts for significant status changes
if should_alert(previous_status, new_status):
alert_security_team(product, cve_id, previous_status, new_status)Status change significance:
Critical alerts:
- "not_affected" changes to "affected" (new analysis reveals vulnerability applies after all)
- "under_investigation" changes to "affected" (confirms vulnerability requires action)
- No VEX becomes "affected" (vendor acknowledges exposure)
Positive updates:
- "affected" changes to "fixed" (patch available)
- "under_investigation" changes to "not_affected" (confirmed safe)
- New "not_affected" VEX (proactive vendor communication reducing concern)
Informational:
- "under_investigation" remains "under_investigation" with updated timeline
- Additional justification details without status change
Component Vulnerability Discoveries
Even without vendor communication, new CVEs published daily. Monitor vulnerability databases for newly-disclosed issues affecting components in deployed SBOMs.
Monitoring approach:
Database subscriptions:
- NVD (National Vulnerability Database) RSS feeds
- GitHub Security Advisories
- OSV (Open Source Vulnerabilities) database
- Vendor-specific security bulletins
Automated correlation:
def correlate_cves_with_sboms(new_cves, sbom_repository):
"""Check if newly published CVEs affect any SBOMs"""
findings = []
for cve in new_cves:
# Extract affected components from CVE
affected_components = extract_affected_components(cve)
for component in affected_components:
# Query SBOM repository
affected_sboms = sbom_repository.find_sboms_with_component(
name=component['name'],
version_range=component['version_range']
)
if affected_sboms:
findings.append({
'cve': cve['id'],
'severity': cve['cvss_score'],
'component': component,
'affected_products': [s['product'] for s in affected_sboms],
'requires_vendor_vex': True
})
return findingsProactive CVE correlation enables you to ask vendors about impact before customers ask you. "CVE-2024-5678 published yesterday affecting component-x which your product uses. Can you provide VEX status?"
Monitoring Infrastructure
Polling vs. Push
Polling approach: Periodically check vendor locations (download portals, API endpoints, repositories) for updated SBOMs and VEX documents.
Advantages:
- Works with any vendor (no special vendor support required)
- Consumer controls check frequency
- Simple to implement
Disadvantages:
- Delayed awareness (updates might occur between polls)
- Inefficient (checking when nothing changed)
- Scaling challenges (polling 100 vendors hourly creates load)
Implementation:
# Cron-based daily SBOM update checking
0 2 * * * /usr/local/bin/check-vendor-sbom-updates.sh
# check-vendor-sbom-updates.sh
#!/bin/bash
for vendor in €(list-vendors); do
LATEST_SBOM=€(fetch-latest-sbom €vendor)
STORED_SBOM=€(get-stored-sbom €vendor)
if [ "€LATEST_SBOM" != "€STORED_SBOM" ]; then
echo "Update detected for €vendor"
ingest-updated-sbom €vendor €LATEST_SBOM
alert-subscribers €vendor
fi
donePush approach: Vendors notify consumers when updates available via webhooks, email, or messaging services.
Advantages:
- Immediate awareness
- Efficient (only notified when changes occur)
- Scales to many vendors
Disadvantages:
- Requires vendor support (many vendors don't offer push notifications)
- Webhook infrastructure needed (endpoint to receive notifications, authentication, reliability)
- Depends on vendor reliability (missed notifications if vendor system fails)
Implementation:
# Webhook endpoint for vendor SBOM notifications
@app.route('/webhooks/sbom-updated', methods=['POST'])
def handle_sbom_update():
"""Receive vendor SBOM update notification"""
data = request.json
# Verify webhook authenticity
if not verify_webhook_signature(request.headers, request.data):
return {'error': 'Invalid signature'}, 401
# Extract notification details
vendor = data['vendor']
product = data['product']
version = data['version']
sbom_url = data['sbom_url']
# Fetch updated SBOM
sbom = fetch_sbom(sbom_url)
# Ingest and analyze
changes = analyze_changes(product, version, sbom)
# Notify relevant teams
if changes['security_relevant']:
notify_security_team(product, version, changes)
return {'status': 'processed'}, 200Hybrid approach: Use push notifications where vendors support them, fall back to polling for vendors without push capabilities. Best-of-both-worlds balancing immediate awareness with universal coverage.
Change Detection Methods
Hash-based detection: Calculate hash (SHA-256) of SBOM file. When hash changes, SBOM content changed. Simple and reliable but doesn't distinguish meaningful changes from cosmetic formatting updates.
def detect_sbom_change(sbom_url, previous_hash):
"""Detect if SBOM changed via hash comparison"""
current_sbom = fetch_sbom(sbom_url)
current_hash = hashlib.sha256(current_sbom.encode()).hexdigest()
if current_hash != previous_hash:
return {
'changed': True,
'previous_hash': previous_hash,
'current_hash': current_hash
}
return {'changed': False}Semantic comparison: Parse SBOMs and compare component lists, versions, metadata. Distinguishes meaningful changes (component version updates) from irrelevant changes (timestamp updates, formatting). More complex but provides better change characterization.
def detect_semantic_changes(old_sbom, new_sbom):
"""Identify meaningful SBOM changes"""
component_changes = compare_component_lists(old_sbom, new_sbom)
license_changes = compare_licenses(old_sbom, new_sbom)
vulnerability_changes = compare_vulnerability_status(old_sbom, new_sbom)
return {
'has_meaningful_changes': any([
component_changes['added'],
component_changes['removed'],
component_changes['updated'],
license_changes,
vulnerability_changes
]),
'changes': {
'components': component_changes,
'licenses': license_changes,
'vulnerabilities': vulnerability_changes
}
}Version metadata: Some SBOM formats include version or serial number fields. Comparing these values provides lightweight change detection without full SBOM parsing.
