Document Management
BOMnipotent knows two types of supply chain security documents: Bills of Materials (BOMs) and Common Security Advisory Format (CSAF) documents. In addition, it can host information on vulnerabilities associated with a BOM.
A typical document management workflow looks like this:
- A new version of a product is released, together with its corresponding BOM. The BOM may for example be generated with syft. This document is uploaded to the server. In contrast to the other documents, BOMs should be treated as static data: modifying or deleting a BOM is possible, but rare.
- An automated tool or script regularly downloads the BOMs and checks them for vulnerabilities. This may for example be done with grype. The findings are uploaded to the server, replacing the previous state for that BOM.
- Another tool or script regularly checks the BOMnipotent Server for new vulnerabilities and sounds an alarm when it finds one. From here on, a human mind is needed!
- The human thoroughly analyses the vulnerability and determines if and how your customers have to react. They create a CSAF document, using for example secvisogram. The CSAF document is uploaded to BOMnipotent Server.
- Your consumers will now find the new CSAF document when they poll your instance of BOMnipotent Server.
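The second and third steps above (scan the BOM, then raise an alarm only for findings that were not there on the previous run) are where automation usually lives. The following is an added example written for this page, not code from BOMnipotent or from its client; it reads a report in the shape produced by `grype sbom:bom.json -o json`, collapses duplicate matches into one finding per vulnerability and affected package, and compares against the set of findings already known from the last run. The upload to and download from BOMnipotent Server are left out because this page does not show the client's command syntax; the sample report and the CVE identifiers in it are constructed placeholders.

```python
"""Added example (not part of BOMnipotent): turn a grype JSON report into a
deduplicated finding list and detect vulnerabilities not seen on the last run."""
from __future__ import annotations

import json

# Constructed sample in the shape of `grype sbom:bom.json -o json` output.
# Only the fields this script reads are present; the CVE IDs are placeholders.
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2099-0001", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.2.3",
                      "purl": "pkg:deb/debian/libexample@1.2.3"}},
        {"vulnerability": {"id": "CVE-2099-0002", "severity": "Medium"},
         "artifact": {"name": "examplelib", "version": "4.5.6",
                      "purl": "pkg:pypi/examplelib@4.5.6"}},
        # grype can report the same CVE twice for one package (e.g. matched via
        # two data sources); the parser below collapses this into one finding.
        {"vulnerability": {"id": "CVE-2099-0001", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.2.3",
                      "purl": "pkg:deb/debian/libexample@1.2.3"}},
    ]
})

# grype's severity vocabulary, ordered so that findings can be ranked.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2,
                 "Low": 1, "Negligible": 0, "Unknown": -1}

FindingKey = tuple[str, str]  # (vulnerability id, affected package purl)


def parse_grype_report(report_json: str) -> dict[FindingKey, dict]:
    """Map (vulnerability id, purl) -> finding. Duplicate matches collapse
    because they produce the same key."""
    findings: dict[FindingKey, dict] = {}
    for match in json.loads(report_json).get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        # Fall back to name@version if the scanner emitted no purl.
        purl = art.get("purl") or f"{art['name']}@{art['version']}"
        key = (vuln["id"], purl)
        findings[key] = {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "purl": purl,
        }
    return findings


def new_findings(current: dict[FindingKey, dict],
                 previously_seen: set[FindingKey]) -> list[dict]:
    """Findings present now but absent from the previous run, most severe first."""
    fresh = [f for key, f in current.items() if key not in previously_seen]
    fresh.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], -1), reverse=True)
    return fresh


def alarm_needed(fresh: list[dict], minimum: str = "Medium") -> bool:
    """True if any new finding reaches the severity threshold; the threshold
    value is an assumption of this example, not a BOMnipotent setting."""
    floor = SEVERITY_RANK[minimum]
    return any(SEVERITY_RANK.get(f["severity"], -1) >= floor for f in fresh)


if __name__ == "__main__":
    current = parse_grype_report(SAMPLE_GRYPE_REPORT)
    # In a real run this set would be rebuilt from the findings already
    # stored on the server for this BOM; here it is constructed inline.
    already_known = {("CVE-2099-0002", "pkg:pypi/examplelib@4.5.6")}
    fresh = new_findings(current, already_known)
    for finding in fresh:
        print(f"NEW {finding['severity']:<8} {finding['id']} in {finding['purl']}")
    if alarm_needed(fresh):
        print("alarm: human analysis required")
```

Keying findings on (vulnerability id, purl) rather than on the id alone matters in practice: the same CVE turning up in a second package is a new exposure that deserves a fresh look, while a second grype match for the same package is noise that should not re-trigger the alarm.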