lodash@4.17.21 MIT
openssl@3.0.2 Apache-2.0
log4j@2.17.1 Apache-2.0
react@18.2.0 MIT
zlib@1.2.13 Zlib
express@4.18.2 MIT

sbom.study

What's really inside the software you trust?

[Animated dependency graph of my-app@1.0.0; nodes shown: express@4.18.2, react@18.2.0, webpack@5.88.0, body-parser@1.20, cookie@0.5.0, scheduler@0.23, react-dom@18.2, terser@5.19.0, acorn@8.10.0, bytes@3.1.2, raw-body@2.5.1, source-map@0.8, commander@2.20]

The Invisible Stack

Every modern application is an iceberg. The code you write sits above the waterline — a thin layer atop hundreds, sometimes thousands, of transitive dependencies you never directly chose. Libraries depend on libraries that depend on libraries. Your "simple" web server pulls in 847 packages. Each one is a decision someone else made, a supply chain you inherited.

Supplier Apache Foundation
Component log4j-core
Version 2.17.1
Hash (SHA-256) 3fa2cb...5434
License Apache-2.0

Reading the Manifest

An SBOM (Software Bill of Materials) is a structured, machine-readable inventory that lists every component in a piece of software: who supplied it, which version it is, the cryptographic hash of the artifact, its license, and, in a complete SBOM, which components depend on which. Think of it as a nutrition label for code. The two widely used formats are CycloneDX and SPDX; the excerpt below is CycloneDX JSON.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "log4j-core",
      "version": "2.17.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
      "supplier": {
        "name": "Apache Software Foundation"
      },
      "hashes": [{
        "alg": "SHA-256",
        "content": "3fa2cb543454..."
      }],
      "licenses": [{
        "license": {
          "id": "Apache-2.0"
        }
      }]
    }
  ]
}
[Dependency-chain graphic: production-app, auth-service@2.1, static-ui@1.0.3, jwt-lib@3.4.0, session@1.2.0, crypto-rng@0.9, with crypto-rng@0.9 flagged CVE-2024-1234]

The Vulnerability Chain

A single vulnerable dependency doesn't stay contained. Like a crack propagating through glass, a vulnerability in crypto-rng@0.9 flows upward: through jwt-lib, through auth-service, until your entire production application inherits the risk. An SBOM does not list vulnerabilities itself; it lists components and, crucially, the dependency relationships between them. Match the component identifiers against a vulnerability database, then walk the dependency graph upward from the affected package, and the chain becomes visible before it becomes an incident. Whether the vulnerable code is actually reachable in your deployment is a separate question, which is what a VEX (Vulnerability Exploitability eXchange) statement is meant to answer.
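The two operations described in "Reading the Manifest" and "The Vulnerability Chain", parsing the manifest and tracing a vulnerable component up to the products that inherit it, in working form. This is an added example written for this page, not code from sbom.study or from any SBOM tool. The CycloneDX document is constructed inline from the page's illustrative names (production-app, auth-service, jwt-lib, session, static-ui, crypto-rng); the full semver versions, the simple name@version bom-refs, and the extra session-to-crypto-rng edge are assumptions so that the walk produces more than one path. The artifact bytes for the hash check are a constructed stand-in for a package archive.

```python
import hashlib
import json
from collections import defaultdict

# Constructed stand-in for the crypto-rng package archive. Its real SHA-256
# is embedded in the sample BOM below, so verify_hash() checks a true digest.
CRYPTO_RNG_ARTIFACT = b"crypto-rng-0.9.0 (constructed stand-in for a package archive)\n"

# Constructed CycloneDX 1.4 document. The `dependencies` section is what makes
# the upward walk possible; a BOM that omits it is only a flat component list.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "production-app@1.0.0",
                      "name": "production-app", "version": "1.0.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "auth-service@2.1.0", "name": "auth-service", "version": "2.1.0"},
        {"type": "library", "bom-ref": "static-ui@1.0.3", "name": "static-ui", "version": "1.0.3"},
        {"type": "library", "bom-ref": "jwt-lib@3.4.0", "name": "jwt-lib", "version": "3.4.0"},
        {"type": "library", "bom-ref": "session@1.2.0", "name": "session", "version": "1.2.0"},
        {"type": "library", "bom-ref": "crypto-rng@0.9.0", "name": "crypto-rng", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(CRYPTO_RNG_ARTIFACT).hexdigest()}]},
    ],
    "dependencies": [
        {"ref": "production-app@1.0.0", "dependsOn": ["auth-service@2.1.0", "static-ui@1.0.3"]},
        {"ref": "auth-service@2.1.0", "dependsOn": ["jwt-lib@3.4.0", "session@1.2.0"]},
        {"ref": "jwt-lib@3.4.0", "dependsOn": ["crypto-rng@0.9.0"]},
        {"ref": "session@1.2.0", "dependsOn": ["crypto-rng@0.9.0"]},  # assumed edge
        {"ref": "static-ui@1.0.3", "dependsOn": []},
        {"ref": "crypto-rng@0.9.0", "dependsOn": []},
    ],
})


def load_bom(text):
    """Parse a CycloneDX JSON document and refuse anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def components_by_ref(bom):
    """Map bom-ref -> component, including the root product from metadata."""
    comps = {}
    root = bom.get("metadata", {}).get("component")
    if root:
        comps[root["bom-ref"]] = root
    for c in bom.get("components", []):
        comps[c["bom-ref"]] = c
    return comps


def reverse_dependencies(bom):
    """Invert the dependencies graph: child ref -> set of refs that depend on it."""
    parents = defaultdict(set)
    for entry in bom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents[child].add(entry["ref"])
    return parents


def impact_paths(bom, vulnerable_ref):
    """Every path from a top-level component down to vulnerable_ref, root first.

    Walks parents upward until a component nobody depends on is reached.
    A ref already on the current trail is skipped so a malformed BOM with a
    dependency cycle cannot recurse forever.
    """
    parents = reverse_dependencies(bom)
    paths = []

    def climb(ref, trail):
        if ref in trail:
            return
        trail = [ref] + trail
        ups = parents.get(ref, set())
        if not ups:
            paths.append(trail)
            return
        for up in sorted(ups):
            climb(up, trail)

    climb(vulnerable_ref, [])
    return paths


def verify_hash(component, data):
    """True only if data matches the SHA-256 the SBOM records for the component.

    A component with no SHA-256 entry is reported as unverified (False), never
    as verified: a missing hash is a gap in the inventory, not a pass.
    """
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return hashlib.sha256(data).hexdigest() == h["content"].lower()
    return False


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    comps = components_by_ref(bom)
    for path in impact_paths(bom, "crypto-rng@0.9.0"):
        print(" -> ".join(f'{comps[r]["name"]}@{comps[r]["version"]}' for r in path))
    print("artifact matches SBOM hash:", verify_hash(comps["crypto-rng@0.9.0"], CRYPTO_RNG_ARTIFACT))
```

Run it and the two chains production-app -> auth-service -> jwt-lib -> crypto-rng and production-app -> auth-service -> session -> crypto-rng come out, which is the "flows upward" picture from the text expressed as a graph query. In a real pipeline the vulnerable ref comes from matching each component's purl against a vulnerability feed; the walk itself does not change.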


Every component has a story.
An SBOM tells it.