Don't just give me a list; tell me which ones can be reached and targeted.

## What is an SBOM?

A software bill of materials (SBOM) is the inventory of the components that make up an application or service, and it is the most important single data point about that application's security and functionality. A precise and detailed SBOM is a verifiable statement that a person or a tool has checked every component and knows exactly where, when, and how each one is used. When an attack based on a known vulnerability appears, the SBOM is what lets defenders quickly identify every affected application and service that needs to be secured.

The question we asked ourselves at the beginning of this year was this: can we identify the components of an application that are more likely to be reached and targeted by adversaries at the point of generating the SBOM, so that defenders get a head start?

"Can we identify and mark these 'reachable components' in the SBOM itself?"

## Identifying reachable components

Identifying reachable components in an application or service is conceptually straightforward. We need the list of all paths an attacker could plausibly take from the application's entry points (sources) to its exit points (sinks). There are two fundamental techniques for producing this list:

1. Static analysis: maintain a large database of pattern queries, rules, policies, and annotations, then run those queries and scripts over the code to generate the list.

2. Dynamic analysis: execute the application or service under an instrumentation agent, capture call stacks and data flows over time, then match the collected symbols against the source SBOM to determine which components they belong to.

Both techniques have their pros and cons, but neither is usable as-is by a tool like cdxgen, which can neither depend on an external database nor instrument the application at runtime.

So, how can you build a tool to identify reachable flows for multiple languages with no database, rules, policies, or annotations?
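To make the two building blocks above concrete, here is the static variant in miniature: walk a call graph from sources to sinks, then map the symbols on those paths back to the SBOM's components. This is an added example written for this page, not cdxgen's or atom's code, and everything in it (the call graph, the source and sink sets, the package-prefix table, and the purls) is constructed sample data.

```python
"""Added example, not cdxgen or atom code: a minimal static reachability pass
that walks a call graph from entry points (sources) to exit points (sinks) and
matches the symbols on those paths back to the SBOM's components.

All data here is constructed for illustration: the call graph, the source and
sink sets, the package-prefix ownership table and the purls are sample values."""
from collections import deque

# Constructed call graph of a small Java web service: caller -> callees.
CALL_GRAPH = {
    "com.acme.api.UploadController.handle": ["com.acme.svc.ImportService.load"],
    "com.acme.svc.ImportService.load": [
        "com.fasterxml.jackson.databind.ObjectMapper.readValue",
        "org.apache.commons.io.FilenameUtils.normalize",
    ],
    "com.fasterxml.jackson.databind.ObjectMapper.readValue": [
        "com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose",
    ],
    # A second code path that no external entry point ever triggers.
    "com.acme.svc.ReportService.render": ["org.yaml.snakeyaml.Yaml.load"],
}

# Sources: externally triggerable entry points (an HTTP handler here).
SOURCES = ["com.acme.api.UploadController.handle"]
# Sinks: calls whose behaviour is driven by the data that reaches them.
SINKS = {
    "com.fasterxml.jackson.databind.ObjectMapper.readValue",
    "org.yaml.snakeyaml.Yaml.load",
}

# SBOM components (purl) and the Java package prefixes each one owns.
SBOM_COMPONENTS = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2": ["com.fasterxml.jackson.databind."],
    "pkg:maven/commons-io/commons-io@2.13.0": ["org.apache.commons.io."],
    "pkg:maven/org.yaml/snakeyaml@2.0": ["org.yaml.snakeyaml."],
    "pkg:maven/com.google.guava/guava@32.1.2-jre": ["com.google.common."],
}


def symbol_to_purl(symbol, components=SBOM_COMPONENTS):
    """Map a fully qualified symbol to the component owning its longest matching prefix."""
    best_purl, best_len = None, 0
    for purl, prefixes in components.items():
        for prefix in prefixes:
            if symbol.startswith(prefix) and len(prefix) > best_len:
                best_purl, best_len = purl, len(prefix)
    return best_purl  # None for first-party code such as com.acme.*


def walk(graph, sources, sinks):
    """Breadth-first walk from every source.

    Returns (reached, flows): every symbol reachable from a source, and one
    source-to-sink path per sink reached, which is enough to decide reachability."""
    reached, flows = set(), []
    for src in sources:
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            node = path[-1]
            reached.add(node)
            if node in sinks:
                flows.append(path)
            for callee in graph.get(node, []):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return reached, flows


def mark_reachable(graph=CALL_GRAPH, sources=SOURCES, sinks=SINKS, components=SBOM_COMPONENTS):
    """Tag each SBOM component with reachability and the source-to-sink call stacks that touch it."""
    reached, flows = walk(graph, sources, sinks)
    result = {}
    for purl in components:
        def owned(sym, purl=purl):
            return symbol_to_purl(sym, components) == purl
        result[purl] = {
            "reachable": any(owned(sym) for sym in reached),
            "callstacks": [f for f in flows if any(owned(sym) for sym in f)],
        }
    return result


if __name__ == "__main__":
    for purl, info in mark_reachable().items():
        tag = "REACHABLE" if info["reachable"] else "not reached"
        print(f"{tag:12} {purl}")
        for stack in info["callstacks"]:
            print("             " + " -> ".join(stack))
```

Note the three outcomes the sample produces: jackson-databind is reachable and carries a full source-to-sink call stack; commons-io is reached from the entry point but sits on no sink path, so it gets no call stack; snakeyaml and guava are declared in the SBOM but never reached from any source. A declared dependency with no reachable symbol is a legitimate result, not an analysis failure.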

## Announcing cdxgen 9.9.0

It gives us great pleasure to announce the release of cdxgen 9.9.0 with several improvements and features, most notably the improved evinse mode. Powered by atom, evinse can now identify reachable components for Java, JavaScript, and TypeScript applications. The resulting information is available to downstream SCA and ASPM tools, which can use it to prioritize the application's vulnerabilities better and cut down on false positives.

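What a downstream consumer does with such evidence is the other half of the story. The following is an added example, not cdxgen or CycloneDX project code, that triages the components of a CycloneDX SBOM by the reachability evidence attached to them. It assumes the CycloneDX 1.5 `evidence` object, where `evidence.callstack.frames` records a call stack reaching the component and `evidence.occurrences` records source locations that reference it; the SBOM document inside it is constructed sample data, not cdxgen output.

```python
"""Added example, not cdxgen or CycloneDX project code: triage the components of
a CycloneDX SBOM by the reachability evidence attached to each one.

Assumption: the document follows the CycloneDX 1.5 'evidence' object, where
'evidence.callstack.frames' holds a call stack that reaches the component and
'evidence.occurrences' holds source locations that reference it.
The SBOM below is constructed sample data, not cdxgen output."""
import json

# Constructed CycloneDX 1.5 document with three components in different evidence states.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "jackson-databind",
            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
            "evidence": {
                "occurrences": [{"location": "src/main/java/com/acme/svc/ImportService.java", "line": 42}],
                "callstack": {"frames": [
                    {"package": "com.acme.api", "module": "UploadController", "function": "handle"},
                    {"package": "com.acme.svc", "module": "ImportService", "function": "load"},
                    {"package": "com.fasterxml.jackson.databind", "module": "ObjectMapper", "function": "readValue"},
                ]},
            },
        },
        {
            "type": "library",
            "name": "commons-io",
            "purl": "pkg:maven/commons-io/commons-io@2.13.0",
            # Referenced in source, but no entry-point call stack was found.
            "evidence": {
                "occurrences": [{"location": "src/main/java/com/acme/svc/ImportService.java", "line": 51}],
            },
        },
        {
            # Declared in the build manifest only; no evidence of use at all.
            "type": "library",
            "name": "guava",
            "purl": "pkg:maven/com.google.guava/guava@32.1.2-jre",
        },
    ],
})

# Lower number = look at this component first when a finding affects it.
TIER_ORDER = {"reachable": 0, "used": 1, "declared": 2}


def evidence_tier(component):
    """Classify one component by the strongest evidence attached to it.

    reachable: a call stack from an entry point reaches the component
    used:      the component is referenced in source, but no entry-point path was found
    declared:  the component appears in the dependency manifest only
    """
    evidence = component.get("evidence") or {}
    frames = (evidence.get("callstack") or {}).get("frames") or []
    if frames:
        return "reachable"
    if evidence.get("occurrences"):
        return "used"
    return "declared"


def entry_point(component):
    """Return 'package.module.function' of the first call-stack frame, or None."""
    frames = ((component.get("evidence") or {}).get("callstack") or {}).get("frames") or []
    if not frames:
        return None
    f = frames[0]
    return ".".join(p for p in (f.get("package"), f.get("module"), f.get("function")) if p)


def triage(sbom_text):
    """Parse an SBOM and return [(purl, tier, entry_point)] ordered by priority."""
    sbom = json.loads(sbom_text)
    rows = [
        (comp.get("purl") or comp.get("name"), evidence_tier(comp), entry_point(comp))
        for comp in sbom.get("components", [])
    ]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[1]], r[0]))


if __name__ == "__main__":
    for purl, tier, ep in triage(SAMPLE_SBOM):
        print(f"{tier:9} {purl}" + (f"  via {ep}" if ep else ""))
```

The classifier deliberately treats an empty `frames` list the same as a missing `callstack`, so a component that carries occurrences but no usable call stack falls into the "used" tier rather than being over-prioritized. A finding against a "declared" component is still worth fixing, but it is the last one to chase.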
## Jugaad Innovation

When our team got together early this year to discuss reachability detection, the state-of-the-art technique was to use an AI/ML model to annotate libraries and build a knowledge graph. From the beginning, we agreed on the constraint that our implementation should work on the CLI in any CI/CD environment without the need for any database, rules, or policies. Solving this required a Jugaad Innovation in the field of program analysis. We invented a simple symbol tagger, flow analyzer, and static slicer to compute reachable flows, then tuned and refined the implementation for several months to make it work out of the box for any arbitrary application, library, or service.

Thanks to the wonderful OWASP community, the feature was alpha and beta-tested against a number of real-world applications prior to the release.

We're confident that our implementation will beat existing implementations, both open source and commercial, in precision and performance.

## What about pricing?

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Your gifts and donations are how we fund our activities to make the world safer.

If you agree that our team deserves funding to continue this work, use the link below to make an appropriate donation (based on the time saved and productivity gained), then proceed to try cdxgen 9.9.0.

https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX


John Kamau

Security Analyst | ISO 27001 Implementer & Auditor | ISO 27701 Implementer | IT Administrator

1 year ago

This is incredible! Looking forward to testing it out.

Christopher Di Dato, ex-Google, IBM, eBay, HP.

Technical Security Leader, Product Security, Cybersecurity, Cloud Security, Security Strategy. CISSP, SAFE, ITIL, MCP, HSCE

1 year ago

Nice!!!!! Been waiting for this.

Javier Dominguez

Application Security Engineer

1 year ago

Quick question: how difficult would it be, just using static analysis, to identify which methods of a library are called? That is, a library contains a vulnerability in a given method, but am I using that method? Maybe I am using the vulnerable library but it doesn't impact me at all because I'm not using the method that is vulnerable.

Kyle Kelly

Software Supply Chain Security

1 year ago

The reachable component has got to be one of, if not the best, additions to SBOM generation, in my opinion. I look forward to sharing this update in the next CramHacks Software Supply Chain Security Newsletter. To further my understanding: in what legitimate case(s) would a dependency in an SBOM find no reachable component? And does this update include the detection of transitive reachable components? I look forward to learning more. Awesome job!
