As a means of enhancing the security of the software supply chain, vulnerability management using software bills of materials (SBOMs) is coming under the spotlight. Vulnerabilities in software can be detected by checking SBOMs against open vulnerability databases. Vulnerabilities that require early action must be automatically and appropriately identified and addressed from among the more than 50,000 vulnerabilities registered annually. In this report, we introduced a prioritization method based on decision tree analysis, in which information on susceptibility to attacks and damage caused by attacks are used in addition to the severity of vulnerabilities, and confirmed the effectiveness of the method.
