2025-06-14 –, E105 (capacity 70)
Vulnerability discovery is one of the crucial aspects of software supply chain security. We want to know which of the components in our software projects are affected by certain vulnerabilities, whether they are exploitable, and how severe the exploits are.
Organizations take different approaches to this topic, from using commercial software scanners to embedding SSCS practices early in their development process and preventing the usage and release of vulnerable projects.
In this session we will look behind the scenes of software vulnerability management. Where is all the data coming from? What are the formats in which data is exchanged? We will dig into the world of CVEs and VEX (Vulnerability exchange) documents and show how efforts like the OSV (Open Source Vulnerability) database help us keep safe. We will discuss some of the challenges of living in this multi-truth world.
In the end we will demo how project Trustify (https://github.com/trustification/trustify/) collects and analyses all this data in order to provide up-to-date vulnerability information for your SBOMs.
Intermediate - attendees should be familiar with the subject
I’m a software engineer at Red Hat with an interest in open source and integrating systems. Over the years I’ve been involved in various open source communities tackling problems like software supply chain security, IoT cloud platforms and edge computing, and enterprise messaging and integration.