
In the case of something like xzutils, you would perhaps have listed it as low risk, as it's shipped with your OS. After the backdoor incident, you'd have adjusted the risk assessment, and utilities like it. Once you hit a certain level you might question if you truly need the entire xzutils package or if you could replace it.

In other cases you might have a library you depend on, but it's no longer maintained, so it might score really high on risk, meaning that you should probably address that dependency in your next development cycle.

So the SBOM and risk assessment wouldn't necessarily catch vulnerabilities, but it makes it simple to check if you're affected and generally helps you manage/reduce your attack surface.
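The workflow the comment describes (SBOM lookup to see if you're affected, plus a per-dependency risk score that rises for unmaintained packages or past incidents), as an added example that is not part of the original post; the SBOM, advisory, version strings and risk weights are all constructed for illustration.

```python
"""Added example: check a CycloneDX-style SBOM against an advisory and rank
components by a simple maintenance/incident risk score (constructed data)."""
import json

# Constructed sample SBOM in CycloneDX-like JSON; versions are hypothetical.
SBOM_JSON = """{
  "components": [
    {"name": "xz-utils", "version": "5.6.1", "purl": "pkg:deb/debian/xz-utils@5.6.1"},
    {"name": "libfoo",   "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0"},
    {"name": "zlib",     "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"}
  ]
}"""

# Constructed advisory: package name plus the set of affected versions.
ADVISORY = {"name": "xz-utils", "affected_versions": {"5.6.0", "5.6.1"}}

# Constructed risk inputs, one record per dependency (the "assessment" itself):
# from_os   - shipped with the OS (starts as low risk)
# maintained- upstream still active
# incident  - has had a supply-chain event, so the score is adjusted upward
RISK_INPUTS = {
    "xz-utils": {"from_os": True,  "maintained": True,  "incident": True},
    "libfoo":   {"from_os": False, "maintained": False, "incident": False},
    "zlib":     {"from_os": True,  "maintained": True,  "incident": False},
}

def affected_components(sbom_json: str, advisory: dict) -> list[str]:
    """Return purls of SBOM components whose name and version match the advisory."""
    sbom = json.loads(sbom_json)
    return [
        c["purl"] for c in sbom["components"]
        if c["name"] == advisory["name"]
        and c["version"] in advisory["affected_versions"]
    ]

def risk_score(inputs: dict) -> int:
    """Toy score: OS-shipped starts low; unmaintained and past incidents add to it."""
    score = 1 if inputs["from_os"] else 3
    if not inputs["maintained"]:
        score += 5
    if inputs["incident"]:
        score += 4
    return score

def ranked_risks(risk_inputs: dict) -> list[tuple[str, int]]:
    """All dependencies, highest risk first, for the next development cycle."""
    return sorted(((name, risk_score(i)) for name, i in risk_inputs.items()),
                  key=lambda t: t[1], reverse=True)
```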


