The Cyber Resilience Act (CRA) is transforming how we approach software security, demanding not only safer code but proof that it remains secure throughout its lifecycle. At the core of this is the Software Bill of Materials (SBOM): a transparent inventory of all components inside an application, built to reveal hidden dependencies and vulnerabilities.
A growing ecosystem of open-source and cloud-based tools promises to generate these SBOMs and automatically map vulnerabilities. Yet in practice, these tools often produce conflicting results, inconsistent package lists, and mismatched vulnerability reports, especially when scanning complex container images.
In this talk, we dissect why SBOMs and vulnerability reports diverge across tools, uncover the technical roots of these discrepancies in containerized environments, and discuss how developers can ensure their tooling remains CRA-compliant. Finally, we explore how the ecosystem must evolve to deliver a transparent, trustworthy, and secure software supply chain.
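As an added illustration of the divergence described above (example code, not material from the talk or from any named SBOM tool), the script below diffs two CycloneDX-style SBOMs for the same container image. The two documents, the package set and the advisory ID are constructed by hand to mimic typical scanner output: one tool emits purls with qualifiers and lists both a binary and its source package, the other drops qualifiers, percent-encodes characters, keeps a PyPI name's original case, misses a package, and inspects a Go binary the first tool skipped. Comparing raw purls makes every component look different; normalising identity first separates genuine coverage gaps from cosmetic ones, and shows why a vulnerability keyed on the missed package appears in only one report.

```python
"""Diff two SBOMs for the same container image after normalising identities.

Added example for this abstract, not code from the talk or any named tool. The
two CycloneDX-style documents are constructed by hand to mimic typical scanner
output; package names, versions and the advisory ID are illustrative only.
"""
import json
from urllib.parse import unquote

# Constructed sample: "scanner A" emits full purls with arch/distro qualifiers
# and catalogues both the binary package (libssl3) and its source (openssl).
SBOM_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12"},
        {"name": "libssl3", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/libssl3@3.0.13-1~deb12u1?arch=amd64"},
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed sample: "scanner B" drops qualifiers, percent-encodes the tilde,
# keeps the PyPI name's original case, misses libssl3, but does inspect a Go
# binary that scanner A skipped.
SBOM_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1%7Edeb12u1"},
        {"name": "Requests", "version": "2.31.0",
         "purl": "pkg:pypi/Requests@2.31.0"},
        {"name": "golang.org/x/net", "version": "v0.23.0",
         "purl": "pkg:golang/golang.org/x/net@v0.23.0"},
    ],
})

# Constructed advisory index keyed by version-less purl (placeholder ID).
ADVISORIES = {"pkg:deb/debian/libssl3": ["ADV-EXAMPLE-0001"]}


def normalize_purl(purl: str) -> str:
    """Reduce a package URL to its matching identity: type, namespace, name
    and version. Qualifiers (?arch=...) and subpaths (#...) are dropped,
    percent-encoding is decoded, type/namespace/name are lower-cased, and
    PyPI names map '_' to '-' as the purl spec requires."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    path, _, version = base.partition("@")   # first '@' separates the version
    scheme, _, rest = path.partition(":")
    parts = [unquote(p) for p in rest.split("/")]
    ptype, name = parts[0].lower(), parts[-1].lower()
    namespace = "/".join(p.lower() for p in parts[1:-1])
    if ptype == "pypi":
        name = name.replace("_", "-")
    ident = f"{scheme}:{ptype}/{namespace + '/' if namespace else ''}{name}"
    return f"{ident}@{unquote(version)}" if version else ident


def component_ids(sbom_json: str, normalize: bool = True) -> set[str]:
    """Collect component identities from a CycloneDX JSON document; a
    component without a purl falls back to a generic name@version key."""
    doc = json.loads(sbom_json)
    ids = set()
    for comp in doc.get("components", []):
        purl = comp.get("purl") or f"pkg:generic/{comp['name']}@{comp.get('version', '')}"
        ids.add(normalize_purl(purl) if normalize else purl)
    return ids


def diff_sboms(a_json: str, b_json: str, normalize: bool = True) -> dict:
    """Return components only in A, only in B, and in both."""
    a, b = component_ids(a_json, normalize), component_ids(b_json, normalize)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": sorted(a & b)}


def findings(sbom_json: str) -> dict:
    """Map each normalised component to the advisories it matches. A package
    a scanner never listed can never be matched, which is one reason two
    vulnerability reports for the same image disagree."""
    out = {}
    for ident in component_ids(sbom_json):
        versionless = ident.partition("@")[0]
        if versionless in ADVISORIES:
            out[ident] = ADVISORIES[versionless]
    return out


if __name__ == "__main__":
    print("raw:", json.dumps(diff_sboms(SBOM_A, SBOM_B, normalize=False), indent=2))
    print("normalised:", json.dumps(diff_sboms(SBOM_A, SBOM_B), indent=2))
    print("findings A:", findings(SBOM_A))
    print("findings B:", findings(SBOM_B))
```

Run as-is: the raw diff reports no common components at all, while the normalised diff leaves exactly one real gap on each side (libssl3 missing from B, the Go module missing from A). The same normalisation step is what you would apply before accepting any cross-tool SBOM comparison as evidence of a coverage problem.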