Open Study Platform

sbom.study

Master the Software Bill of Materials. From concept to compliance, one chapter at a time.


SBOM by the Numbers

Executive Order: EO 14028, the US cybersecurity mandate requiring SBOMs
Open Source Usage: share of codebases that contain open source components
Dependencies: average number of dependencies per modern application
Faster Response: speed-up in vulnerability remediation when SBOMs are available

Study Chapters

Chapter 01: What is an SBOM?

Understanding the Software Bill of Materials: a formal, machine-readable inventory of the components and dependencies that make up a piece of software.

Topics: Definition, History, Analogy

Chapter 02: SBOM Formats

Deep dive into CycloneDX, SPDX, and SWID tags: the three primary formats for expressing software composition.

Topics: CycloneDX, SPDX, SWID

Chapter 03: Generation Tools

Hands-on with Syft, Trivy, and other tools that automatically generate SBOMs from source code and container images, and how to run them in CI/CD.

Topics: Syft, Trivy, CI/CD

Chapter 04: Vulnerability Management

Using SBOMs to identify, track, and remediate vulnerabilities across the software supply chain, with VEX statements recording which findings are actually exploitable in your product and which are not.

Topics: CVE, VEX, Scanning

Chapter 05: Compliance and Policy

Navigate EO 14028, the EU Cyber Resilience Act, and FDA medical device requirements: understanding regulatory SBOM mandates.

Topics: EO 14028, CRA, FDA

Chapter 06: Supply Chain Security

From SolarWinds to Log4Shell: how SBOMs strengthen the software supply chain and enable rapid incident response, alongside SLSA provenance and Sigstore signing and attestation.

Topics: SLSA, Sigstore, Attestation

Quick Reference

SPDX

Linux Foundation standard, published as ISO/IEC 5962:2021. Focuses on licensing and compliance data, with rich metadata support.

CycloneDX

OWASP standard, also published as ECMA-424. Purpose-built for security analysis: supports components, services, vulnerabilities, and VEX data in the same document.

SWID Tags

ISO/IEC 19770-2. Software identification tags, best suited to tracking installed software and enterprise asset management.
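As an added worked example (not part of the sbom.study material or any tool it describes), the Python script below shows what "machine-readable inventory" means in practice for the CycloneDX format summarized above and used in the Vulnerability Management chapter. It parses a CycloneDX 1.5 JSON document, inverts its dependency graph so that each affected library can be traced back to the application that pulls it in, and reads the embedded VEX analysis state to separate findings that still need action from those the producer has marked not affected. The SBOM content, component names and VULN-* identifiers are constructed for illustration; the field names (bomFormat, specVersion, components, dependencies, vulnerabilities, analysis.state, analysis.justification) are the real CycloneDX ones.

```python
"""Triage a CycloneDX SBOM whose vulnerability records carry VEX analysis."""
import json
from collections import defaultdict

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for a hypothetical
# application. Component names, versions, bom-refs and vulnerability IDs are
# illustrative and do not refer to real packages or advisories.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "shop-web", "version": "2.3.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/com.example/web-core@1.4.0", "name": "web-core", "version": "1.4.0"},
    {"type": "library", "bom-ref": "pkg:maven/com.example/logging@2.14.1", "name": "logging", "version": "2.14.1"},
    {"type": "library", "bom-ref": "pkg:maven/com.example/json-parse@1.0.9", "name": "json-parse", "version": "1.0.9"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/com.example/web-core@1.4.0"]},
    {"ref": "pkg:maven/com.example/web-core@1.4.0",
     "dependsOn": ["pkg:maven/com.example/logging@2.14.1", "pkg:maven/com.example/json-parse@1.0.9"]}
  ],
  "vulnerabilities": [
    {"id": "VULN-0001", "affects": [{"ref": "pkg:maven/com.example/logging@2.14.1"}],
     "analysis": {"state": "exploitable", "response": ["update"]}},
    {"id": "VULN-0002", "affects": [{"ref": "pkg:maven/com.example/json-parse@1.0.9"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "VULN-0003", "affects": [{"ref": "pkg:maven/com.example/web-core@1.4.0"}]}
  ]
}"""

# VEX analysis states that still demand work from the consumer of the SBOM.
ACTIONABLE_STATES = {"exploitable", "in_triage"}


def load_sbom(text):
    """Parse a CycloneDX JSON document; reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def component_index(bom):
    """Map every bom-ref, including the root component, to its record."""
    root = bom.get("metadata", {}).get("component", {})
    comps = [root] + bom.get("components", [])
    return {c["bom-ref"]: c for c in comps if "bom-ref" in c}


def reverse_dependencies(bom):
    """Invert the dependency graph: child bom-ref -> set of parent bom-refs."""
    parents = defaultdict(set)
    for entry in bom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents[child].add(entry["ref"])
    return parents


def paths_to_root(bom_ref, parents, root_ref):
    """List every path (root first) by which the application pulls in bom_ref;
    the visited check keeps a malformed graph with cycles from recursing forever."""
    paths = []

    def walk(ref, path):
        if ref in path:
            return
        path = path + [ref]
        if ref == root_ref or ref not in parents:
            paths.append(path[::-1])
            return
        for parent in sorted(parents[ref]):
            walk(parent, path)

    walk(bom_ref, [])
    return paths


def triage(bom):
    """Join each vulnerability to the inventory, dependency graph and VEX state.
    A record with no analysis block is treated as "in_triage": the producer has
    not said whether it is exploitable, so the consumer still has to decide."""
    index, parents = component_index(bom), reverse_dependencies(bom)
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state", "in_triage")
        for affected in vuln.get("affects", []):
            ref = affected["ref"]
            comp = index.get(ref)
            findings.append({
                "id": vuln["id"],
                "component": f"{comp['name']}@{comp['version']}" if comp else ref,
                "state": state,
                "justification": analysis.get("justification"),
                "actionable": state in ACTIONABLE_STATES,
                "paths": paths_to_root(ref, parents, root_ref),
            })
    return findings


if __name__ == "__main__":
    for f in triage(load_sbom(SAMPLE_SBOM)):
        tag = "ACTION" if f["actionable"] else "ok    "
        via = " -> ".join(f["paths"][0]) if f["paths"] else "(unreferenced)"
        print(f"[{tag}] {f['id']:10} {f['component']:22} {f['state']:13} via {via}")
```

Two design points matter for real SBOM consumption. First, the dependency inversion is what turns "library X is vulnerable" into "your application reaches library X through web-core", which is the question an incident responder asks during a Log4Shell-style event. Second, the absence of a VEX analysis is deliberately not treated as "not affected": only an explicit not_affected state with a justification (here code_not_reachable) lets a finding drop out of the action list, while unanalyzed records stay in_triage until someone decides.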