SBOMs are a critical part of helping secure the software supply chain. Having a catalogue of libraries and components in an SBOM is obviously the key element of this, so that it can be queried by security tools to identify known vulnerabilities. So far so good.
I can’t help thinking that including a threat model in the SBOM would help to provide some additional context about the security decisions made by the vendor. What I mean is that, as a software vendor, I choose my third-party components and include them in my software. When I do that, I may make some security decisions, such as including a library with a known vulnerability because I know that we don’t use that library in a way that exposes the vulnerability. A threat model would be a way for me to communicate this to readers of my SBOM.
What do the SBOMmers think of this? Has any work been done in the area of marrying threat modeling and SBOMs?
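An added illustration, not part of the original post, of the situation the poster describes: an SBOM fragment in which the vendor records, per known vulnerability, whether the product is actually exposed and why, so that a scanner can separate justified "not affected" entries from ones that still need work. The field names are modelled on the shape of CycloneDX's `vulnerabilities[].analysis` block; the components, package refs and CVE identifiers are constructed placeholders.

```python
"""Triage an SBOM whose vulnerability entries carry the vendor's own
exploitability analysis. All data below is constructed for illustration;
the CVE identifiers are placeholders, not real advisories."""
from typing import Dict, List

SBOM = {
    "components": [
        {"name": "example-xml-lib", "version": "2.1.0", "bom-ref": "pkg:example/xml@2.1.0"},
        {"name": "example-http-lib", "version": "1.0.3", "bom-ref": "pkg:example/http@1.0.3"},
    ],
    "vulnerabilities": [
        {   # known CVE in a shipped library, with the vendor's reasoning attached
            "id": "CVE-0000-00001",  # placeholder
            "affects": [{"ref": "pkg:example/xml@2.1.0"}],
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "External entity parsing is disabled; the vulnerable path is never called.",
            },
        },
        {   # still being assessed: must stay visible to the reader of the SBOM
            "id": "CVE-0000-00002",  # placeholder
            "affects": [{"ref": "pkg:example/http@1.0.3"}],
            "analysis": {"state": "in_triage"},
        },
        {   # claims 'not affected' but gives no justification: do not trust it
            "id": "CVE-0000-00003",  # placeholder
            "affects": [{"ref": "pkg:example/http@1.0.3"}],
            "analysis": {"state": "not_affected"},
        },
    ],
}


def triage(sbom: Dict) -> Dict[str, List[str]]:
    """Return vulnerability ids grouped as 'suppressed' (vendor has justified
    non-exposure), 'open' (unresolved), or 'dangling' (refers to a component
    that is not actually in the SBOM, which a consumer should reject)."""
    known_refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    result: Dict[str, List[str]] = {"suppressed": [], "open": [], "dangling": []}
    for vuln in sbom.get("vulnerabilities", []):
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        if not refs or any(r not in known_refs for r in refs):
            result["dangling"].append(vuln["id"])
            continue
        analysis = vuln.get("analysis", {})
        justified = analysis.get("state") == "not_affected" and bool(analysis.get("justification"))
        result["suppressed" if justified else "open"].append(vuln["id"])
    return result
```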