Brussels / 3 & 4 February 2024


12 months of SBOMs - an experience report

The CVE Binary Tool ( is a Python tool which helps you determine if your system includes known vulnerabilities. It takes a variety of inputs including binaries and SBOMs (both SPDX and CycloneDX are supported). Our build process has been generating a SBOM (a build/deploy version using SBOM4Python ( every week and storing it within the GitHub repo. A detailed analysis of the generated SBOMs over the past 12 months has identified a number of interesting observations which were not immediately apparent before SBOMs were being generated. It addresses some key questions such as “How much does an SBOM change and how often?“ and “ Does your SBOM depend on your environment?“. This presentation shares these observations and provides a number of recommendations to be followed when generating SBOMs as part of the build process.


Photo of Anthony Harrison Anthony Harrison