PATTERN Cited by 1 source

Vulnerability fleet-sweep via SBOM query

Intent

When a critical CVE lands in a widely-used library (Log4Shell, Spring4Shell, OpenSSL preannounced advisories), the remediation window is measured in hours, not days. The vulnerability fleet-sweep via SBOM query pattern turns this from a "who owns which app — let's ask around" fire drill into a three-step automated response:

1. Query the fleet SBOM corpus for all applications containing the vulnerable (library, version-range).
2. Generate change-sets per build-tool type (Maven POM bump, Gradle version-catalog update, npm lockfile rewrite, Go go.mod edit, etc.).
3. Open pull requests across every affected repository, track remediation progress centrally via a dashboard.

The pattern assumes the SBOM-as- queryable-data-lake-asset foundation is already in place — without a fleet-wide SBOM corpus, step 1 reverts to per-repo scanning which doesn't scale.

Canonical wiki instance (Zalando 2023-04-12)

Zalando names the pattern verbatim:

"For large-scale patch actions (like the famous log4j upgrade), we prepare change sets for different types of build files and automate the Pull Request creation across all repositories. This allows for central tracking of the patch progress and requires minimal support from the team for the deployment." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game)

The supporting infrastructure at Zalando:

• SBOM corpus — container-scanned per deploy, in the data lake, SQL-queryable.
• Docker-image-metadata → team ownership — Zalando encodes the owning team in image metadata, so affected-app lookups resolve directly to a notification target.
• Build-tool-type detection — the change-set generator knows whether a given repo is Maven / Gradle / Go / npm, emits the right edit.
• Automated PR fan-out — the bot opens PRs across all identified repos, central dashboard tracks which have merged / been deployed / remain outstanding.

The pattern is motivated by two named forcing functions:

• log4j / Log4Shell (CVE-2021-44228, December 2021) — the defining mass-patch event for the post-2020 software industry.
• Other commonly-used library CVEs named in the post: "spring, commons-text" — the cluster of JVM libraries whose CVEs force fleet-wide response.
• Pre-announced advisories: "Some projects, like openssl, preannounce security updates allowing for more preparation time." Pre-announcement lets the change-set-generator be prepared before the CVE is live.

Why it works

• Cross-fleet visibility is the bottleneck, not the fix itself. Updating log4j-core from 2.14.0 to 2.17.0 is a one-line POM change. What's hard is knowing which apps need the change. SBOM query answers that in seconds; without the corpus, answering it takes engineer-weeks.
• Build-tool-specific change-sets amortise across repos. Write the Maven bump logic once, apply it to every Maven repo. The per-repo cost drops to the review + merge time of the auto-generated PR.
• Central tracking dashboards survive team rotation. A multi-week remediation window shouldn't require chasing individual engineers; the dashboard shows which repos remain outstanding and escalates automatically.
• Minimal team support. The post emphasises "requires minimal support from the team for the deployment" — the bot does the work, teams only review + merge.

Anti-patterns

• Per-repo security scanner without aggregation. Every repo gets its own alerts; no fleet visibility; every team scrambles separately. This is what most organisations had on 2021-12-09 when Log4Shell landed.
• Manual spreadsheet of which apps use which library. Accurate briefly, stale within weeks. Any post-discovery deployment can change the picture. The SBOM corpus makes the spreadsheet computed instead of maintained.
• Human-authored PRs across all affected repos. Works for tens of repos, doesn't scale to hundreds or thousands. The per-PR effort and review latency turn remediation from hours into weeks.
• Trust language-manifest scans alone. Miss anything transitively-bundled (fat-jar / shaded dep, vendored Go module, pre-built binary in a base image). The SBOM corpus's container-extraction shape (concepts/container-extracted-sbom) catches these; per-repo lockfile scans don't.

Success metric

The key metric is MTTR — mean time from CVE announcement to fleet-wide remediation. Without the pattern, Log4Shell took weeks to days at most large orgs. With it, hours is achievable (pending PR review latency + deployment cadence).

Zalando doesn't quote their Log4Shell MTTR; they describe the capability as "very low time it takes us to analyze the impact" but stop short of a quantified number.

Scope boundary

The pattern fixes which apps; it does not fix whether the app is actually exploitable on the affected code path. An app that bundles log4j-core but never calls any logging with user-controlled input on a JNDI-lookup-capable codepath is technically vulnerable (update anyway) but not exploitable. concepts/transitive-dependency-reachability at the per-binary altitude is the complement that answers the exploitability question — the SBOM answers presence, reachability analysis answers reachability.

Seen in

• sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game — canonical wiki instance. Zalando frames log4j + Akka license change + OpenSSL preannounced advisories as the forcing functions; the full stack (SBOM corpus + build-tool-specific change-set generation + auto-PR + central tracking dashboard) is the Zalando contribution.

Related

• patterns/sbom-as-queryable-data-lake-asset — the foundation layer this pattern depends on.
• concepts/sbom-software-bill-of-materials — the artifact.
• patterns/dependency-update-discipline — the per-repo update discipline this pattern automates at fleet scale.
• systems/dependabot — a related but less fleet-aware primitive for per-repo CVE patching.
• systems/log4j — the canonical forcing function.