When people think about Supply Chain security, they generally think of SBOM and vulnerabilities in your direct and transitive dependencies.

But most people are completely blind to vulnerabilities in the Build Pipeline of those same dependencies. The SLSA framework considers those (https://slsa.dev/spec/v0.1/threats#build-integrity-threats) to some extent. And OpenSSF aficionados know, but it's still niche.

I like to think of those as a parallel universe! An orthogonal plane of vulnerabilities that are beneath the surface and completely independent of vulnerabilities in the source code of the project itself. Basically never tracked as CVEs... Those can be nested deep, deep, in a transitive build dependency 5 levels down.