sbom.wiki
THE CANOPY


The Field Guide to Software Supply Chains

What is an SBOM?

A Software Bill of Materials is a comprehensive inventory of every component, library, and dependency that makes up a piece of software. Think of it as the ingredient list for your application -- every package, every version, every license, laid bare for inspection.

Why SBOMs Matter

In a world where 90% of modern applications are built from open-source components, knowing what's inside your software is no longer optional. SBOMs enable vulnerability tracking, license compliance, and supply chain transparency at scale.

Who Uses SBOMs

From government agencies mandating transparency (Executive Order 14028) to enterprises managing risk across thousands of services, SBOMs serve developers, security teams, procurement officers, and auditors alike.

Dependency Trees

Every software project is a tree. The trunk is your application; the branches are direct dependencies; the roots spreading unseen underground are transitive dependencies -- sometimes hundreds deep.

my-app@1.0.0

Direct Dependencies

The packages you explicitly declare -- in your package.json, your requirements.txt, your Cargo.toml. You chose these. You're responsible for them.

express@4.18.2

Transitive Dependencies

The dependencies of your dependencies. You didn't choose them, but they ship with your software. A single npm install can pull in 1,000+ transitive packages.

lodash@4.17.21

Phantom Dependencies

Packages that your code uses but that aren't in your manifest -- resolved through hoisting or implicit peer dependencies. SBOMs catch what manifests miss.

debug@4.3.4
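The three categories above can be derived mechanically from what a lockfile records. The script below is an added example, not part of sbom.wiki: it walks a constructed npm-style resolved graph from the application root, labels each package as direct (chosen in the manifest, one hop from the root) or transitive (everything reached through them), flags phantom dependencies (names the application imports without declaring), and lists installed packages that no path from the root explains. The manifest, graph and import set are all constructed for illustration.

```python
# Added example (not from sbom.wiki): classify a resolved dependency graph
# of the kind a lockfile records into direct and transitive packages, and
# flag phantom dependencies (imported by the app but not declared).
# Every input below is constructed.
from collections import deque

# Constructed manifest: the direct dependencies the developer chose.
MANIFEST = {"express": "^4.18.2"}

# Constructed resolved graph: "name@version" -> the "name@version" refs it requires.
RESOLVED = {
    "my-app@1.0.0": ["express@4.18.2"],
    "express@4.18.2": ["debug@4.3.4", "body-parser@1.20.1"],
    "body-parser@1.20.1": ["debug@4.3.4"],
    "debug@4.3.4": ["ms@2.1.2"],
    "ms@2.1.2": [],
    # Present in node_modules (hoisted by an unrelated install) but unreachable from the app.
    "lodash@4.17.21": [],
}

# Constructed set of package names the application source actually imports.
IMPORTED_BY_APP = {"express", "lodash", "debug"}


def split_ref(ref):
    """'name@version' -> (name, version); rpartition keeps scoped names like '@scope/pkg' intact."""
    name, _, version = ref.rpartition("@")
    return name, version


def classify(root, resolved, manifest):
    """Breadth-first walk from the root; each reachable package gets
    ('direct' | 'transitive', shortest depth from the root)."""
    labels = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        ref, depth = queue.popleft()
        for child in resolved.get(ref, []):
            if child in seen:
                continue
            seen.add(child)
            name, _ = split_ref(child)
            # Direct only if it hangs off the root AND the manifest declares it;
            # a root edge to an undeclared package is itself a phantom symptom.
            kind = "direct" if depth == 0 and name in manifest else "transitive"
            labels[child] = (kind, depth + 1)
            queue.append((child, depth + 1))
    return labels


def phantoms(imported, manifest):
    """Imported but undeclared: these resolve only by accident of hoisting."""
    return sorted(imported - set(manifest))


def unreachable(root, resolved, labels):
    """Installed packages that no path from the root explains; an SBOM built
    from the manifest alone would miss them."""
    return sorted(set(resolved) - set(labels) - {root})


if __name__ == "__main__":
    labels = classify("my-app@1.0.0", RESOLVED, MANIFEST)
    for ref, (kind, depth) in sorted(labels.items(), key=lambda kv: kv[1][1]):
        print(f"{'  ' * depth}{ref}  [{kind}]")
    print("phantom:", phantoms(IMPORTED_BY_APP, MANIFEST))
    print("unreachable:", unreachable("my-app@1.0.0", RESOLVED, labels))
```

Note that `debug` appears twice in the graph (under `express` and under `body-parser`) but is recorded once at its shortest depth; an SBOM generator working from the lockfile sees it regardless of how many paths lead there, which is exactly why it catches the phantom import that the manifest does not.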

Vulnerabilities in the Supply Chain

Like parasites in an ecosystem, vulnerabilities spread through dependency chains. A single CVE in a deeply nested transitive dependency can compromise thousands of downstream projects -- as Log4Shell proved in December 2021.

CVE Tracking with SBOMs

When a vulnerability is disclosed, an SBOM lets you answer the critical question in minutes instead of weeks: "Are we affected?" Cross-reference your SBOM against CVE databases to instantly identify exposure.

CVE-2021-44228 -- Log4j <= 2.14.1

Software Composition Analysis

SCA tools consume SBOMs to continuously monitor your dependency graph for known vulnerabilities, license violations, and outdated components. The SBOM is the fuel; SCA is the engine.
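The "Are we affected?" lookup that the CVE Tracking and Software Composition Analysis sections describe reduces to matching each SBOM component's package identifier against advisory records and testing its version against the affected ranges. The following is an added example, not sbom.wiki's code or any SCA vendor's: it takes a constructed CycloneDX-style component list, a constructed advisory list in OSV-style introduced/fixed form, and reports every component that falls inside an affected range. The CVE-2021-44228 range (2.0-beta9 up to but excluding 2.15.0) matches the public advisory; the second advisory id is a placeholder. Version comparison is deliberately simplified (numeric dotted parts plus a pre-release suffix); real ecosystems have their own ordering rules (semver, PEP 440, Maven), which production scanners implement per ecosystem.

```python
# Added example (not sbom.wiki's code): cross-reference SBOM components
# against advisories carrying version ranges and report exposure.
# All components and advisories below are constructed for illustration.

# Constructed CycloneDX-style component list (two log4j-core versions on purpose).
SBOM_COMPONENTS = [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
]

# Constructed advisories, OSV-style events: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "ranges": [{"introduced": "2.0-beta9", "fixed": "2.15.0"}]},
    {"id": "EXAMPLE-ADV-0001",  # placeholder id, not a real advisory
     "package": "pkg:npm/express",
     "ranges": [{"introduced": "0", "fixed": "4.0.0"}]},
]


def parse_version(v):
    """Sortable key: numeric dotted parts padded to four places; a pre-release
    suffix ('-rc1', '-beta9') sorts before the release it precedes.
    Simplified on purpose; not a substitute for ecosystem-specific rules."""
    main, _, pre = v.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (4 - len(nums))
    return (tuple(nums[:4]), 0 if pre else 1, pre)


def in_range(version, rng):
    """True when introduced <= version < fixed (open-ended if no 'fixed')."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])


def package_of(purl):
    """Strip the version from a purl so it can be matched against an advisory.
    Assumes no qualifiers ('?...') follow the version, as in the sample data."""
    return purl.rsplit("@", 1)[0]


def find_exposure(components, advisories):
    """Return [(advisory id, purl)] for every component inside an affected range."""
    hits = []
    for comp in components:
        for adv in advisories:
            if package_of(comp["purl"]) != adv["package"]:
                continue
            if any(in_range(comp["version"], r) for r in adv["ranges"]):
                hits.append((adv["id"], comp["purl"]))
    return hits


if __name__ == "__main__":
    for adv_id, purl in find_exposure(SBOM_COMPONENTS, ADVISORIES):
        print(f"AFFECTED  {adv_id}  {purl}")
```

Keying the match on the package URL rather than on the bare component name is what keeps `log4j-core` from colliding with unrelated packages of the same name in other ecosystems; it is also why an SBOM without purls (or equivalent coordinates) is far less useful to an SCA engine than one with them.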

SPDX

The Software Package Data Exchange format, maintained by the Linux Foundation, is an ISO/IEC 5962:2021 international standard. SPDX provides a common language for communicating software component information, including licenses, copyrights, and security references.

SPDX-License-Identifier: MIT

CycloneDX

An OWASP standard designed for application security contexts. CycloneDX excels at describing complex component relationships, vulnerability data, and service dependencies in a lightweight JSON or XML format optimized for automation.

"bomFormat": "CycloneDX"

SWID Tags

Software Identification Tags (ISO/IEC 19770-2) are XML-based markers attached to installed software. Originally designed for IT asset management, SWID tags provide authoritative identity information that complements SBOM formats.

<SoftwareIdentity name="example">

Built on Bedrock

SBOMs as Foundation