There was some chatter on Twitter about this but it looks like part of the National Defense Authorization Act requires no known CVEs in any item within the SBOM:
(1) A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service identified in--
(A) the National Institute of Standards and Technology National Vulnerability Database; and
(B) any database designated by the Under Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, that tracks security vulnerabilities and defects in open source or third-party developed software.
1 comment
[ 3.5 ms ] story [ 14.7 ms ] thread