HACKER Q&A
📣 i_like_robots

How do you track runtime versions in use by your systems?


I work for a large organisation with over 2000 systems spread across serverless functions, virtual machines and PaaS providers, and projects are written in Java, Go, Python and JavaScript.

Although we already maintain lots of valuable data about all of our systems, we're looking to better understand which software runtimes are in use, for example Node.js v18.18 or Python v3.6. This information will help us to ensure we remain up to date and as secure as we can be across the org.

For some resources, understanding which runtimes are currently in use is straightforward; for example, AWS Lambda is unambiguous and the information is an API call away, but for PaaS and containers it's proving more challenging.

Various tools are in use already which can report a software bill of materials (SBOM) - Trivy, Syft, Snyk, even GitHub - but whilst these can list dependencies installed by various package managers, none currently report the runtime/s when directed towards a code repository or Docker image.

So how do you track runtime versions across your organisations? Do you scan your code repositories for pom.xml files, or install agents in containers, or demand teams send reports at deploy time? I'd love to know!
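One concrete form of the "scan your code repositories" approach, as an added example that is not part of the original post: it pulls declared runtime versions out of the manifests a repository typically carries (Dockerfile base-image tags, package.json engines, .python-version, go.mod, pom.xml). SAMPLE_REPO and every file in it are constructed for the example; the caveat is that a declared version is not proof of what is deployed.

```python
"""Declared runtime versions from repository manifests (added example, not from
the post; SAMPLE_REPO is a constructed stand-in for a checked-out repository).
Declared versions are a hint: the deployed runtime can differ, reconcile them."""
import json
import re
from xml.etree import ElementTree as ET

SAMPLE_REPO = {  # constructed sample files: path -> contents
    "Dockerfile": "FROM node:18.18-alpine AS build\n"
                  "FROM gcr.io/distroless/nodejs18-debian12\n",
    "package.json": '{"name": "svc", "engines": {"node": ">=18.18"}}',
    ".python-version": "3.6.15\n",
    "go.mod": "module example.com/svc\n\ngo 1.21\n",
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0">'
               "<properties><java.version>17</java.version></properties></project>",
}
# Images whose tag carries the runtime version; distroless/custom (2nd FROM) are skipped.
RUNTIME_IMAGES = {"node": "node", "python": "python", "golang": "go",
                  "eclipse-temurin": "java", "openjdk": "java"}

def runtimes_from_dockerfile(text):
    """(runtime, version, source) for each FROM line that uses a known image."""
    found = []
    for m in re.finditer(r"^\s*FROM\s+(\S+)", text, re.M):
        image = m.group(1).split("/")[-1]          # drop registry and namespace
        name, _, tag = image.partition(":")
        if name in RUNTIME_IMAGES:                 # "18.18-alpine" -> "18.18"
            found.append((RUNTIME_IMAGES[name], tag.split("-")[0] or "latest", "Dockerfile"))
    return found

def declared_runtimes(files):
    """Collect runtime declarations from the manifest types the post mentions."""
    out = list(runtimes_from_dockerfile(files.get("Dockerfile", "")))
    node = json.loads(files.get("package.json", "{}")).get("engines", {}).get("node")
    if node:                                       # a range, not a pinned version
        out.append(("node", node, "package.json engines"))
    if ".python-version" in files:
        out.append(("python", files[".python-version"].strip(), ".python-version"))
    m = re.search(r"^go\s+(\S+)", files.get("go.mod", ""), re.M)
    if m:
        out.append(("go", m.group(1), "go.mod"))
    if "pom.xml" in files:                         # {*} matches the POM namespace
        el = ET.fromstring(files["pom.xml"]).find("./{*}properties/{*}java.version")
        if el is not None and el.text:
            out.append(("java", el.text.strip(), "pom.xml java.version"))
    return out

if __name__ == "__main__":
    for runtime, version, source in declared_runtimes(SAMPLE_REPO):
        print(f"{runtime:<7} {version:<10} {source}")
```

Run it over a real checkout by replacing SAMPLE_REPO with a directory walk; the distroless FROM line deliberately produces nothing, which is exactly the gap an image-level check has to close.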


  👤 jruohonen Accepted Answer ✓
"Various tools are in use already which can report a software bill of materials (SBOM) - Trivy, Syft, Snyk, even GitHub - but whilst these can list dependencies installed by various package managers, none currently report the runtime/s when directed towards a code repository or container."

I'd also be interested to know the state of the art of SBOMs and tools thereto. Can someone write a summary article?