Stop Comparing CVE Counts: How SBOM deltas explain upstream vs hardened image security

Introduction

Today, I'm not here to talk about SBOM scoring, compliance, NTIA, or anything as usual. Instead, I want to highlight a completely different, but very real, SBOM use case. This isn't a theoretical problem; it came straight out of a Reddit thread: https://www.reddit.com/r/sysadmin/comments/1p1xegu/how_to_verify_vulnerability_deltas_between/

Reddit issue (simplified)

I compared hardened base images with their official upstream images. Theoretically, CVEs should drop… but scanner results don't always match reality. ...

December 11, 2025 · 8 min · 1633 words · Vivek Sahu