Component Quality in sbomqs: Moving Beyond Static Checks to Real Component Health

Hey SBOM community 👋 If you’ve been using sbomqs for a while, you know it does a solid job of telling you what’s in your SBOM: not just whether fields exist, but what values they actually hold. Names, versions, licenses, suppliers, checksums, PURLs, CPEs: every field and its value, laid out right there from your SBOM. And when something’s missing? The score command scores that field 0 so you can’t miss it, while the list command shows you exactly which components have an empty value and which ones have a real one. It’s a transparent, no-nonsense way to audit your SBOM’s contents. ...

May 19, 2026 · 11 min · 2244 words · Vivek Sahu

How OwnersBox Used the Interlynk SBOM Platform to Immediately Thwart the Shai-Hulud npm Attack

This blog post describes how OwnersBox quickly mitigated the threat of the “Shai-Hulud” npm supply chain attack in September 2025. The attack involved malicious packages that stole credentials and aggressively self-propagated.

October 27, 2025 · 3 min · 540 words · Cosimo Commisso

sbomqs and SBOM Policies: Turning Transparency Into Action

Hey SBOM enthusiasts 👋 An SBOM isn’t just a list of components anymore: it carries detailed information about your software, which may contain hundreds of components. That is what gives you transparency into each and every component: who authored it, who supplies it, under what license it’s released, and even what known vulnerabilities it carries. In other words, it’s not just an inventory; it’s visibility into the very DNA of your software. ...

September 23, 2025 · 9 min · 1706 words · Vivek Sahu
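The two sbomqs posts above describe the same two-step idea: first list, per component, which fields carry a real value rather than merely existing, then turn that visibility into a policy decision. The script below is an added illustration of both steps and is not code from sbomqs or Interlynk. It parses a small constructed CycloneDX-shaped JSON document, reports each component's name, version, supplier, license, checksum and PURL (treating empty strings and empty lists as missing), derives a per-field score, and evaluates a simple policy. The scoring scheme (share of components with a value, scaled to 10) and the policy structure (required fields plus a license denylist) are illustrative assumptions, not sbomqs's actual formula or policy format.

```python
"""Added example: per-component field completeness and a small policy check
over a CycloneDX-style SBOM. Not sbomqs code; scoring and policy are assumed."""
import json

# Constructed sample SBOM (CycloneDX-shaped JSON); not taken from any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {   # complete component: every field has a value
            "name": "lodash",
            "version": "4.17.21",
            "supplier": {"name": "lodash maintainers"},
            "licenses": [{"license": {"id": "MIT"}}],
            "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
            "purl": "pkg:npm/lodash@4.17.21",
        },
        {   # fields exist but are empty: a presence-only check would pass these
            "name": "left-pad",
            "version": "",
            "licenses": [],
            "purl": "pkg:npm/left-pad",
        },
        {   # no purl at all, and a license the assumed policy denies
            "name": "someinternal",
            "version": "0.1.0",
            "licenses": [{"license": {"id": "GPL-3.0-only"}}],
        },
    ],
})

FIELDS = ("name", "version", "supplier", "license", "checksum", "purl")


def component_fields(comp):
    """Map one CycloneDX component to {field: value or None}.
    Empty strings and empty lists count as missing, not as present."""
    lic = None
    for entry in comp.get("licenses") or []:
        inner = entry.get("license") or {}
        lic = inner.get("id") or inner.get("name") or entry.get("expression")
        if lic:
            break
    checksum = None
    for h in comp.get("hashes") or []:
        if h.get("content"):
            checksum = f"{h.get('alg')}:{h['content']}"
            break
    return {
        "name": comp.get("name") or None,
        "version": comp.get("version") or None,
        "supplier": (comp.get("supplier") or {}).get("name") or None,
        "license": lic,
        "checksum": checksum,
        "purl": comp.get("purl") or None,
    }


def list_components(sbom_json):
    """Step 1 (the 'list' view): one row of field values per component."""
    return [component_fields(c) for c in json.loads(sbom_json).get("components", [])]


def field_scores(rows):
    """Per-field score 0..10 = share of components with a real value.
    Illustrative scheme, not sbomqs's scoring formula."""
    n = len(rows)
    return {f: (round(10 * sum(1 for r in rows if r[f]) / n, 1) if n else 0.0)
            for f in FIELDS}


# Assumed policy shape: required fields plus a license denylist.
POLICY = {
    "required": ("version", "license", "purl"),
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def evaluate_policy(rows, policy=POLICY):
    """Step 2 (transparency into action): (component, reason) per violation."""
    violations = []
    for r in rows:
        for f in policy["required"]:
            if not r[f]:
                violations.append((r["name"], f"missing {f}"))
        if r["license"] in policy["denied_licenses"]:
            violations.append((r["name"], f"denied license {r['license']}"))
    return violations


if __name__ == "__main__":
    rows = list_components(SAMPLE_SBOM)
    for r in rows:
        print("  ".join(f"{f}={r[f] or '<empty>'}" for f in FIELDS))
    print("field scores:", field_scores(rows))
    for name, reason in evaluate_policy(rows):
        print(f"VIOLATION {name}: {reason}")
```

The point of the `left-pad` row is the distinction the first post makes: `version` and `licenses` are present in the JSON but hold nothing, so a check that only tests for key existence would report them as fine, while a value-aware check flags both and the policy turns those flags into concrete violations.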