Exposing the hidden anatomy of software
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency that makes up a piece of software, including the transitive dependencies that no one on the team chose directly. Like a geological cross-section reveals the layered history of the earth, an SBOM reveals the layered construction of code: every stratum visible, every dependency traced to its supplier, version, and hash.
package: openssl@3.1.4
license: Apache-2.0
supplier: OpenSSL Project
hash: sha256:a3f2c...
In December 2021, the Log4Shell vulnerability (CVE-2021-44228, unauthenticated remote code execution in Apache Log4j 2) showed how a single dependency, often pulled in transitively several layers below anything a team had chosen to depend on, could compromise systems worldwide. The first question every incident team had to answer was simply "do we ship log4j-core, and which version?" Without an SBOM, organizations could not answer it and had to grep archives and container images by hand. Transparency isn't optional; it's the bedrock of supply chain security.
Modern SBOM formats like SPDX (standardized as ISO/IEC 5962:2021) and CycloneDX provide structured, interoperable descriptions of software composition, including the dependency relationships between components, not just a flat list. Executive Order 14028 (May 2021) directed U.S. federal agencies to require SBOMs from the vendors they buy software from, with NTIA defining the minimum elements (supplier, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp), transforming transparency from best practice into a procurement requirement.
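The Log4Shell question above ("do we ship log4j-core, and how did it get there?") is exactly what a dependency-aware SBOM format answers. The following script is an added example, not code from the original page: it parses a small CycloneDX 1.4 JSON document, checks every component against an advisory list, and walks the "dependencies" graph to show the path from the application to each affected component. The SBOM content, the service and library names other than log4j-core, and the advisory table are all constructed for illustration; a real pipeline would load the SBOM from a file and pull advisories from a vulnerability database. CVE-2021-44228 and its fix in log4j-core 2.15.0 are real.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical "shop-service".
# Everything except log4j-core (group, name, version, purl) is invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "bom-ref": "app",
                  "name": "shop-service", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "http", "name": "acme-http-client",
     "version": "3.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "log", "name": "acme-logging",
     "version": "1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "ssl", "name": "openssl", "version": "3.1.4",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["http", "ssl"]},
    {"ref": "http",  "dependsOn": ["log"]},
    {"ref": "log",   "dependsOn": ["log4j"]},
    {"ref": "log4j", "dependsOn": []},
    {"ref": "ssl",   "dependsOn": []}
  ]
}
"""

# Constructed advisory table: (group, name, first fixed version, advisory id).
# In practice this comes from a vulnerability database, not a literal.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.15.0", "CVE-2021-44228"),
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) for ordering; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn refs]})."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in bom["components"]}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def find_vulnerable(components):
    """Match each component against the advisory table by group, name and version."""
    hits = []
    for ref, comp in components.items():
        for group, name, fixed, advisory in ADVISORIES:
            if (comp.get("group") == group and comp.get("name") == name
                    and parse_version(comp["version"]) < parse_version(fixed)):
                hits.append((ref, advisory))
    return hits


def dependency_path(graph, root, target):
    """Breadth-first search from the root; returns the shortest ref path or None."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(text):
    """Report each affected component with its depth and path from the application."""
    root, components, graph = load_sbom(text)
    report = []
    for ref, advisory in find_vulnerable(components):
        path = dependency_path(graph, root, ref) or [ref]
        names = [f'{components[r]["name"]}@{components[r]["version"]}' for r in path]
        report.append({"advisory": advisory, "component": names[-1],
                       "depth": len(path) - 1, "path": " -> ".join(names)})
    return report


if __name__ == "__main__":
    for finding in audit(SBOM_JSON):
        print(f'{finding["advisory"]}: {finding["component"]} '
              f'at depth {finding["depth"]} via {finding["path"]}')
```

Run as-is, it reports CVE-2021-44228 against log4j-core@2.14.1 at depth 3, reached through acme-http-client and acme-logging, which is precisely the "buried three layers deep" situation: neither of those libraries is named log4j, so a flat grep of the application's own dependency list would not have found it. The version comparison is deliberately simple (dotted numeric tuples); Maven, npm and distro packages each have their own ordering rules, and a production check should use the ecosystem-appropriate comparator.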
Every layer of software tells a story. Every dependency carries a history. Study the strata. Understand what you ship.
$ sbom generate --format spdx .