Software Bill of Materials (SBOM)

A comprehensive inventory of all components, libraries, and dependencies used in a software application, enabling transparency and vulnerability management.

Also known as: SBOM, Bill of Materials

What is a Software Bill of Materials?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of software components and dependencies in a codebase. Like a bill of materials in manufacturing, it provides transparency into what's inside software, enabling better security and compliance management.

SBOM Contents

Component Information

  • Component name
  • Version
  • Supplier/author
  • Unique identifiers (CPE, PURL)

Relationship Data

  • Dependency relationships
  • Included components
  • Build dependencies

Metadata

  • License information
  • Hash values
  • Source repository

SBOM Formats

SPDX

  • Linux Foundation standard
  • Broad adoption
  • Supports multiple use cases

CycloneDX

  • OWASP standard
  • Security-focused
  • Lightweight format

SWID

  • ISO standard
  • Software identification
  • Mature specification

Use Cases

Vulnerability Management: Track known vulnerabilities in components.

License Compliance: Identify license obligations.

Supply Chain Security: Verify component provenance.

Incident Response: Quickly identify affected software.
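The vulnerability-management and incident-response use cases above both come down to querying the component and dependency records an SBOM carries. The following added example (not code from the original page or from any SBOM tool) parses a constructed CycloneDX 1.5 JSON document, matches each component's PURL and version against a constructed advisory table, and then walks the dependency graph in reverse to find every component that transitively includes an affected library; the package names, versions and advisory entries are all invented sample data.

```python
import json


def comp(ctype, name, version, license_id):
    """Build one CycloneDX component entry; the PURL doubles as its bom-ref."""
    purl = f"pkg:maven/com.example/{name}@{version}"  # constructed PURL
    return {"type": ctype, "bom-ref": purl, "name": name, "version": version,
            "purl": purl, "licenses": [{"license": {"id": license_id}}]}


# Constructed CycloneDX 1.5 JSON document (sample data, not from a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [comp("application", "webapp", "3.0.0", "Apache-2.0"),
                   comp("library", "log-lib", "5.2.1", "MIT"),
                   comp("library", "json-util", "1.4.2", "GPL-3.0-only")],
    "dependencies": [
        {"ref": "pkg:maven/com.example/webapp@3.0.0",
         "dependsOn": ["pkg:maven/com.example/log-lib@5.2.1"]},
        {"ref": "pkg:maven/com.example/log-lib@5.2.1",
         "dependsOn": ["pkg:maven/com.example/json-util@1.4.2"]},
    ],
})

# Constructed advisory table: PURL without its version -> set of affected versions.
ADVISORIES = {"pkg:maven/com.example/json-util": {"1.4.1", "1.4.2"}}


def affected_components(sbom_text, advisories):
    """Vulnerability management: bom-refs whose PURL and version match an advisory.
    PURL qualifiers (?key=value) and subpaths are not handled in this example."""
    hits = []
    for c in json.loads(sbom_text).get("components", []):
        base, _, version = c.get("purl", "").rpartition("@")
        if version in advisories.get(base, ()):
            hits.append(c["bom-ref"])
    return hits


def dependents_of(sbom_text, target_ref):
    """Incident response: every bom-ref that includes target_ref, directly or transitively."""
    parents = {}  # child bom-ref -> set of bom-refs that depend on it
    for entry in json.loads(sbom_text).get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, set()).add(entry["ref"])
    found, queue = set(), [target_ref]
    while queue:  # walk the reverse dependency graph upward
        for parent in parents.get(queue.pop(), ()):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found
```

Running affected_components and feeding each hit into dependents_of yields the set of shipped applications that must be rebuilt or patched, which is the "quickly identify affected software" step of incident response.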

Generating SBOMs

Build-Time

  • Syft
  • Trivy
  • CycloneDX plugins

Source Analysis

  • Dependency-Track
  • FOSSA
  • Snyk

Regulatory Requirements

  • US Executive Order 14028
  • FDA guidance (medical devices)
  • NTIA minimum elements
  • EU Cyber Resilience Act