Brussels / 3 & 4 February 2024


Getting lulled into a false sense of security by SBOM and VEX

SBOM and VEX represent an important step towards managing software products and software vulnerabilities more efficiently and effectively. The accelerating development of standards and tooling is driven by the promise to answer one important question: Which of the thousands of CVEs published per year affect a given software product?

However, the mere presence of such documents can lull consumers into a false sense of security. Studies have shown that the accuracy of SBOM and VEX documents greatly varies from one producer to another.

The production of accurate SBOM and VEX documents requires connecting products to components, components to vulnerabilities and vulnerabilities to (vulnerable) functions. But establishing those connections is hindered by development practices, the dynamics of open source projects, low-quality vulnerability databases and other factors…

This talk provides a deep dive into the brittleness of those connections, supported by real-world examples from the Java/Maven ecosystem. This information helps SBOM and VEX consumers to ask the right questions when it comes to evaluating and comparing tools and vendors.
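The three connections named above (product to component, component to vulnerability, and the VEX statement that is supposed to settle each match) can be cross-checked mechanically on the consumer side. The following Python script is an added example, not code from the talk or its speaker: it models a minimal SBOM as a list of Maven package URLs, a vulnerability feed keyed by Maven coordinates and version range, and a VEX document as a list of statements, then reports the places where the chain breaks (a component shipped without a version, an affected component with no statement, a statement that points at a purl the SBOM does not contain, a "not_affected" claim with no justification). All coordinates, vulnerability identifiers and record layouts are constructed sample data, not real artifacts or CVEs.

```python
"""Added example (not code from the talk or its speaker): a consumer-side
plausibility check that connects an SBOM's components to a vulnerability feed
and then checks the VEX statements against those connections. The Maven
coordinates, vulnerability identifiers and record layouts are constructed
sample data, not real artifacts or CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One entry of a hypothetical vulnerability feed keyed by Maven coordinates."""
    vuln_id: str
    group: str
    artifact: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


def parse_purl(purl: str):
    """Split 'pkg:maven/<group>/<artifact>[@<version>]' into its parts.
    The version is None when the SBOM producer left it out."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError(f"unsupported purl: {purl}")
    path, _, version = purl[len("pkg:maven/"):].partition("@")
    group, _, artifact = path.rpartition("/")
    return group, artifact, version or None


def version_key(version: str):
    """Dotted version as a tuple of ints; non-numeric segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_vex(sbom, feed, vex):
    """Cross-check SBOM, feed and VEX; returns a set of finding strings.

    MISSING_VEX     a component matches a vulnerability but no statement covers it
    UNDECIDABLE     the SBOM omits the version, so the match cannot be evaluated
    DANGLING_VEX    a statement names a purl that is not in the SBOM
    UNJUSTIFIED_VEX a 'not_affected' statement gives no justification
    """
    findings = set()
    covered = {(s["vuln_id"], s["purl"]) for s in vex}
    for purl in sbom:
        group, artifact, version = parse_purl(purl)
        for v in feed:
            if (v.group, v.artifact) != (group, artifact):
                continue  # coordinates differ: no connection at this level
            if version is None:
                findings.add(f"UNDECIDABLE {v.vuln_id} {purl}")
            elif version_key(v.introduced) <= version_key(version) < version_key(v.fixed):
                if (v.vuln_id, purl) not in covered:
                    findings.add(f"MISSING_VEX {v.vuln_id} {purl}")
    for s in vex:
        if s["purl"] not in sbom:
            findings.add(f"DANGLING_VEX {s['vuln_id']} {s['purl']}")
        if s["status"] == "not_affected" and not s.get("justification"):
            findings.add(f"UNJUSTIFIED_VEX {s['vuln_id']} {s['purl']}")
    return findings


# Constructed sample inputs (hypothetical coordinates and ids).
SAMPLE_SBOM = [
    "pkg:maven/org.example/json-parser@1.4.2",
    "pkg:maven/org.example/http-client@2.0.0",
    "pkg:maven/org.example/xml-lib@3.2.0",
    "pkg:maven/org.example/legacy-util",  # producer omitted the version
]
SAMPLE_FEED = [
    Vuln("VULN-2024-0001", "org.example", "json-parser", "1.0.0", "1.4.3"),
    Vuln("VULN-2024-0002", "org.example", "http-client", "2.1.0", "2.1.5"),
    Vuln("VULN-2024-0003", "org.example", "legacy-util", "0.1.0", "0.9.0"),
    Vuln("VULN-2024-0004", "org.example", "xml-lib", "3.0.0", "3.3.0"),
]
SAMPLE_VEX = [
    {"vuln_id": "VULN-2024-0001", "purl": "pkg:maven/org.example/json-parser@1.4.2",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    # refers to a version that is not the one in the SBOM, and gives no reason
    {"vuln_id": "VULN-2024-0002", "purl": "pkg:maven/org.example/http-client@2.1.0",
     "status": "not_affected"},
]

if __name__ == "__main__":
    for finding in sorted(check_vex(SAMPLE_SBOM, SAMPLE_FEED, SAMPLE_VEX)):
        print(finding)
```

Only the json-parser statement survives the check; every other link in the sample is either missing, undecidable or points at something the SBOM does not describe. Real-world breakage is usually subtler than this (relocated artifacts, shaded or repackaged components, feeds that record the wrong coordinates), but a consumer who cannot run at least this kind of consistency check has no basis for trusting a "not_affected" verdict.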


Henrik Plate