SBOM Observer's Impact Analysis Feature

Managing software vulnerabilities requires more than just identification; it demands a clear understanding of their practical impact on your operations. SBOM Observer simplifies this task, allowing users to quickly perform an impact analysis on vulnerabilities.

Understanding Impact with SBOM Observer

Upon detecting a vulnerability, questions arise:

  • Which of our components are impacted?
  • Are these components live in our production environment?
  • Is our customer base at risk?

SBOM Observer connects potential vulnerabilities with actual impacts, integrating Software Bill of Materials (SBOMs) into diverse operational contexts. This integration ensures a comprehensive understanding, overcoming the limitations of incomplete insights and leading to more accurate risk assessments.

Impact Analysis in SBOM Observer

  1. Vulnerability Lookup: You can always click through the individual vulnerabilities, but the common case is that you need to know the impact of one specific vulnerability. The quickest way is to search for its identifier (for example a CVE id).
  2. Analyze Impact: Clicking the Analyze button gives you a complete view of every component impacted by that vulnerability.
  3. Impact Dependency Chart: Clicking Graph shows a visualization of the entire impacted dependency tree.

Impact Analysis Example

In this example an application is connected to an environment.

  1. We've searched for vulnerability CVE-2022-45787 and get a match.

  2. Clicking on Analysis shows that the keycloak application is impacted, together with the number of vulnerabilities and any potential policy violations.

  3. Clicking on Graph at the top of the page gives us a visualization of the impact as a dependency tree.

VEX data as part of the impact analysis

Note that you can also include your own assessment of the impact by adding Vulnerability Exploitability eXchange (VEX) data, either manually or by importing VEX documents.
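The steps of the example above (look up a CVE, find the applications that reach the vulnerable component through the dependency tree, check which environments they run in, and let a VEX statement override the verdict) can be shown on a tiny constructed SBOM. This is an added illustration, not SBOM Observer's own code or data model; the component names, environments, the mapping of the page's CVE id to a component, and the VEX statement are all constructed.

```python
from collections import deque

# Constructed sample data (illustrative; not SBOM Observer's data model).
DEPENDENCIES = {          # component -> direct dependencies, as an SBOM would list them
    "keycloak": ["quarkus-runtime"],
    "quarkus-runtime": ["lib-parser"],
    "billing-service": ["lib-parser"],
    "lib-parser": [],
}
ENVIRONMENTS = {"keycloak": ["production"], "billing-service": ["staging"]}
# The CVE id is the one used on the page; the affected-component mapping is constructed.
VULNERABILITIES = {"CVE-2022-45787": {"lib-parser"}}
# VEX statements, constructed: (cve, product) -> status
VEX = {("CVE-2022-45787", "billing-service"): "not_affected"}

def reverse_graph(deps):
    """Map each component to the set of components that depend on it."""
    rev = {name: set() for name in deps}
    for parent, children in deps.items():
        for child in children:
            rev.setdefault(child, set()).add(parent)
    return rev

def impact_paths(cve, deps=DEPENDENCIES, vulns=VULNERABILITIES):
    """Walk up the reverse graph (BFS) from each component the CVE names.
    Returns {reached component: path from the vulnerable component}."""
    rev = reverse_graph(deps)
    paths, queue = {}, deque((c, [c]) for c in vulns.get(cve, ()))
    while queue:
        node, path = queue.popleft()
        if node in paths:            # already reached by a shorter path
            continue
        paths[node] = path
        for parent in rev.get(node, ()):
            queue.append((parent, path + [parent]))
    return paths

def analyze(cve, deps=DEPENDENCIES, vulns=VULNERABILITIES, vex=VEX, envs=ENVIRONMENTS):
    """Applications (components with no dependents) reached by the CVE, with the
    VEX status ('affected' unless a statement overrides it) and their environments."""
    rev = reverse_graph(deps)
    report = {}
    for comp, path in impact_paths(cve, deps, vulns).items():
        if rev.get(comp):            # something depends on it, so not an application root
            continue
        report[comp] = {"status": vex.get((cve, comp), "affected"),
                        "environments": envs.get(comp, []), "path": path}
    return report
```

Calling `analyze("CVE-2022-45787")` reports keycloak as affected in production via quarkus-runtime, while billing-service is reached but reported as not_affected because of the VEX statement.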

In simplifying the labyrinth of dependencies, vulnerabilities, and operational stakes, SBOM Observer ensures organizations are not only informed but poised to respond swiftly and precisely.