Chapter 54 Quiz: SBOM Operations & Software Composition Analysis¶

Test your knowledge of Software Bill of Materials formats (SPDX vs CycloneDX), SBOM generation tools, dependency analysis, dependency confusion attacks, license compliance, vulnerability correlation, malicious package detection, SCA pipelines, VEX integration, and SBOM security architecture.

Questions¶

1. What is a Software Bill of Materials (SBOM), and why did Executive Order 14028 make it a federal requirement?

• A) An SBOM is a vulnerability scan report
• B) An SBOM is a machine-readable inventory of all software components, dependencies, and metadata in a product — EO 14028 mandated SBOMs for federal software procurement because supply chain attacks (SolarWinds, Log4Shell, Codecov) demonstrated that organizations cannot defend what they cannot see, and SBOMs provide the visibility needed to rapidly answer "are we affected?" when a new vulnerability is disclosed in any dependency
• C) An SBOM only lists open-source components, not proprietary ones
• D) EO 14028 only applies to defense contractors

2. Compare SPDX and CycloneDX SBOM formats. What are the key differences in design philosophy and use cases?

• A) They are identical formats with different names
• B) SPDX (ISO/IEC 5962) was designed for license compliance and originated from the Linux Foundation — it excels at tracking copyright, licensing (SPDX license identifiers), and provenance. CycloneDX (OWASP) was designed for security and risk management — it excels at vulnerability tracking, VEX integration, and supply chain intelligence. SPDX supports more output formats (JSON, RDF, YAML, tag-value, XML) while CycloneDX is JSON/XML-focused. CycloneDX natively supports VEX documents within the SBOM; SPDX handles VEX through separate linkage
• C) SPDX is deprecated in favor of CycloneDX
• D) CycloneDX cannot represent license information

3. What is a dependency confusion attack, and why does it specifically exploit the relationship between internal and public package registries?

• A) Dependency confusion is when developers install the wrong version of a package
• B) Dependency confusion exploits how package managers resolve names when both internal and public registries exist — an attacker discovers internal package names (via leaked SBOMs, job postings, or error messages), registers identically-named packages on the public registry with higher version numbers, and when a developer's package manager falls back to the public registry (due to misconfiguration, missing scope, or registry ordering), it installs the attacker's malicious package because the public version number (99.0.0) is higher than the internal version (2.3.1)
• C) Dependency confusion only affects Python packages
• D) Using private registries eliminates the risk entirely

4. How does a VEX (Vulnerability Exploitability eXchange) document complement an SBOM in vulnerability management workflows?

• A) VEX replaces the need for SBOMs
• B) An SBOM tells you "this product CONTAINS vulnerable component X" but cannot answer "is the vulnerability actually EXPLOITABLE in this product?" — VEX provides exactly that answer with four status values: not_affected (component present but vulnerability not reachable via code path, configuration, or compensating control), affected (vulnerability is exploitable — remediation required), fixed (was affected, now remediated), under_investigation (assessment ongoing) — this prevents organizations from wasting resources patching vulnerabilities that exist in their SBOM but cannot be triggered
• C) VEX documents are only used by government agencies
• D) VEX status is embedded directly in CVE records

5. What are transitive dependencies, and why do they represent the largest attack surface in modern software supply chains?

• A) Transitive dependencies are optional development tools
• B) Transitive dependencies are indirect dependencies — packages that your direct dependencies depend on, recursively — a typical Node.js application with 20 direct dependencies may have 500-1,500 transitive dependencies, most of which the developer has never reviewed, creating a massive attack surface because: any single compromised transitive dependency can inject malicious code into every application that depends on it, version ranges in lockfiles may auto-upgrade to compromised versions, and developers have no visibility into transitive dependency changes without SBOM tooling
• C) Transitive dependencies are only found in Python projects
• D) Lockfiles eliminate all transitive dependency risks

6. What is GPL contamination in the context of license compliance, and how can SBOM-based license analysis prevent it?

• A) GPL contamination is a type of malware
• B) GPL contamination occurs when a copyleft-licensed component (GPL, AGPL) is included in proprietary software — under copyleft terms, the entire derivative work may be required to be released under the same open-source license, potentially forcing disclosure of proprietary source code — SBOM-based license analysis automatically scans all components (including transitive dependencies) for copyleft licenses, flags risk before distribution, and enables legal review of license compatibility before the software ships
• C) GPL only applies to Linux kernel code
• D) Using MIT-licensed wrappers around GPL code eliminates the obligation

7. An SCA (Software Composition Analysis) pipeline detects that a dependency has a known critical vulnerability (CVSS 9.8). What gating strategy should the CI/CD pipeline use?

• A) Block all builds with any known vulnerability regardless of severity
• B) Apply a risk-based gating strategy: Critical vulnerabilities (CVSS ≥ 9.0) with EPSS > 0.5 block the build immediately and require developer remediation. High vulnerabilities (CVSS 7.0-8.9) generate a warning and create a tracking ticket with a 7-day SLA. Medium/Low vulnerabilities are logged for batch review. All gates should support exception workflows — if the VEX status is not_affected, the vulnerability should not block the build even if CVSS is Critical, because the code path is not reachable
• C) Only block if the vulnerability is listed in CISA KEV
• D) SCA should only run weekly, not on every build

8. Describe the difference between SBOM generation at build time vs. at container image analysis time. Which is more accurate?

• A) They produce identical results
• B) Build-time SBOM generation (e.g., Syft analyzing package-lock.json during CI) captures the exact dependency tree as resolved by the package manager, including development dependencies. Container image analysis (e.g., Trivy scanning a Docker image) captures only the runtime components actually installed in the image, which may exclude dev dependencies but also reveals OS-level packages (glibc, openssl) and system libraries that build-time analysis misses — the most accurate approach is to generate BOTH and merge them, as build-time catches application dependencies precisely while image analysis catches the full runtime stack including OS packages
• C) Container image analysis is always more accurate
• D) Build-time analysis captures OS packages automatically

9. How can a published SBOM be weaponized by an attacker, and what mitigations balance transparency requirements with security?

