sbom.wiki

The SBOM Encyclopedia

(Illustration: dependency graph with nodes app, express, react, lodash, zlib, qs.)

What Is an SBOM?

A Software Bill of Materials (SBOM) is a formal, machine-readable record of the components used in building a piece of software. Like a nutrition label for food, an SBOM provides transparency about what is inside the software you use, build, or purchase.

An SBOM typically includes component names, version numbers, suppliers, licenses, and dependency relationships. This information is critical for vulnerability management, license compliance, and supply chain security.

SBOM Formats

Two primary standards exist for expressing SBOMs:

SPDX

The Software Package Data Exchange format, maintained by the Linux Foundation and standardized as ISO/IEC 5962:2021. It has a strong focus on license compliance.

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0

CycloneDX

An OWASP standard designed for security contexts. Lightweight, supports VEX (Vulnerability Exploitability eXchange), and integrates with DevSecOps pipelines.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5"
}
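As an added example (not part of this page and not any project's own code), the following Python constructs a small CycloneDX 1.5 JSON SBOM for a hypothetical app using the package names from the graph above, then parses it, walks the dependency relationships, and flags references that name no declared component, the kind of completeness gap a scorecard tool reports. All versions, suppliers and licenses in it are constructed sample values.

```python
import json
from collections import deque

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for a hypothetical "app".
# Versions, supplier and licenses are made-up values; "zlib" is deliberately
# referenced in dependsOn without a matching component entry.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "express", "type": "library", "name": "express", "version": "4.18.2",
         "supplier": {"name": "example-supplier"}, "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "qs", "type": "library", "name": "qs", "version": "6.11.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "lodash", "type": "library", "name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["express", "lodash"]},
        {"ref": "express", "dependsOn": ["qs", "zlib"]},
    ],
})

def parse_sbom(text):
    """Return (components keyed by bom-ref, dependsOn edges keyed by ref)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = doc.get("metadata", {}).get("component")
    comps = {}
    for c in ([root] if root else []) + doc.get("components", []):
        comps[c["bom-ref"]] = {
            "name": c["name"], "version": c.get("version", ""),
            "supplier": c.get("supplier", {}).get("name"),
            "licenses": [l.get("license", {}).get("id", "?") for l in c.get("licenses", [])]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return comps, edges

def transitive_deps(edges, root):
    """All refs reachable from root via dependsOn (breadth-first, root excluded)."""
    seen, todo = set(), deque([root])
    while todo:
        for dep in edges.get(todo.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen

def dangling_refs(comps, edges):
    """Dependency refs with no component entry: the SBOM is incomplete."""
    return sorted({r for deps in edges.values() for r in deps if r not in comps})
```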

Component Types

SBOMs track several categories of software components:

SBOM Tooling

A growing ecosystem of tools supports SBOM generation, analysis, and management:

Syft: CLI tool for generating SBOMs from container images and filesystems.
Grype: Vulnerability scanner that works directly with SBOM data.
SBOM Scorecard: Quality assessment tool measuring SBOM completeness and accuracy.

Regulatory Landscape

Government mandates are accelerating SBOM adoption. The US Executive Order 14028 (2021) requires SBOMs for software sold to the federal government. The EU Cyber Resilience Act establishes similar requirements for the European market. SBOMs are transitioning from best practice to legal requirement.