Brussels / 31 January & 1 February 2026


Contextual SBOMs and impact on vulnerability management


Various tools producing SBOMs for pre-built artifacts, such as container images, usually provide only a flat list of components - packages, libraries, RPMs, and binaries - without explaining where any of them originated. But why does this origin information matter, and how can we obtain it?

To introduce the concept simply, imagine your build ecosystem as a bakery: the built container is the loaf of bread, and your SBOM is the ingredient label on the package. While customers only see a flat list of ingredients, bakers care about where each one came from, because they are responsible for the quality and safety of the final product. The same applies to components in a Containerfile. As the "building factory", we need to know the provenance of every package, library, and binary - not just that it exists, but whether it came from a base image, a builder stage, or was installed directly in the final Containerfile. This provenance information, captured in a Contextual SBOM, is essential for effective vulnerability management. Once an issue appears, knowing where the vulnerable component came from determines whether we must update the base or builder image, update a Containerfile-installed package, or rethink the build process entirely.

In this talk, we will show how we transform a plain, flat SBOM into a structured, layered Contextual SBOM, and what benefits this brings. We will demonstrate how contextual provenance helps us identify vulnerabilities faster and more reliably, and how it improves our overall vulnerability-management workflow.

Key Topics:

- Limitations of traditional SBOMs: Why flat, non-contextual SBOMs fall short in containerized build environments where content origin is unclear
- Introducing Contextual SBOM: An overview of contextual SBOMs and how they enrich component data with provenance
- Differentiating base-image vs. installed content: Distinguishing inherited base-image content from software added directly in the Containerfile
- Tracing builder-stage content: Identifying content copied from builder stages in multistage builds and attributing it to the final image
- Using Contextual SBOMs in vulnerability management: How provenance-aware SBOMs accelerate triage, clarify responsibility, and improve remediation decisions
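As an added illustration (not code from mobster or capo), the following Python sketch models the attribution the talk describes: each component of the final image's flat SBOM is matched against the base image's SBOM, a builder stage's SBOM and the Containerfile's COPY --from instructions, and the resulting origin is mapped to a remediation target. All component names, versions, paths and stage names are constructed, and matching base-image content by exact name and version is an assumption of this sketch, so a package upgraded in the final stage is attributed to the Containerfile rather than the base image.

```python
# Added illustration (not mobster/capo code): attribute each entry of a flat
# container-image SBOM to its origin. All SBOM data here is constructed.
from collections import namedtuple
Component = namedtuple("Component", "name version path")  # path = install location

# Constructed SBOMs: base image, one builder stage, and the final image.
BASE_SBOM = {Component("glibc", "2.39", "/usr/lib64/libc.so.6"),
             Component("openssl-libs", "3.2.1", "/usr/lib64/libssl.so.3")}
BUILDER_SBOMS = {"builder": {Component("golang", "1.22", "/usr/bin/go"),
                             Component("myapp", "1.4.0", "/src/out/myapp")}}
# COPY --from=<stage> <src> <dst> instructions parsed from the Containerfile.
COPY_FROM = [("builder", "/src/out", "/usr/local/bin")]
FINAL_SBOM = {Component("glibc", "2.39", "/usr/lib64/libc.so.6"),
              Component("openssl-libs", "3.2.2", "/usr/lib64/libssl.so.3"),  # upgraded in final stage
              Component("myapp", "1.4.0", "/usr/local/bin/myapp"),
              Component("curl", "8.6.0", "/usr/bin/curl")}

def attribute(final, base, builders, copies):
    """Return {component: origin} for every component in the final image."""
    base_keys = {(c.name, c.version) for c in base}
    copied = {}  # destination path in the final image -> "builder:<stage>"
    for stage, src, dst in copies:
        src, dst = src.rstrip("/"), dst.rstrip("/")
        for c in builders.get(stage, ()):
            if c.path == src:
                copied[dst] = f"builder:{stage}"
            elif c.path.startswith(src + "/"):
                copied[dst + c.path[len(src):]] = f"builder:{stage}"
    origins = {}
    for c in final:
        if (c.name, c.version) in base_keys:
            origins[c] = "base-image"     # inherited unchanged from the FROM image
        elif c.path in copied:
            origins[c] = copied[c.path]   # copied out of a builder stage
        else:
            origins[c] = "containerfile"  # installed or upgraded in the final stage
    return origins

def remediation(origin):
    """Where the fix must land once a component with this origin is vulnerable."""
    if origin == "base-image":
        return "bump the base image and rebuild"
    if origin.startswith("builder:"):
        return f"fix the '{origin.split(':', 1)[1]}' stage and rebuild"
    return "update the package in the final Containerfile stage"

def triage(name):
    """Constructed triage: for a vulnerable package name, list (version, origin, action)."""
    origins = attribute(FINAL_SBOM, BASE_SBOM, BUILDER_SBOMS, COPY_FROM)
    return sorted((c.version, o, remediation(o)) for c, o in origins.items() if c.name == name)
```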

This talk is ideal for security professionals, compliance officers, compliance auditors, developers and anyone involved in the supply chain aspects of software.

Relevant repositories: https://github.com/konflux-ci/mobster https://github.com/konflux-ci/capo

Speakers

Erik Mravec
Martin Jediný
