D02 - Patch Management Strategy Suggestion

[coderpatros]

Suggestion to include guidance on tracking the components in your base image, and your own bundled software, as part of D02.

There are tools like Anchore Syft that can generate a software bill of materials for container images. This information can be fed into tools like OWASP Dependency-Track for continuous analysis. And identification of vulnerable components.

It also helps address OWASP Top 10 A9:2017-Using Components with Known Vulnerabilities, and activities identified in the OWASP SCVS.