Suspect propagation

React automatically when a new vulnerability lands — affected components and the work that depends on them are flagged for re-verification.

An SBOM that’s only checked at import is a snapshot that goes stale. New vulnerabilities are disclosed every day, and the real value is reacting when one lands against a component you already ship. Suspect propagation is how TraceUnified does that.

Why a clean SBOM doesn’t stay clean

The components in your product don’t change, but the world’s knowledge about them does. A dependency that had no known issues at import can become the subject of a newly published CVE tomorrow. Without a mechanism to react, that new risk sits invisible until the next manual scan — exactly the gap that lets a known-vulnerable component ship.

Suspect, applied to the supply chain

TraceUnified uses the same suspect mechanism across the SBOM that it uses across the rest of the thread. When a new vulnerability is matched to a component already in your inventory, that component — and the work linked to it — is flagged suspect: a signal that something it depends on has changed and it needs to be looked at again. The flag is explicit and visible, not a silent status change.

Propagation along the thread

Because components are linked to the risks they pose and, through those, to requirements, tests, and releases, a new vulnerability doesn’t stop at the component. The suspect flag propagates to the connected work, so the requirement whose control depends on that component, and the release that includes it, are surfaced too. You see not just “this component now has a CVE,” but everywhere in your product where it matters.

Acting on it

A suspect flag is a prompt to act: assess the new vulnerability, update or replace the component, re-verify the affected controls, and clear the flag once the work is sound again. The history of the flag and its resolution stays in the record — demonstrable evidence that your team responded to the disclosure rather than missing it. The general mechanics of suspect links and impact analysis are covered in Traceability.
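As an added illustration (not TraceUnified's own code), the following Python models the mechanism described above: a newly disclosed advisory is matched against the inventory, the suspect flag is propagated along the component → risk → requirement → test and component → release links, and an audit trail records each flag and its explicit clearing. Node names, the advisory shape and the version comparison are assumptions made for this example.

```python
# Illustrative model of suspect propagation (added example, not TraceUnified's own
# code); node names, the advisory shape and the version comparison are assumptions.
class Thread:
    """Components linked onward to the risks, requirements, tests and releases that depend on them."""
    def __init__(self):
        self.links = {}       # upstream node -> downstream work that depends on it
        self.suspect = set()  # nodes currently flagged suspect
        self.history = {}     # node -> [(event, reason)] audit trail, never pruned

    def link(self, upstream, downstream):
        self.links.setdefault(upstream, []).append(downstream)

    def flag(self, start, reason):
        """Mark `start` and everything reachable downstream suspect; return what was flagged."""
        flagged, stack = [], [start]
        while stack:
            name = stack.pop()
            if name in flagged:            # a node reachable by two paths is flagged once per advisory
                continue
            self.suspect.add(name)
            self.history.setdefault(name, []).append(("flagged", reason))
            flagged.append(name)
            stack.extend(self.links.get(name, []))
        return flagged

    def clear(self, name, resolution):
        """Clear one node explicitly; downstream flags stay until each is re-verified on its own."""
        self.suspect.discard(name)
        self.history.setdefault(name, []).append(("cleared", resolution))

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def on_new_advisory(thread, inventory, advisory):
    """Match a newly disclosed advisory against the inventory and flag every affected component."""
    hits = []
    for comp, (package, version) in inventory.items():
        if package == advisory["package"] and parse_version(version) < parse_version(advisory["fixed_in"]):
            hits += thread.flag(comp, advisory["id"])
    return hits

# Constructed sample thread (component -> risk -> requirement -> test, component -> release)
# and a constructed advisory with a placeholder id, not a real CVE.
THREAD = Thread()
for up, down in [("comp:parser", "risk:R-7"), ("risk:R-7", "req:REQ-12"), ("req:REQ-12", "test:T-40"),
                 ("comp:parser", "rel:1.4.0"), ("comp:compress", "rel:1.4.0")]:
    THREAD.link(up, down)
INVENTORY = {"comp:parser": ("example-parser", "1.4.2"), "comp:compress": ("example-compress", "2.0.0")}
ADVISORY = {"id": "ADV-EXAMPLE-0001", "package": "example-parser", "fixed_in": "1.4.3"}
HITS = on_new_advisory(THREAD, INVENTORY, ADVISORY)   # parser and its dependents, not compress
```

Clearing the component after the upgrade leaves the release and the requirement flagged until each is re-verified, which is the explicit, per-item resolution the page describes.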
