<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> they can theoretically be useful for security researchers looking to identify the blast radius on a library bug, too.</p><p>but I say &quot;theoretically&quot; because in my experience SBOMs are rarely accurate enough unless they&#39;re automated as part of a CI pipeline AND manually gap-analysed with reasonable frequency to catch overlooked dependencies, which literally nobody does because it&#39;s utterly tedious and not really beneficial in the general day-to-day case.</p>