What Is an SBOM?
A Software Bill of Materials is a formal, machine-readable inventory of all components, libraries, and dependencies that make up a piece of software. Think of it as an ingredient label for code.
A fragment of a JSON SBOM looks like this:
    "name": "my-app", "version": "1.0.0",
    "components": [{ "type": "library", ... }]
Why Does It Matter?
Modern software is 80-90% open-source components. Without an SBOM, you cannot know your exposure to vulnerabilities. The Log4Shell crisis proved that most organizations had no idea where Log4j lived in their stack.
SBOM Formats
Two dominant formats have emerged for expressing SBOMs in machine-readable form.
SPDX
Linux Foundation standard, published as ISO/IEC 5962:2021. Focus on license compliance.
CycloneDX
OWASP standard. Lightweight, security-focused. Supports VEX attestations.
Building Daily Practice
Automate SBOM generation into every build pipeline. Continuous monitoring turns a static document into a living security practice. Start studying, and start building transparency.
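As an added example (not part of the original page or any project's code), here is the kind of check that continuous monitoring runs after each build: parse a CycloneDX-style SBOM, walk every component including nested ones, and compare versions against an advisory feed. The SBOM, the advisory record and its version range are constructed sample data; the Log4Shell label and range are illustrative placeholders, not an authoritative vulnerability record.

```python
import json
import re

# Constructed CycloneDX-style SBOM (sample input, not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "my-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4",
     "components": [{"type": "library", "group": "com.fasterxml.jackson.core",
                     "name": "jackson-core", "version": "2.13.4"}]}
  ]
}"""

# Constructed advisory feed: (group, name, introduced, fixed, label).
# The range is illustrative sample data, not an authoritative record.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "Log4Shell (constructed record)"),
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1). Assumption: a pre-release suffix such as
    '-beta9' is ignored, so only the leading digits of each dot-part count."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in v.split("."))

def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for c in components:
        yield c
        yield from walk_components(c.get("components", []))

def find_affected(sbom_text, advisories):
    """Return [(name, version, label)] for components whose version falls in
    [introduced, fixed) for a matching advisory."""
    sbom = json.loads(sbom_text)
    hits = []
    for c in walk_components(sbom.get("components", [])):
        for group, name, introduced, fixed, label in advisories:
            if c.get("group") == group and c.get("name") == name:
                v = parse_version(c.get("version", "0"))
                if parse_version(introduced) <= v < parse_version(fixed):
                    hits.append((name, c["version"], label))
    return hits

if __name__ == "__main__":
    for name, version, label in find_affected(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED: {name}@{version} -> {label}")
```

Wiring this into the pipeline means storing each build's SBOM and re-running the comparison whenever the advisory feed changes, which is what turns the document into a living practice.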