No longer miss unpublished vulnerabilities!
Version 1.5.0 of BOMnipotent can periodically query other CSAF servers.
Today’s ecosystem for managing the security of the software supply chain has become pretty mature. Open-source projects in particular are publishing more and more vulnerabilities to various databases, thus making them available to tools used in automation.
There is a blind spot, though. Most closed-source vendors do not publish their vulnerabilities to these databases, at least not right away. This is not a shortcoming but a tactical decision: The vendors inform their customers first, to give them a chance to react to the issue before potential attackers learn of its existence. The tradeoff is that the customers may have to set up and monitor a separate channel per closed-source vendor.
The CSAF standard was created to unify this flow of information and decrease the time between the release of a patch and its application. Vendors can create advisories and upload them with a TLP classification. These documents are then not visible to the public, but only to authenticated customers.
Beginning with v1.5.0, you can set up a periodic task that makes BOMnipotent Server query a CSAF server for its advisories. You can provide this task with a client TLS certificate, which is the authentication method most CSAF servers currently implement. After the CSAFs have been loaded, the server will match them against your BOMs, just like tools for open-source vulnerabilities would. If there is a match, and if the CSAF states that the component is affected, a new vulnerability is created. This seamlessly integrates vulnerabilities of closed-source components with the publicly available ones.
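As an added illustration (not BOMnipotent's own code, and not the project's actual matching logic), the following Python sketches the matching step described above: a CSAF document's product_tree maps product IDs to package URLs, and a BOM component is flagged only when a vulnerability's product_status lists that ID under known_affected. The CSAF document and the BOM are constructed samples.

```python
# Constructed sample CSAF 2.0 document (not a real advisory). product_tree maps
# product_ids to purls; vulnerabilities reference those product_ids by status.
CSAF_DOC = {
    "document": {"title": "Example advisory", "tracking": {"id": "EXAMPLE-0001"}},
    "product_tree": {"full_product_names": [
        {"name": "Widget 1.2.3", "product_id": "CSAFPID-0001",
         "product_identification_helper": {"purl": "pkg:generic/acme/widget@1.2.3"}},
        {"name": "Widget 2.0.0", "product_id": "CSAFPID-0002",
         "product_identification_helper": {"purl": "pkg:generic/acme/widget@2.0.0"}},
    ]},
    "vulnerabilities": [{
        "title": "Example flaw in Widget",
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
    }],
}

# Constructed CycloneDX-style BOM fragment: components identified by purl.
BOM = {"components": [
    {"name": "widget", "version": "1.2.3", "purl": "pkg:generic/acme/widget@1.2.3"},
    {"name": "widget", "version": "2.0.0", "purl": "pkg:generic/acme/widget@2.0.0"},
    {"name": "gadget", "version": "0.9", "purl": "pkg:generic/acme/gadget@0.9"},
]}


def purl_index(csaf):
    """Map each product_id in the product_tree to its purl, if one is given.
    Only full_product_names is walked; branches and relationships are out of scope."""
    index = {}
    for entry in csaf.get("product_tree", {}).get("full_product_names", []):
        purl = entry.get("product_identification_helper", {}).get("purl")
        if purl:
            index[entry["product_id"]] = purl
    return index


def affected_components(csaf, bom):
    """Return (purl, advisory title) pairs for BOM components that a CSAF
    vulnerability lists as known_affected. Products listed only under 'fixed'
    or 'known_not_affected' produce no finding."""
    pid_to_purl = purl_index(csaf)
    bom_purls = {c["purl"] for c in bom.get("components", []) if c.get("purl")}
    findings = []
    for vuln in csaf.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            purl = pid_to_purl.get(pid)
            if purl in bom_purls:
                findings.append((purl, vuln.get("title", "")))
    return findings
```

Running `affected_components(CSAF_DOC, BOM)` flags only the 1.2.3 component; the 2.0.0 component is listed as fixed and the unrelated gadget never appears in the product tree.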
To my knowledge, BOMnipotent is currently the only software with this capability.
The full changelog can, as always, be found in the documentation.