• A) SBOMs cannot be weaponized — they only contain component names
• B) A published SBOM reveals internal package names (enabling dependency confusion), exact version numbers (enabling targeted exploits for known CVEs in those versions), dependency relationships (revealing the most impactful component to compromise), and technology stack details (guiding attack tool selection) — mitigations include: redacting internal package names (use hashed identifiers), publishing SBOMs only to authorized consumers (not public websites), reserving internal package names on public registries, implementing SBOM access controls with authentication, and using delayed publication (publish SBOM after patch availability, not before)
• C) Only government-mandated SBOMs can be weaponized
• D) Removing version numbers from SBOMs eliminates the risk

10. What is the SBOM maturity model, and what distinguishes a Level 1 organization from a Level 5 organization?

• A) Maturity levels only measure SBOM format compliance
• B) Level 1 (Ad Hoc): SBOMs generated manually on request, no automation, no policy, used only for compliance checkbox. Level 5 (Optimized): SBOMs generated automatically for every build in CI/CD, real-time vulnerability correlation with NVD/EPSS, automated VEX generation, SBOM diff monitoring between releases, license compliance gates in pipeline, SBOM distribution via CSAF trusted provider, full supply chain graph visibility across all products, and SBOM data feeding into risk quantification models — the difference is that Level 1 answers "what's in our software?" reactively while Level 5 answers "what changed, is it vulnerable, is it exploitable, and what's the business risk?" automatically and continuously
• C) All organizations start at Level 3
• D) Level 5 requires commercial SBOM tools; open-source tools can only reach Level 3

11. What is Sigstore/Cosign, and how does it provide supply chain integrity for container images and SBOMs?

• A) Sigstore is a vulnerability scanner
• B) Sigstore is a suite of open-source tools for software supply chain integrity — Cosign signs container images and artifacts (including SBOMs) with cryptographic signatures, Rekor provides a tamper-evident transparency log recording all signing events, and Fulcio issues short-lived certificates tied to OIDC identities (GitHub, Google) — this enables verifiable provenance: consumers can cryptographically verify that an image was built by a specific CI pipeline, signed by a specific identity, and the attached SBOM was generated at build time and hasn't been tampered with
• C) Sigstore only works with Docker Hub
• D) Cosign requires managing long-lived signing keys

12. A developer adds a new npm package to the project. The SBOM diff between the current and previous build reveals 47 new transitive dependencies. What should the SCA pipeline do?

• A) Automatically approve — developers choose their own dependencies
• B) Flag for security review: (1) scan all 47 new transitive dependencies for known vulnerabilities, (2) check licenses of all 47 against the approved license list, (3) verify package provenance (maintainer history, download counts, age of package), (4) check for typosquatting indicators (name similarity to popular packages, recent creation date, single maintainer), (5) compare against known malicious package databases (Socket.dev, Phylum, Snyk), (6) if all checks pass, approve with a note in the PR — if any flag triggers, block merge until human review
• C) Block the merge — 47 new dependencies is always excessive
• D) Only check the direct dependency, not the transitive ones

13. How does SBOM diff monitoring between releases improve supply chain security posture?

• A) SBOM diffs only show version number changes
• B) SBOM diff monitoring compares the component inventory between consecutive releases and alerts on: new components added (potential supply chain expansion), components removed (potential feature regression), version changes (upgrades that may introduce new vulnerabilities OR fix existing ones), license changes (a previously MIT-licensed dependency switching to AGPL), maintainer changes (detected via package metadata — a new maintainer could indicate a takeover), and hash changes without version bumps (potential tampering) — this provides continuous assurance that the software supply chain hasn't been manipulated between releases
• C) SBOM diffs only work with CycloneDX format
• D) Weekly SBOM diffing is sufficient for security monitoring

14. What detection query would identify potential dependency confusion attacks in your environment?

• A) Monitor npm audit output only
• B) Monitor DNS and network traffic from developer workstations for indicators of malicious postinstall scripts: unusual DNS TXT queries with base64-encoded subdomains (data exfiltration), outbound HTTP/S connections to unfamiliar domains from node/python processes during package installation, unexpected child processes spawned by npm/pip/gem during install, and file access to sensitive paths (~/.ssh/, ~/.aws/, .env files) by package manager child processes — additionally, monitor the package registry for resolution mismatches: packages resolved from the public registry that match internal naming patterns
• C) Check package.json for typos manually
• D) Only scan production servers, not developer workstations

15. Your organization is starting an SBOM program from scratch. Design the first 90 days.

• A) Start by purchasing an enterprise SBOM platform
• B) Days 1-30: Inventory and tooling — select SBOM format (CycloneDX for security focus), deploy generation tools (Syft for containers, cdxgen for applications) in ONE pilot CI/CD pipeline, generate first SBOMs, validate accuracy against manual dependency audit. Days 31-60: Vulnerability correlation — integrate Grype or Trivy for SBOM-based vulnerability scanning, configure severity-based CI/CD gating (block Critical + High EPSS), establish exception workflow, begin consuming vendor VEX feeds. Days 61-90: Operationalize — expand SBOM generation to all pipelines, implement license compliance scanning, begin SBOM diff monitoring between releases, reserve internal package names on public registries, create SBOM policy document, brief leadership on supply chain visibility improvements with metrics
• C) Focus exclusively on license compliance for the first 90 days
• D) Generate SBOMs for all products simultaneously from day 1

Scoring Guide¶