In addition to SBOM, VEX and VDR, there are other types of attestations that can provide additional insight and trust regarding software origin and security.
One example is SLSA (Supply-chain Levels for Software Artifacts) [1], which among other things focuses on "package provenance" – that is, where and how a package or dependency has been built, and by whom.
This makes it possible to trace and verify a software component's origin through the supply chain.
How can they be used together?
By combining information from SBOM (which components are included), VEX (whether a vulnerability can actually be exploited), VDR (how vulnerabilities are reported and handled) and SLSA (traceability in the build process itself), you get a comprehensive picture of both content and origin.
Each attestation contributes its unique piece of the puzzle, allowing you to:
- Identify all components and their versions (SBOM)
- Assess the actual exploitability of vulnerabilities (VEX)
- Track how vulnerabilities are disclosed and handled (VDR)
- Verify the integrity and origin of the build process (SLSA)
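The following Python program is an added example, not code from the original article, of how the four sources can be joined per component to produce one prioritized view. All records are constructed inline and are simplified stand-ins for CycloneDX components, OpenVEX status values, VDR entries and SLSA builder ids; the vulnerability ids, builder URL and versions are invented. The provenance input here is assumed to be a builder id taken from an attestation that has already been verified separately.

```python
"""Combine SBOM, VEX, VDR and SLSA provenance into one prioritized view.

Added example, not code from the article. All records are constructed and
simplified stand-ins for CycloneDX components, OpenVEX statuses, VDR entries
and SLSA builder ids; vulnerability ids and builder URLs are invented.
"""
from dataclasses import dataclass

# Constructed SBOM: component name -> version (the "which components" question)
SBOM = {"libfoo": "1.2.0", "libbar": "3.0.1", "libbaz": "0.9.5"}

# Constructed advisory matches for those versions (what a scanner would produce)
VULN_MATCHES = {
    ("libfoo", "1.2.0"): ["VULN-EXAMPLE-0001"],
    ("libbar", "3.0.1"): ["VULN-EXAMPLE-0002"],
    ("libbaz", "0.9.5"): ["VULN-EXAMPLE-0003"],
}

# Constructed VEX statements using the OpenVEX status vocabulary. A vulnerability
# with no statement is treated as "unknown" and handled like "affected".
VEX = {
    "VULN-EXAMPLE-0001": "not_affected",  # vulnerable code path not reachable
    "VULN-EXAMPLE-0002": "affected",
}

# Constructed VDR entries: how each vulnerability was disclosed and whether a fix exists
VDR = {
    "VULN-EXAMPLE-0002": {"disclosed": "2024-01-15", "fix_available": True, "fixed_in": "3.0.2"},
}

# Constructed SLSA provenance summary: component -> builder id taken from an
# already-verified provenance attestation (verification itself is a separate step)
PROVENANCE = {
    "libfoo": "https://ci.example.internal/builder/v1",
    "libbar": "https://ci.example.internal/builder/v1",
    # libbaz ships with no provenance at all
}
TRUSTED_BUILDERS = {"https://ci.example.internal/builder/v1"}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    vex_status: str           # OpenVEX status, or "unknown" when no statement exists
    action: str               # what the combined data says to do
    provenance_trusted: bool  # origin tied to a trusted builder via SLSA provenance


def assess(sbom, vuln_matches, vex, vdr, provenance, trusted_builders):
    """Join the four sources per component and derive an action per vulnerability."""
    findings = []
    for component, version in sbom.items():
        trusted = provenance.get(component) in trusted_builders
        for vuln_id in vuln_matches.get((component, version), []):
            status = vex.get(vuln_id, "unknown")
            if status in ("not_affected", "fixed"):
                action = "no_action"  # VEX rules the finding out
            else:
                report = vdr.get(vuln_id, {})
                if report.get("fix_available"):
                    action = f"upgrade to {report['fixed_in']}"  # VDR says a fix exists
                else:
                    action = "mitigate_or_monitor"  # no fix known yet
            findings.append(Finding(component, version, vuln_id, status, action, trusted))
    return findings


def unverified_components(sbom, provenance, trusted_builders):
    """Components whose origin cannot be tied to a trusted builder (no usable SLSA provenance)."""
    return [c for c in sbom if provenance.get(c) not in trusted_builders]


def prioritize(findings):
    """Actionable findings first and, among those, untrusted origin first."""
    return sorted(findings, key=lambda f: (f.action == "no_action", f.provenance_trusted))


if __name__ == "__main__":
    for f in prioritize(assess(SBOM, VULN_MATCHES, VEX, VDR, PROVENANCE, TRUSTED_BUILDERS)):
        print(f"{f.component}@{f.version} {f.vuln_id}: vex={f.vex_status} "
              f"action={f.action} trusted_origin={f.provenance_trusted}")
    print("no trusted provenance:", unverified_components(SBOM, PROVENANCE, TRUSTED_BUILDERS))
```

Run as a script, the output places libbaz first: it has a vulnerability with no VEX statement, no VDR fix information and no provenance, so none of the four sources can reduce its risk, which is exactly the case where the combined view adds the most over any single attestation.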
SLSA in Practice
SLSA provides a framework with different maturity levels (1-4) that help organizations gradually improve their supply chain security. The higher the level, the more stringent the requirements for build integrity, provenance, and security.
This creates a standardized way to communicate and verify the trustworthiness of software artifacts throughout the supply chain.
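To make "verify the integrity and origin of the build process" concrete, the following Python program is an added example, not code from the article or from the SLSA project, of the checks a consumer performs on a provenance attestation: the statement type and predicate type are what they claim to be, the subject digest matches the artifact bytes actually in hand, and the builder id is one the organization trusts. The statement layout follows the in-toto Statement v1 and SLSA provenance v1 shape, but the builder id, repository, build type and artifact bytes are constructed for this example, and signature checking of the DSSE envelope that carries such a statement is assumed to have been done before this step.

```python
"""Check a SLSA provenance attestation against the artifact it describes.

Added example, not code from the article or from the SLSA project. The
statement layout follows the in-toto Statement v1 / SLSA provenance v1
shape, but the builder id, repository, build type and artifact bytes are
constructed for this example. Signature checking of the DSSE envelope that
carries such a statement is assumed to have been done before this step.
"""
import hashlib
import hmac
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed values for the example
BUILDER_ID = "https://ci.example.internal/builder/v1"
TRUSTED_BUILDERS = {BUILDER_ID}
ARTIFACT = b"example-artifact-bytes\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact_bytes: bytes, builder_id: str) -> dict:
    """Build a provenance statement the way a builder would emit it for one artifact."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.internal/buildtypes/container/v1",
                "externalParameters": {
                    "repository": "https://git.example.internal/app",
                    "ref": "refs/tags/v1.0.0",
                },
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact_name: str, artifact_bytes: bytes,
                      trusted_builders: set) -> tuple:
    """Return (ok, reasons). Every failed check is recorded rather than stopping early."""
    reasons = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        reasons.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        reasons.append("predicate is not SLSA provenance v1")

    # The subject digest ties the attestation to these exact bytes: recompute, never trust.
    expected = None
    for subject in statement.get("subject", []):
        if subject.get("name") == artifact_name:
            expected = subject.get("digest", {}).get("sha256")
    actual = sha256_hex(artifact_bytes)
    if expected is None or not hmac.compare_digest(expected, actual):
        reasons.append("subject digest does not match artifact")

    # Provenance is only as trustworthy as the builder that produced it.
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in trusted_builders:
        reasons.append(f"builder {builder!r} is not in the trusted set")

    return (not reasons, reasons)


if __name__ == "__main__":
    stmt = make_statement("app.tar.gz", ARTIFACT, BUILDER_ID)
    print(json.dumps(stmt, indent=2))
    print(verify_provenance(stmt, "app.tar.gz", ARTIFACT, TRUSTED_BUILDERS))
    print(verify_provenance(stmt, "app.tar.gz", ARTIFACT + b"tampered", TRUSTED_BUILDERS))
```

The function collects every failing check instead of returning at the first one, so a consumer can distinguish an artifact that was simply rebuilt (digest mismatch only) from one whose provenance came from an unexpected builder, which is the case the higher SLSA levels are designed to make visible.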