The living encyclopedia of Software Bills of Materials
A formal, machine-readable inventory of software components and dependencies. Like a nutrition label for code — listing every ingredient that went into building your application.
SPDX 2.3 | CycloneDX 1.5

The tree structure mapping how each component relies on others. Direct dependencies branch into transitive dependencies, forming ecosystems hundreds of layers deep.
depth: 0..n | nodes: 1..∞

When a CVE is published, SBOMs let you instantly determine if your software contains the affected component. Response time drops from weeks to minutes.
CVE-2026-XXXX | CVSS 9.8

Every component carries a license — MIT, Apache-2.0, GPL-3.0, proprietary. SBOMs surface these obligations before they become legal liabilities, turning compliance from audit into architecture.
MIT | Apache-2.0 | GPL-3.0

Every application is an aquarium — hundreds of components swimming at different depths, each depending on currents of data flowing through the dependency tree.
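A worked example of the three ideas above (dependency tree, CVE triage, license surfacing) in one small Python script. This is an added illustration, not code from this site or from the SPDX or CycloneDX projects: it parses a constructed CycloneDX 1.5 JSON document, walks the dependency graph from the root application to find the depth and path of every component, and checks the components against a constructed advisory. The package names, versions and the advisory id (CVE-YYYY-NNNN) are placeholders, and the version comparison is a deliberately simple dotted-numeric one.

```python
"""Minimal SBOM triage: parse a CycloneDX 1.5 JSON document, rebuild the
dependency tree, and check whether an advisory's affected package appears
anywhere in it (directly or transitively). All data here is constructed."""
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM: a hypothetical app with one direct
# dependency (lib-a) that pulls in one transitive dependency (lib-b).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                              "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "lib-a", "type": "library", "name": "web-framework",
     "version": "2.4.1", "purl": "pkg:pypi/web-framework@2.4.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "lib-b", "type": "library", "name": "yaml-parser",
     "version": "5.3.0", "purl": "pkg:pypi/yaml-parser@5.3.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a"]},
    {"ref": "lib-a", "dependsOn": ["lib-b"]},
    {"ref": "lib-b", "dependsOn": []}
  ]
}
"""

# Constructed advisory with a placeholder id: yaml-parser on PyPI,
# every version strictly below 5.4.0 is affected.
ADVISORY = {"id": "CVE-YYYY-NNNN", "ecosystem": "pypi",
            "package": "yaml-parser", "fixed_in": "5.4.0"}


def parse_version(v):
    """'5.3.0' -> (5, 3, 0). Handles only plain dotted-numeric versions;
    real tooling should use the ecosystem's own version semantics."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn]})."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", []))
             for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_paths(root, graph):
    """Breadth-first walk from the root; {bom-ref: path of refs from root}.
    Depth of a node is len(path) - 1 (root is depth 0)."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def find_affected(sbom_text, advisory):
    """List of (bom-ref, version, depth, path) for components whose purl
    names the advisory's package and whose version is below fixed_in."""
    root, components, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    prefix = f"pkg:{advisory['ecosystem']}/{advisory['package']}@"
    hits = []
    for ref, comp in components.items():
        if not comp.get("purl", "").startswith(prefix):
            continue
        if parse_version(comp["version"]) < parse_version(advisory["fixed_in"]):
            path = paths.get(ref)  # None if the component is unreachable
            depth = len(path) - 1 if path else None
            hits.append((ref, comp["version"], depth, path))
    return hits


def license_ids(sbom_text):
    """Map each bom-ref to the SPDX license ids declared for it."""
    _, components, _ = load_sbom(sbom_text)
    return {ref: [l["license"]["id"] for l in comp.get("licenses", [])
                  if "license" in l and "id" in l["license"]]
            for ref, comp in components.items()}


if __name__ == "__main__":
    for ref, version, depth, path in find_affected(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: {ref}@{version} at depth {depth} "
              f"via {' -> '.join(path)}")
    for ref, ids in license_ids(SBOM_JSON).items():
        print(f"{ref}: {ids}")
```

The path returned for each hit is what turns "is it in there?" into "who pulled it in?": here the vulnerable parser is at depth 2, reachable only through the web framework, so the fix is an upgrade of (or a pin inside) that direct dependency rather than a change to the application's own manifest.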
Know your dependencies.
Map your ecosystem.
Understand what you ship.