sbom vulnerability