Notification and Alerting
Not all updates warrant immediate human attention. Implement tiered alerting based on change significance.
Critical alerts (immediate escalation):
- New vulnerability affecting deployed software (CVSS 7.0+)
- VEX status change from "not_affected" to "affected"
- SBOM correction revealing previously unknown vulnerable component
- Supplier fails to provide SBOM update within SLA timeframe
High-priority notifications (business hours response):
- New software version with security fixes available
- VEX documents answering pending vulnerability inquiries
- Medium-severity vulnerability disclosures (CVSS 4.0-6.9)
Informational updates (daily digest):
- New software versions without security changes
- SBOM enrichments and metadata improvements
- VEX status updates for low-severity issues
- License information updates
Alert routing:
def route_update_alert(update, severity):
"""Route update notifications to appropriate teams"""
if severity == 'CRITICAL':
# Page on-call security team
send_pagerduty_alert(update)
# Post to urgent Slack channel
post_slack('#security-urgent', format_alert(update))
# Email security leadership
send_email(SECURITY_LEADERS, format_email_alert(update))
elif severity == 'HIGH':
# Post to security team channel
post_slack('#security-team', format_notification(update))
# Create Jira ticket
create_jira_ticket('SEC', format_ticket(update))
elif severity == 'INFORMATIONAL':
# Add to daily digest
add_to_digest(update)
# Log for audit trail
log_update(update)Tracking Vendor Responsiveness
Monitoring updates enables measuring vendor performance and responsiveness.
Metrics:
Time to SBOM update: Days from software release to updated SBOM availability. Target: same day for automated vendors, within 3 days for manual processes.
VEX publication latency: Hours from CVE publication to vendor VEX status document. Target: 48 hours for high-severity, 7 days for medium-severity.
Update consistency: Percentage of releases with corresponding SBOM updates. Target: 100%. Gaps indicate vendor forgot or doesn't prioritize SBOM maintenance.
Communication quality: Do vendors proactively notify of updates or must consumers discover them? Proactive communication demonstrates maturity.
Vendor scorecard:
| Vendor | Avg SBOM Latency | VEX Latency | Update Consistency | Communication | Overall |
|---|---|---|---|---|---|
| Acme Corp | 1 day | 36 hours | 100% | Proactive | Excellent |
| Beta Systems | 14 days | No VEX | 67% | Reactive | Poor |
Track trends. Improving vendors reward feedback and collaboration. Declining vendors may need escalation or alternative evaluation.
Integration with Change Management
SBOM and VEX updates should flow into change management processes.
Deployment decisions: New software version available with security fixes? SBOM comparison shows vulnerability remediation? Expedite deployment through change approval.
Risk assessment: SBOM shows new GPL-licensed dependencies? Requires legal review before deployment. VEX documents explain vulnerabilities as "not affected"? Reduces urgency of patching.
Regression planning: Major component version changes (dependency framework updates) identified in SBOM comparison? Schedule regression testing before production deployment.
Vendor performance tracking: Vendors who consistently provide timely SBOM updates and VEX documents earn higher trust scores in vendor risk assessments.
Common Monitoring Pitfalls
Pitfall: Alert fatigue from over-notification Every SBOM update triggers alert regardless of significance. Teams ignore notifications, miss critical updates buried in noise.
Prevention: Tiered alerting based on change significance. Critical issues = immediate escalation. Informational updates = daily digest.
Pitfall: No monitoring automation Manual checking of vendor portals for updates. Doesn't scale. Updates missed. Inconsistent coverage.
Prevention: Automated monitoring infrastructure (polling or webhooks). Systematic checking ensures no vendors fall through cracks.
Pitfall: Monitoring without response capability Detecting updates but lacking processes to act on them. Awareness without action delivers no value.
Prevention: Connect monitoring to operational workflows. Update detected = trigger vulnerability assessment, create tickets, notify owners.
Pitfall: Ignoring VEX documents Monitoring SBOM updates but not VEX publications. Miss vendor explanations of vulnerability status, create unnecessary work investigating issues vendor already addressed.
Prevention: Monitor VEX publications with equal priority to SBOM updates. Both are critical transparency artifacts.
Next Steps
- Establish monitoring foundation via Ingest and Store
- Act on updates through Assess and Act
- Understand change drivers in Core Concepts - SBOM and VEX Lifecycle
- Track vendor performance using Use Cases - Supplier Transparency