How to track security vulnerabilities used in binaries?


I have a software bill of materials (SBOM) Excel file and I want to somehow track the vulnerabilities being reported for the libraries and applications in it. I know that most SBOM tracking that exists today is basically integrated into the build process, but what about when we do not have a build process, or only have an Excel file, or, let's say, binary files? I can manually extract the list of libraries from a binary, but I have no idea if it is possible to basically give the list of software to an application and have it alert me whenever there is a CVE for a library (without integration into the build process). Is there any way to do it?

I heard about CycloneDX and the SLSA framework (https://github.com/slsa-framework/slsa). But again, is it possible to track by inserting the software versions manually? Because it seems like all existing tools are just for the build process, and the only way for me is to literally join the bug-tracking websites' mailing lists and put a filter on each library that I have.

Any idea?

Answer by coderpatros:

The OWASP Dependency-Track project does this. You can either load a CycloneDX SBOM with all the components or manually add them in the user interface.

As you already have the dependencies in an Excel spreadsheet, you could use the CycloneDX CLI tool to convert from CSV to CycloneDX format, although you will need to adjust the column names to match what it is expecting.

The important part is what component identifier and vulnerability sources you are using. CPE is hard to use, but is the only component identifier currently supported by the NVD for CVEs. But OSS Index supports package URL which is much more useful for SBOM use cases.
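The answer above describes two steps: turning a spreadsheet export into a CycloneDX SBOM whose components carry a package URL (purl), and loading that SBOM into Dependency-Track. Below is an added example of that pipeline in plain Python. It is not code from the answerer, the CycloneDX CLI, or Dependency-Track. The CSV column names (ecosystem, name, version), the sample rows, and the project names are constructed for the example; the purl construction follows the purl spec for the npm, pypi and maven types, and the upload payload follows Dependency-Track's documented BOM upload endpoint (PUT /api/v1/bom with an X-Api-Key header and a base64-encoded BOM), which you should check against the version you run. Nothing here sends a network request; the last function only builds the request body.

```python
import base64
import csv
import io
import json
import uuid
from urllib.parse import quote

# Constructed sample of a spreadsheet saved as CSV. The column names are an
# assumption for this example; the CycloneDX CLI expects its own headers.
SAMPLE_CSV = """ecosystem,name,version
npm,lodash,4.17.20
pypi,requests,2.25.1
maven,com.example:example-lib,1.2.3
"""


def make_purl(ecosystem, name, version):
    """Build a package URL (purl) for one component.

    purl type names follow the purl spec (npm, pypi, maven, ...).
    Maven coordinates arrive as 'group:artifact' and become
    pkg:maven/group/artifact@version. Other characters are percent-encoded,
    which is why scoped npm packages come out as pkg:npm/%40scope/pkg@...
    """
    eco = ecosystem.strip().lower()
    if eco == "maven":
        group, _, artifact = name.partition(":")
        path = f"{quote(group, safe='')}/{quote(artifact, safe='')}"
    elif eco == "pypi":
        # purl spec normalises PyPI names to lowercase with '-' instead of '_'
        path = quote(name.lower().replace("_", "-"), safe="")
    else:
        path = quote(name, safe="/")  # '/' separates a namespace from the name
    return f"pkg:{eco}/{path}@{quote(version, safe='')}"


def csv_to_cyclonedx(csv_text):
    """Convert CSV rows into a minimal CycloneDX 1.4 JSON BOM (as a dict).

    Each component gets a purl so that a vulnerability source that
    understands purl (such as OSS Index, as the answer notes) can match it;
    a CPE would have to be added per component for NVD-based matching.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    components = []
    for row in reader:
        components.append({
            "type": "library",
            "name": row["name"].strip(),
            "version": row["version"].strip(),
            "purl": make_purl(row["ecosystem"], row["name"].strip(),
                              row["version"].strip()),
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": components,
    }


def dependency_track_upload_payload(bom, project_name, project_version):
    """Build the JSON body for Dependency-Track's BOM upload (PUT /api/v1/bom).

    The BOM is sent base64-encoded; autoCreate asks the server to create the
    project if it does not exist yet. The API key goes in the X-Api-Key
    header of the actual request, which this example does not send.
    """
    encoded = base64.b64encode(json.dumps(bom).encode("utf-8")).decode("ascii")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": encoded,
    }


def decode_payload_bom(payload):
    """Reverse of the base64 step, so a caller can verify what would be sent."""
    return json.loads(base64.b64decode(payload["bom"]))


if __name__ == "__main__":
    bom = csv_to_cyclonedx(SAMPLE_CSV)
    print(json.dumps(bom, indent=2))
    body = dependency_track_upload_payload(bom, "manual-sbom", "2024-q1")
    print(json.dumps(body)[:200] + "...")
```

Once the BOM is loaded, Dependency-Track re-evaluates the project against its configured vulnerability sources on a schedule, which is what gives you the "alert me when a CVE appears" behaviour the question asks for without a build pipeline; re-uploading an edited CSV is the manual equivalent of a new build.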