Suggestion to include guidance on tracking the components in your base image, and your own bundled software, as part of D02.
There are tools like Anchore Syft that can generate a software bill of materials for container images. This information can be fed into tools like OWASP Dependency-Track for continuous analysis and identification of vulnerable components.
It also helps address OWASP Top 10 A9:2017-Using Components with Known Vulnerabilities, and activities identified in the OWASP SCVS.
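A sketch of the workflow suggested above, added as an illustration and not part of the original suggestion or of either project's code. It takes a CycloneDX JSON SBOM of the kind `syft <image> -o cyclonedx-json` produces, splits components into base-image packages and bundled libraries, and builds the JSON body for Dependency-Track's `PUT /api/v1/bom` upload. The sample SBOM, the project name and the split by package URL type are assumptions.

```python
import base64
import json
from collections import defaultdict

# Constructed sample: a trimmed CycloneDX document, not output from a real image.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11", "purl": "pkg:deb/debian/openssl@3.0.11"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13", "purl": "pkg:deb/debian/zlib1g@1.2.13"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "operating-system", "name": "debian", "version": "12"},
    ],
}

# Assumption: distro package types come from the base image, everything else is bundled.
OS_PURL_TYPES = {"deb", "apk", "rpm"}

def purl_type(purl):
    """Return the package URL type, e.g. 'deb' for pkg:deb/debian/openssl@3.0.11."""
    if not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]

def split_inventory(sbom):
    """Group name@version strings into base-image, bundled and unclassified."""
    inventory = defaultdict(list)
    for comp in sbom.get("components", []):
        kind = purl_type(comp.get("purl", ""))
        if kind is None:
            layer = "unclassified"  # no purl: cannot be matched reliably
        elif kind in OS_PURL_TYPES:
            layer = "base-image"
        else:
            layer = "bundled"
        inventory[layer].append(f"{comp['name']}@{comp.get('version', '?')}")
    return {layer: sorted(items) for layer, items in inventory.items()}

def dependency_track_payload(sbom, project, version):
    """Build the JSON body for PUT /api/v1/bom (sent with an X-Api-Key header)."""
    encoded = base64.b64encode(json.dumps(sbom).encode("utf-8")).decode("ascii")
    return {"projectName": project, "projectVersion": version,
            "autoCreate": True, "bom": encoded}

if __name__ == "__main__":
    print(json.dumps(split_inventory(SAMPLE_SBOM), indent=2))
    # "example-app" is a hypothetical project name.
    print(sorted(dependency_track_payload(SAMPLE_SBOM, "example-app", "1.0.0")))
```

Regenerating and uploading the SBOM on every image build keeps the Dependency-Track project in step with what is actually deployed.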