The idea is that users of software or products containing software can understand the components in it and make informed decisions on what to do.
The classic example is an MRI machine at a hospital. You hear about a bug in the Java Spring library that must be patched asap. You need to do a complete inventory of everything in the hospital running software to decide if it is vulnerable or not.
When you get to the MRI machine: what OS does it run? Is it using Java and the affected component? Is the component an affected version?
Asking the manufacturer for everything for every security vulnerability is not scalable and may not result in accurate answers. By giving the consumer more info they are more empowered to act and make intelligent decesions.
I'm confused. When would I need "https://dependencytrack.org/"? Is it when I've completely lost my marbles and can no longer answer the questions "what does your app run on" and "what are your app's dependencies"? Is the idea that I would then download and install this "dependency tracker", hoping it would give me a list of things I depend on, so that I could inform the end user? What's the use case?
It's for the end user who purchases a lot of things which include software components to understand the total set of software they're running and be able to ask questions about licensing, vulnerabilities, and establish policies.
A developer (or even administrator of a single computer system) is not the user of something like this, typically.
Here's an example:
A small manufacturing business may have a dozen different machines. Each one has a set of software to control it, running on a computer embedded in the machine. The business also has a website (developed by a contractor), a bunch of software packages purchased from different vendors for accounting, inventory, payroll and scheduling. They probably have some internal home-grown tools too.
1. A new remotely exploitable CVE is announced in a widely-used open source library. Is the company vulnerable to it? Anywhere?
If each one of the pieces of software was delivered with a SBOM along with the actual code, you can use tools like this to look at this globally. It starts to make more sense at the scale of "all the software in the business" is provided by tens to hundreds of different vendors or teams that not only don't communicate with each other but also don't even know that the others exist.
They could sign up for a CTI (Cyber Threat Intelligence) service with a security company. Basically, they send you notifications about CVEs and related stuff.
My client isn't exactly a "small manufacturing business", but they do subscribe to such a service, and they did have the Java issue in a parent process. They have a security guy who's the main one expected to look at these, but he's not the one operating anything directly, so he can't be expected to know every last random lib that's used.
So when the Log4j2 issue came up, for example, he was aware there was "a Java issue" but had no automated way of knowing which systems, if any, were affected.
Before the government SBOM standard that kicked all this off was finalized, I'd asked about this and related items such as reproducible builds. The response I got is that getting honest information out of vendors would be a huge step forward for end customers. Being able to validate that information would require a lot more work. Things like SLSA levels 3+4 (https://slsa.dev/spec/v0.1/levels) go further to prevent lying, at least in situations where all the code can be compiled by third parties.
The idea is you feed a tool like that all of your SBOMs, and all of the SBOMs from your vendors. Then it'll tell you "these four widgets in your hospital are vulnerable to a newly discovered vulnerability called 'Log4Shell', they need to upgrade Log4j to version 2.17.0"
There's a cottage industry forming to do this sort of thing, mostly in the medical field, but it'll probably spread out.
It's less about first-party software and more for third-party off-the-shelf stuff you might run. For first-party stuff SBOMs can definitely feel useless.
It's not really a security tool per-se, in that it isn't designed exclusively for security use. Its purpose is to concisely and completely communicate what software components make up a project/system. You can use that information for security/licensing/regulation compliance/etc.
The classic example is an MRI machine at a hospital. You hear about a bug in the Java Spring library that must be patched asap. You need to do a complete inventory of everything in the hospital running software to decide if it is vulnerable or not.
When you get to the MRI machine: what OS does it run? Is it using Java and the affected component? Is the component an affected version?
Asking the manufacturer for everything for every security vulnerability is not scalable and may not result in accurate answers. By giving the consumer more info they are more empowered to act and make intelligent decesions.