When One Product Has Three SBOMs: Lessons from Embedded Vulnerability Management

UD2.208 (Decroly) | Day 2 | 09:30 - 10:00 | Speakers: Marta Rybczynska

Abstract

Modern embedded products are no longer single-processor devices. A typical architecture combines a Linux-based main system, one or more microcontrollers running RTOS workloads, and cloud-side processing also running on Linux. Each of these components produces its own SBOM - often using different formats, tooling, and levels of detail.

But what happens when you need to use all of them together for vulnerability management?

This talk shares a real-world journey of attempting to aggregate and analyse SBOMs across heterogeneous parts of an embedded product. We will walk through the practical challenges encountered: incompatible SBOM formats, ambiguous identifiers, conversion tools that fail in unexpected ways, and friction between ecosystem assumptions and embedded reality. The goal is to highlight what currently works, what does not, and what the community could improve to make multi-SBOM workflows feasible for embedded systems.

Attendees will leave with concrete insights, pitfalls to avoid, and a clearer picture of the current limits of SBOM-based vulnerability management in complex (but totally common) embedded architectures.
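The aggregation problem the abstract describes can be made concrete with a small script. The following is an added example, not code from the talk or its speaker: it takes three constructed SBOM documents for a hypothetical product (two CycloneDX JSON, one SPDX JSON, standing in for the Linux main system, the RTOS microcontroller and the cloud side), normalises every component to a single key (the purl where one exists, otherwise a name@version fallback), and then reports the two things that make multi-SBOM vulnerability management hard: the same library shipped in different versions in different subsystems, and components whose identifier could not be resolved to a purl. The subsystem names, package names and versions are all invented sample data.

```python
"""Aggregate heterogeneous SBOMs into one normalised component inventory."""
import json
from collections import defaultdict

# Constructed sample SBOMs for one hypothetical product (not documents from
# the talk). Two are CycloneDX JSON, one is SPDX JSON, mirroring the mixed
# tooling that different parts of an embedded product typically produce.
SBOM_DOCUMENTS = {
    "linux-main": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.13",
             "purl": "pkg:generic/openssl@3.0.13"},
            {"type": "library", "name": "zlib", "version": "1.3.1",
             "purl": "pkg:generic/zlib@1.3.1"},
        ],
    }),
    "rtos-mcu": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [
            {"SPDXID": "SPDXRef-mbedtls", "name": "mbedtls",
             "versionInfo": "3.5.0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:generic/mbedtls@3.5.0"}]},
            # Same library as on the Linux side, older version, no purl:
            # the ambiguous-identifier case.
            {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.13"},
        ],
    }),
    "cloud": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.13",
             "purl": "pkg:generic/openssl@3.0.13"},
            # No version at all: cannot be matched against advisories.
            {"type": "library", "name": "libcurl"},
        ],
    }),
}


def parse_sbom(text):
    """Return (name, version, purl) triples from a CycloneDX or SPDX JSON
    document, detecting the format from its top-level keys."""
    doc = json.loads(text)
    records = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            records.append((comp.get("name"), comp.get("version"), comp.get("purl")))
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            purl = None
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purl = ref.get("referenceLocator")
                    break
            records.append((pkg.get("name"), pkg.get("versionInfo"), purl))
    else:
        raise ValueError("unrecognised SBOM format")
    return records


def aggregate(documents):
    """Merge several SBOMs into one inventory keyed by a normalised identifier.

    The key is the purl when present, otherwise 'name@version'. Each entry
    records which subsystems contain the component and whether the key came
    from a purl (resolved) or was only derived from the name (unresolved).
    """
    inventory = {}
    for subsystem, text in documents.items():
        for name, version, purl in parse_sbom(text):
            key = purl if purl else f"{name}@{version or 'unknown'}"
            entry = inventory.setdefault(key, {
                "name": name, "version": version,
                "resolved": purl is not None, "subsystems": set(),
            })
            entry["subsystems"].add(subsystem)
    return inventory


def version_conflicts(inventory):
    """Map name -> set of versions for libraries that appear with different
    versions across subsystems; a single advisory may then apply to one part
    of the product and not to another."""
    versions = defaultdict(set)
    for entry in inventory.values():
        versions[entry["name"]].add(entry["version"])
    return {n: v for n, v in versions.items() if len(v) > 1}


def unresolved(inventory):
    """Keys that had no purl and therefore need manual identifier mapping."""
    return sorted(k for k, e in inventory.items() if not e["resolved"])


if __name__ == "__main__":
    inv = aggregate(SBOM_DOCUMENTS)
    for key, entry in sorted(inv.items()):
        print(f"{key:32} {sorted(entry['subsystems'])} resolved={entry['resolved']}")
    print("version conflicts:", version_conflicts(inv))
    print("unresolved identifiers:", unresolved(inv))
```

Run stand-alone, the script lists five inventory entries: openssl is shared by the Linux and cloud sides, zlib shows up as a version conflict between the Linux system and the RTOS firmware, and both the purl-less zlib package and the version-less libcurl component land in the unresolved list. Real SBOMs carry many more fields (hashes, CPEs, supplier data), but keying on purl first and falling back to name@version is the minimum normalisation needed before any of them can be matched against vulnerability data as one product.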
