When organisations start with SBOMs, they focus almost exclusively on the code that ends up in the final product (the .jar, binary or container). But what if the tools you use to build that software are themselves compromised?
The Factory is the Target
Compile-time or build-time dependencies – think of compilers (GCC), build tools (Maven, Webpack), code generators (Lombok) and obfuscators – are traditionally skipped in the SBOM. Yet they have a fundamental impact:
- Code injection: A tool such as an "annotation processor" actively rewrites code during the build process. A bug or backdoor in that tool directly affects your application, long before it is packaged.
- The SolarWinds Lesson: This is exactly how the SolarWinds attack happened. The attackers infected the build system. While the source code looked perfectly safe, the malicious build pipeline secretly injected a backdoor into the freshly compiled software.
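One practical way to act on this is to check whether an SBOM actually covers the build tooling at all. The script below is an added example, not code from the original article: it audits a CycloneDX JSON document (the SBOM itself is a constructed sample) against a list of tools the build is known to use, treating components with scope "excluded" as build-time-only on the assumption that they never ship in the deliverable, and flags tools that are missing or listed without a hash that would let you verify them.

```python
"""Audit a CycloneDX SBOM for coverage of build-time tooling.

Added example, not code from the original article. Assumes a CycloneDX
JSON document where components used only during the build carry scope
"excluded" (they never ship with the product), and a constructed list of
tools the build is known to use.
"""
import json

# Constructed sample SBOM: one runtime library that is properly pinned,
# one build-time annotation processor that is listed but not hashed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "spring-core", "version": "6.1.2",
         "scope": "required",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "lombok", "version": "1.18.30",
         "scope": "excluded"},
    ],
})

# Tools the build is known to use (constructed for this example; in
# practice derive it from the pipeline, e.g. compiler and build-tool
# versions recorded in CI logs).
EXPECTED_BUILD_TOOLS = {"lombok", "maven", "gcc"}


def audit_build_tooling(sbom_json: str, expected_tools: set[str]) -> dict:
    """Return which expected build tools are absent from the SBOM and
    which listed build-time components cannot be verified (no hash)."""
    sbom = json.loads(sbom_json)
    components = sbom.get("components", [])
    # Build-time-only components: present at compile time, absent at runtime.
    build_time = [c for c in components if c.get("scope") == "excluded"]
    listed = {c["name"].lower() for c in build_time}
    missing = sorted(expected_tools - listed)
    # A build tool without a hash cannot be matched against a known-good
    # release, so a tampered copy would be indistinguishable in the SBOM.
    unverifiable = sorted(c["name"] for c in build_time if not c.get("hashes"))
    return {"missing": missing, "unverifiable": unverifiable}


if __name__ == "__main__":
    report = audit_build_tooling(SAMPLE_SBOM, EXPECTED_BUILD_TOOLS)
    print(json.dumps(report, indent=2))
```

For the sample above the report lists gcc and maven as missing entirely and lombok as present but unverifiable, which is exactly the gap the article describes.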
From reading to action
Curious how far your organisation is with the Cyber Resilience Act (CRA)? Test it in two minutes with the free Quickscan, or dive into the 4-week Survival Challenge.