The anatomy of software, component by component
The foundation layer. Every library, framework, and module that makes up your software. Each component has a name, a version, a supplier, and a unique identifier. The SBOM begins here: knowing what you have.
The legal layer. Each component carries license obligations — MIT, Apache-2.0, GPL-3.0. Understanding your license landscape is understanding your legal exposure. One incompatible license can cascade through the entire dependency tree.
The risk layer. Cross-reference each component against known vulnerability databases. CVEs, severity scores, exploitability assessments. The SBOM transforms from an inventory into a risk map.
The relationship layer. Components do not exist in isolation. They depend on each other, forming trees and graphs of trust. A vulnerability deep in a transitive dependency can surface in your application.
The trust layer. Where did this software come from? Who built it? Can you verify the chain of custody from source to artifact? Provenance answers the question: can you trust this component?
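To show how the foundation, legal, risk and relationship layers combine in practice, here is an added example (not from the original page) that walks a constructed, CycloneDX-like SBOM from the application root, cross-references each reachable component against a constructed vulnerability feed and a license policy, and reports the dependency path behind every finding. The component refs, field names and advisory id are assumptions, not real identifiers.

```python
# Added example, not from the original page: a small SBOM walker joining the
# foundation layer (components), legal and risk layers (license policy and a
# vulnerability lookup) and the relationship layer (the dependency graph).
# SBOM and feed are constructed sample data; the CycloneDX-like keys are assumptions.
import json
from collections import deque

SBOM_JSON = """{
  "components": [
    {"ref": "myapp@1.0.0", "name": "myapp", "version": "1.0.0", "license": "MIT"},
    {"ref": "webfw@2.3.1", "name": "webfw", "version": "2.3.1", "license": "Apache-2.0"},
    {"ref": "templating@0.9.0", "name": "templating", "version": "0.9.0", "license": "GPL-3.0"},
    {"ref": "logger@4.1.0", "name": "logger", "version": "4.1.0", "license": "MIT"}
  ],
  "dependencies": [
    {"ref": "myapp@1.0.0", "dependsOn": ["webfw@2.3.1"]},
    {"ref": "webfw@2.3.1", "dependsOn": ["templating@0.9.0", "logger@4.1.0"]}
  ]
}"""
# Constructed feed: (name, version) -> advisory id (placeholder, not a real CVE).
VULN_FEED = {("logger", "4.1.0"): "ADVISORY-PLACEHOLDER-1"}

def dependency_paths(edges, root):
    """Breadth-first walk; returns {ref: shortest path from root}, so a finding
    in a transitive dependency comes with the chain that pulls it in."""
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:            # also stops on cycles
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths

def risk_report(sbom_text, root, vuln_feed, forbidden_licenses):
    """Cross-reference every component reachable from root against the
    vulnerability feed and license policy; each finding carries its path."""
    doc = json.loads(sbom_text)
    comps = {c["ref"]: c for c in doc["components"]}
    edges = {d["ref"]: d["dependsOn"] for d in doc["dependencies"]}
    findings = []
    for ref, path in dependency_paths(edges, root).items():
        c, chain = comps[ref], " -> ".join(path)
        if (c["name"], c["version"]) in vuln_feed:
            findings.append(("vulnerability", vuln_feed[(c["name"], c["version"])], chain))
        if c["license"] in forbidden_licenses:
            findings.append(("license", c["license"], chain))
    return findings
```

Running `risk_report(SBOM_JSON, "myapp@1.0.0", VULN_FEED, {"GPL-3.0"})` surfaces both a GPL-3.0 component and a vulnerable logger that the application never imports directly, each with the chain through `webfw` that pulls it in.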