
SBOMs can't flag vulnerable dependencies until after those are publicly known. Traceability is useful when mitigating a crisis, but it won't prevent one.
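The comment above makes the point that an SBOM only surfaces a vulnerable dependency once an advisory for it exists. The script below is an added example (not from this thread): it matches a minimal CycloneDX-style SBOM against an advisory list, and then shows that the same SBOM, unchanged, yields a new finding the moment an advisory for one of its components is published. All package names, versions and the `ADV-PLACEHOLDER-*` identifiers are constructed for illustration and are not real packages or advisories.

```python
import json

# Constructed minimal CycloneDX-style SBOM (made up; not a real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.3.1"},
    {"type": "library", "name": "example-yaml",   "version": "5.4.0"},
    {"type": "library", "name": "example-crypto", "version": "1.0.9"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# "fixed" is None when no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "example-http",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "example-yaml",
     "introduced": "0", "fixed": "5.4.0"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced if no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_sbom(sbom_json, advisories):
    """Cross-reference every SBOM component against the advisory list."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != name:
                continue
            if is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv.get("fixed"),
                })
    return findings


def findings_after_disclosure(sbom_json, advisories):
    """Re-run the same SBOM after a (constructed) advisory lands for example-crypto.

    Nothing in the SBOM changed; only the advisory feed did. That is the gap the
    comment describes: the SBOM is what lets you answer 'are we exposed?' quickly,
    but it cannot produce a finding before the advisory exists.
    """
    new_advisory = {"id": "ADV-PLACEHOLDER-0003", "package": "example-crypto",
                    "introduced": "1.0.0", "fixed": None}
    return match_sbom(sbom_json, advisories + [new_advisory])


if __name__ == "__main__":
    print("before disclosure:", match_sbom(SBOM_JSON, ADVISORIES))
    print("after disclosure: ", findings_after_disclosure(SBOM_JSON, ADVISORIES))
```

Before the third advisory is added, only `example-http` is flagged (`example-yaml` sits exactly on its fixed release, so the half-open range excludes it). The `example-crypto` finding appears only once the feed carries an advisory for it, which is the point of the comment: the SBOM is the lookup table, not the alarm.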


> Traceability is useful when mitigating a crisis, but it won't prevent one.

So how do you prevent a crisis then without knowing what your software stack has as dependencies?



