sbom.study

What Is an SBOM?

A Software Bill of Materials is the manifest of everything a piece of software is made from. It is, in its simplest description, a list. But what a list it is. Every library you imported, every transitive dependency those libraries quietly carried with them, every version number pinned or floating, every license governing what you may and may not do with the code someone else wrote and gave to the world.

Think of it as the ingredient label on the back of every application you have ever used. Except this ingredient label runs thousands of lines long, references components maintained by strangers on different continents, and changes every time someone somewhere pushes an update to a package you never knew you depended on.

The SBOM makes visible what was always there but never seen. It turns the implicit into the explicit, the assumed into the documented. In doing so, it reveals the extraordinary web of trust that underpins every piece of modern software — a web as intricate and fragile as any garden ecosystem.

lodash v4.17.21 (license: MIT)

A modern JavaScript utility library delivering modularity, performance, and extras.

openssl v3.1.4 (license: Apache-2.0)

Cryptography and SSL/TLS toolkit. The quiet guardian at the gate of every encrypted connection.

zlib v1.3.1 (license: Zlib)

A compression library. Invisible, ubiquitous, and older than most developers using it.

The Dependency Garden

my-app v2.1.0
react v18.2.0
express v4.18.2
pg v8.11.3
scheduler v0.23.0
react-dom v18.2.0
body-parser v1.20.2
pg-pool v3.6.1
pg-protocol v1.6.0

We build our cathedrals on foundations we have never inspected, maintained by people we have never met, governed by licenses we have never read.

The average modern application carries hundreds, sometimes thousands, of dependencies. Each dependency is a relationship of trust. Trust that the maintainer will continue to care. Trust that the code does what it claims. Trust that no one has slipped something malicious into the supply chain while we were sleeping.

In 2021, the Log4Shell vulnerability revealed that a single transitive dependency could compromise systems across the entire internet. Most organizations did not even know they were running Log4j.

An SBOM would have told them. Not because it prevents vulnerabilities, but because it makes the invisible visible. It is the act of looking — truly looking — at what your software is made of. And in that looking, there is both humility and power.
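The Dependency Garden above and the Log4Shell point can both be made concrete. The following is an added example, not code from sbom.study: it builds a minimal CycloneDX-style SBOM for the garden's packages and then asks it the two questions an SBOM exists to answer, "do we ship this component at all?" and "through which dependency path did it get in?". The parent-to-child edges are an assumption read off the page's layout (the real react, express and pg packages pull in more transitive dependencies than are listed), the MIT license on every component is a constructed placeholder, and the version range queried at the end is illustrative, not a real advisory.

```python
"""Added example: build a minimal CycloneDX-style SBOM from the dependency
tree shown on the page, then ask it the two questions an SBOM exists to
answer: "is component X in here at all?" and "through which path did it
get in?"

Everything below is constructed for illustration. The parent->child edges
are an ASSUMPTION read off the page's layout; the real react, express and
pg packages pull in more transitive dependencies than are listed here.
"""
import json

# Constructed dependency tree: (name, version) -> direct dependencies.
TREE = {
    ("my-app", "2.1.0"): [("react", "18.2.0"), ("react-dom", "18.2.0"),
                          ("express", "4.18.2"), ("pg", "8.11.3")],
    ("react", "18.2.0"): [("scheduler", "0.23.0")],
    ("react-dom", "18.2.0"): [("scheduler", "0.23.0")],   # shared transitive dep
    ("express", "4.18.2"): [("body-parser", "1.20.2")],
    ("pg", "8.11.3"): [("pg-pool", "3.6.1"), ("pg-protocol", "1.6.0")],
}
ROOT = ("my-app", "2.1.0")
ASSUMED_LICENSE = "MIT"   # constructed; a real SBOM takes this from package metadata


def purl(name, version):
    """Package URL: the stable identifier an SBOM uses to name a component."""
    return f"pkg:npm/{name}@{version}"


def build_sbom(tree, root):
    """Walk the tree once and emit CycloneDX 'components' and 'dependencies'.
    A package reached by several paths (scheduler) is listed once; the
    dependency graph, not the component list, records where it came from."""
    components, dependencies, seen = [], [], set()

    def visit(node):
        ref = purl(*node)
        if ref in seen:
            return
        seen.add(ref)
        children = tree.get(node, [])
        dependencies.append({"ref": ref, "dependsOn": [purl(*c) for c in children]})
        if node != root:
            components.append({
                "type": "library", "bom-ref": ref,
                "name": node[0], "version": node[1], "purl": ref,
                "licenses": [{"license": {"id": ASSUMED_LICENSE}}],
            })
        for child in children:
            visit(child)

    visit(root)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": purl(*root),
                                   "name": root[0], "version": root[1]}},
        "components": components,
        "dependencies": dependencies,
    }


def dependency_paths(sbom, name):
    """Every root-to-component path ending at a component called `name`.
    An empty list answers the Log4Shell question: the component is not shipped."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    found = []

    def walk(ref, path):
        path = path + [ref]
        if names.get(ref) == name:
            found.append(path)
        for child in edges.get(ref, []):
            if child not in path:          # guard against dependency cycles
                walk(child, path)

    walk(sbom["metadata"]["component"]["bom-ref"], [])
    return found


def parse_version(v):
    """'1.20.2' -> (1, 20, 2); enough for the dotted-numeric versions used here."""
    return tuple(int(part) for part in v.split("."))


def affected_components(sbom, name, introduced, fixed):
    """purls of components named `name` whose version is in [introduced, fixed).
    This is how an SBOM is matched against an advisory's affected range."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return [c["bom-ref"] for c in sbom["components"]
            if c["name"] == name and lo <= parse_version(c["version"]) < hi]


if __name__ == "__main__":
    sbom = build_sbom(TREE, ROOT)
    print(json.dumps(sbom, indent=2))
    for path in dependency_paths(sbom, "scheduler"):
        print(" -> ".join(path))
    # Illustrative range only, not a real advisory for scheduler.
    print(affected_components(sbom, "scheduler", "0.0.0", "0.24.0"))
```

Two design points carry over to real SBOMs: a shared transitive package is listed once in `components` but may have several entries pointing at it in `dependencies`, so "where did this come from?" is a graph walk, not a list lookup; and matching against an advisory is a comparison of the component's recorded version against the advisory's affected range, which only works when the SBOM records exact resolved versions rather than the floating ranges a manifest declares.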

The Executive Order on Improving the Nation's Cybersecurity (2021) now requires SBOMs for software sold to the federal government. The garden is being mapped.