Anatomy of a Software Bill of Materials
What lies beneath your software?
Every dependency tells a story. An SBOM is the complete inventory of every component, library, and module that makes up your software — a forensic map of the supply chain.
The surface data of an SBOM — the header fields that identify what you are looking at, like the label on a core sample jar.
How deep does it go? Each block is a package in the dependency tree — direct dependencies near the surface, transitive dependencies descending into the deep.
What are the rules? Each license type carries obligations, and each one means something different for your supply chain.
Permissive. You can use, modify, and distribute freely. Only requirement: include the original copyright notice and license text. Minimal risk for commercial use.
Permissive with patent grant. Includes an explicit patent license from contributors. Requires preservation of copyright, license, and NOTICE file. Safe for enterprise.
Copyleft. Any derivative work must also be licensed under GPL. Source code must be made available. High compliance risk for proprietary software. Requires legal review.
Permissive. Similar to MIT but with a non-endorsement clause — you cannot use the original author's name to promote derived products without permission. Low risk.
No license declared. This is the highest risk category. Without an explicit license, default copyright applies — you have no permission to use, modify, or distribute. Investigate immediately.
What lurks beneath? The deepest layer of the SBOM maps known vulnerabilities to their severity. The deeper you go, the more critical the findings.
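The three layers described above (dependency tree depth, license obligations per package, and vulnerabilities mapped to severity) can be read out of an SBOM mechanically. The following is an added example, not code from the page: it walks a small, constructed CycloneDX-style SBOM (made-up package names, licenses and placeholder vulnerability ids) and reports, for every package, how deep it sits below the root, which of the page's license-risk categories it falls into, and which vulnerability severities are mapped to it.

```python
# Added example (not part of the page): walk a small, constructed CycloneDX-style SBOM
# (made-up names, licenses and placeholder vulnerability ids) to get each package's depth
# in the dependency tree, its license-risk class and the vulnerabilities mapped to it.
from collections import deque
SBOM = {
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [
        {"bom-ref": "web", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "http", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "parser", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "util", "licenses": []},  # no license declared at all
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web"]},
        {"ref": "web", "dependsOn": ["http", "parser"]},
        {"ref": "http", "dependsOn": ["util"]},
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-1", "affects": [{"ref": "util"}], "ratings": [{"severity": "critical"}]},
        {"id": "PLACEHOLDER-VULN-2", "affects": [{"ref": "parser"}], "ratings": [{"severity": "medium"}]},
    ],
}
# Risk class per SPDX id, following the page's categories; ids not listed rank as "unknown".
LICENSE_RISK = {"MIT": "low", "BSD-3-Clause": "low", "Apache-2.0": "low", "GPL-3.0-only": "high"}
RANK = ["low", "unknown", "high", "undeclared"]  # ascending order of supply-chain risk

def depths(sbom):  # breadth-first from the root: depth 1 = direct, >1 = transitive
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    seen, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in seen:  # first visit is the shortest path from the root
                seen[child] = seen[ref] + 1
                queue.append(child)
    return {r: d for r, d in seen.items() if r != root}

def license_risk(component):
    ids = [lic["license"].get("id") for lic in component.get("licenses", [])]
    risks = [LICENSE_RISK.get(i, "unknown") for i in ids] or ["undeclared"]
    return max(risks, key=RANK.index)  # worst license wins; undeclared is worst of all

def report(sbom):  # per package: depth, license-risk class, mapped vulnerability severities
    depth, vulns = depths(sbom), {}
    for v in sbom.get("vulnerabilities", []):
        for hit in v["affects"]:
            vulns.setdefault(hit["ref"], []).append(v["ratings"][0]["severity"])
    return {c["bom-ref"]: {"depth": depth.get(c["bom-ref"]), "license_risk": license_risk(c),
                           "vulns": vulns.get(c["bom-ref"], [])} for c in sbom["components"]}
```

Note how the critical finding lands on `util`, three levels down and with no license declared: exactly the combination of deep transitive dependency and undeclared license the page singles out as the highest-risk case.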