A complete record of every component your software is made of -- rendered transparent, like sunlight through water.
Where did this code come from? Provenance traces every component back to its source -- the author, the repository, the build pipeline that produced it.
Known weaknesses catalogued by CVE identifiers. An SBOM lets you instantly check whether any component in your software carries a known vulnerability.
Every component carries legal terms. MIT, Apache-2.0, GPL-3.0 -- each encodes a different philosophy of sharing and obligation.
The components your software relies on. Direct dependencies are the ones you chose. Transitive dependencies are the ones they chose -- a chain of trust extending into the deep.
Cryptographic hashes ensure that what you received is exactly what was published. No tampering. No substitution. The digital equivalent of an unbroken seal.
SBOMs follow standard formats -- SPDX and CycloneDX are the two dominant standards, each with its own structure and emphasis.
The two dominant SBOM standards each bring their own perspective to the problem of software transparency.
SPDX (Software Package Data Exchange) originated in the open-source licensing community. It excels at capturing license relationships and provenance metadata.
CycloneDX emerged from the security community. It prioritizes vulnerability tracking, component risk scoring, and integration with security tooling.
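What consuming one of these documents actually looks like, as an added illustration (example code written for this page, not sbom.wiki tooling or code from either standards body): a small Python consumer of a CycloneDX JSON document that separates direct from transitive dependencies, verifies SHA-256 hashes of received artifacts against the recorded ones, lists license identifiers, and matches components against a vulnerability list. The document, the component names, versions, purls, artifact bytes and advisory identifiers are all constructed for the example; only the field names (bomFormat, components, bom-ref, hashes, dependencies/dependsOn) follow the CycloneDX schema.

```python
"""Minimal CycloneDX SBOM consumer (illustrative example, not sbom.wiki code)."""
import hashlib
import hmac
import json

# Constructed "published" artifact bytes, i.e. what the publisher signed off on.
# The SBOM's hashes are computed from these so the example is self-consistent.
PUBLISHED = {
    "pkg:pypi/webfw@2.3.1": b"webfw 2.3.1 wheel contents (constructed)",
    "pkg:pypi/jsonlib@0.9.0": b"jsonlib 0.9.0 wheel contents (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX 1.5 document: application "shop" directly depends on
# "webfw", which in turn pulls in "jsonlib" (a transitive dependency).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "pkg:generic/shop@1.0.0",
                               "name": "shop", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/webfw@2.3.1", "name": "webfw",
         "version": "2.3.1", "purl": "pkg:pypi/webfw@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(PUBLISHED["pkg:pypi/webfw@2.3.1"])}]},
        {"type": "library", "bom-ref": "pkg:pypi/jsonlib@0.9.0", "name": "jsonlib",
         "version": "0.9.0", "purl": "pkg:pypi/jsonlib@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(PUBLISHED["pkg:pypi/jsonlib@0.9.0"])}]},
    ],
    "dependencies": [
        {"ref": "pkg:generic/shop@1.0.0", "dependsOn": ["pkg:pypi/webfw@2.3.1"]},
        {"ref": "pkg:pypi/webfw@2.3.1", "dependsOn": ["pkg:pypi/jsonlib@0.9.0"]},
        {"ref": "pkg:pypi/jsonlib@0.9.0", "dependsOn": []},
    ],
})

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "CVE-0000-00001 (placeholder)", "name": "jsonlib", "fixed_in": "1.0.0"},
    {"id": "CVE-0000-00002 (placeholder)", "name": "webfw", "fixed_in": "2.0.0"},  # already fixed
]

# What we actually downloaded: webfw is intact, jsonlib was altered in transit.
RECEIVED = dict(PUBLISHED)
RECEIVED["pkg:pypi/jsonlib@0.9.0"] = b"jsonlib 0.9.0 wheel contents (constructed, tampered)"


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def dependency_layers(sbom: dict) -> tuple[set[str], set[str]]:
    """Split components into direct (chosen by us) and transitive (chosen by them)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    direct = set(graph.get(root, []))
    transitive, frontier = set(), list(direct)
    while frontier:  # breadth-first walk below the direct layer
        for child in graph.get(frontier.pop(), []):
            if child not in direct and child not in transitive:
                transitive.add(child)
                frontier.append(child)
    return direct, transitive


def verify_hashes(sbom: dict, received: dict[str, bytes]) -> dict[str, bool]:
    """Compare SHA-256 of each received artifact with the hash the SBOM recorded."""
    results = {}
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        if ref not in received or "SHA-256" not in recorded:
            results[ref] = False  # missing artifact or no hash to check: fail closed
            continue
        results[ref] = hmac.compare_digest(recorded["SHA-256"], sha256_hex(received[ref]))
    return results


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def match_advisories(sbom: dict, advisories: list[dict]) -> list[tuple[str, str]]:
    """Return (bom-ref, advisory id) for components whose version predates the fix."""
    return [(c["bom-ref"], a["id"]) for c in sbom["components"] for a in advisories
            if c["name"] == a["name"] and parse_version(c["version"]) < parse_version(a["fixed_in"])]


def license_inventory(sbom: dict) -> dict[str, list[str]]:
    """Map each component to the SPDX license identifiers it declares."""
    return {c["bom-ref"]: [lic["license"]["id"] for lic in c.get("licenses", []) if "license" in lic]
            for c in sbom["components"]}


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    direct, transitive = dependency_layers(sbom)
    print("direct:", sorted(direct), "transitive:", sorted(transitive))
    print("hash checks:", verify_hashes(sbom, RECEIVED))
    print("licenses:", license_inventory(sbom))
    print("vulnerable:", match_advisories(sbom, ADVISORIES))
```

Running it flags the tampered jsonlib artifact as a hash mismatch and reports it as affected by the placeholder advisory, while webfw passes both checks; the `dependencies` graph, not the flat component list, is what tells you jsonlib is something your dependency chose rather than you.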
SBOMs do not exist in isolation. They are part of a growing ecosystem of supply chain transparency tools: VEX documents that communicate vulnerability exploitability, CSAF advisories that provide machine-readable security guidance, and provenance attestations that cryptographically verify build origins.
Together, these standards form a comprehensive language for understanding what software is made of, where it came from, and whether it can be trusted.
Software transparency is not a destination. It is a practice -- an ongoing commitment to understanding the hidden ecosystems within the code we build and depend upon.
sbom.wiki