Reply to post: Re: log4j works as specified

Open source isn't the security problem – misusing it is

SCP

Re: log4j works as specified

"Exactly. None of the proposals mentioned in this article would have had any impact on it."

If by "it" you mean the security issues arising from the use of log4j, I would agree. The article, however, is noting one of the problems of rectifying an issue once it is found - namely that it is difficult to know whether and where the software of concern is in your build.

It is the post-event clean-up that the proposals seek to address by allowing corrective actions to be efficiently and effectively applied.

I think SJVN [author] is right to be cautious as to when a good SBOM might be realised. To my mind the challenge will not be for the "fair wind" case, but in establishing a robust solution that will satisfy security needs (e.g. prevent falsified SBOMs).
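The two concerns above, finding out whether and where a component sits in a build and catching an SBOM that no longer matches what actually shipped, worked through as an added example that is not part of the comment or of any real SBOM tool; the CycloneDX-style SBOM fragment, component names, versions and artifact bytes are all constructed.

```python
import hashlib
# Constructed CycloneDX-style SBOM fragment (example data, not a real build).
SBOM = {
    "components": [
        {"bom-ref": "app", "name": "payments-service", "version": "1.4.0"},
        {"bom-ref": "report-lib", "name": "report-lib", "version": "3.2.1"},
        {"bom-ref": "json-lib", "name": "json-lib", "version": "1.0.0"},
        {"bom-ref": "log4j-core", "name": "log4j-core", "version": "2.0-example"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["report-lib", "json-lib"]},
        {"ref": "report-lib", "dependsOn": ["log4j-core"]},
        {"ref": "json-lib", "dependsOn": ["log4j-core"]},
    ],
}
# Constructed bytes standing in for the jars the build actually ships.
ARTIFACTS = {c["bom-ref"]: f"constructed {c['bom-ref']} jar".encode() for c in SBOM["components"]}
# Record each artifact's SHA-256 in the SBOM, as an SBOM generator would.
for comp in SBOM["components"]:
    digest = hashlib.sha256(ARTIFACTS[comp["bom-ref"]]).hexdigest()
    comp["hashes"] = [{"alg": "SHA-256", "content": digest}]

def find_paths(sbom, name):
    """Every dependency path from a root to a component called `name`:
    tells you whether it is in the build and, via the path, where."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    depended_on = {child for kids in edges.values() for child in kids}
    paths = []
    def walk(ref, trail):
        trail = trail + [ref]
        if comps[ref]["name"] == name:
            paths.append([f"{comps[r]['name']}@{comps[r]['version']}" for r in trail])
        for child in edges.get(ref, []):
            if child not in trail:  # guard against cyclic dependency graphs
                walk(child, trail)
    for root in (r for r in comps if r not in depended_on):
        walk(root, [])
    return paths

def verify_hashes(sbom, artifacts):
    """Compare each recorded SHA-256 with the artifact actually present.
    False = SBOM or artifact was altered; None = no hash, so unverifiable."""
    results = {}
    for comp in sbom["components"]:
        recorded = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        data = artifacts.get(comp["bom-ref"])
        results[comp["bom-ref"]] = None if recorded is None or data is None else hashlib.sha256(data).hexdigest() == recorded
    return results
```

The hash check only detects a mismatch between the SBOM and the artifacts on hand; a document forged by whoever produced it in the first place would pass, so a robust solution also needs a signature over the SBOM from a party you trust.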
