Software Bill of Materials

From sbom.wiki, the free SBOM encyclopedia

Software Bill of Materials
Abbreviation	SBOM
Type	Software supply chain artifact
Primary standards	SPDX, CycloneDX, SWID
Governing bodies	NTIA, Linux Foundation, OWASP
Relevant regulation	EO 14028, EU CRA
First formalized	2018 (NTIA process)
Latest standard	SPDX 2.3 (2022), CycloneDX 1.6

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of the components, libraries, and modules required to build a piece of software — along with their versions, licensing information, and supply chain relationships. Analogous to a bill of materials in manufacturing, an SBOM provides a transparency artifact that enables organizations to understand, manage, and communicate the software composition of their products.^[1]

SBOMs have emerged as a critical tool in software supply chain security, accelerated by high-profile vulnerabilities such as the SolarWinds attack and Log4Shell. Regulatory mandates, including US Executive Order 14028 and the EU Cyber Resilience Act, have made SBOMs a compliance requirement for software vendors supplying to government and regulated sectors.^[2]

Definition [edit]

The National Telecommunications and Information Administration (NTIA) defines an SBOM as a "formal record containing the details and supply chain relationships of various components used in building software."^[3] This definition encompasses three key attributes:

Completeness — the inventory should identify all third-party and open-source components, as well as transitive dependencies.
Machine-readability — SBOMs should be consumable by automated tooling, enabling integration into CI/CD pipelines and vulnerability scanning workflows.
Supply chain relationships — component provenance, including supplier, version, and licensing metadata, must be captured.

The NTIA identified a minimum viable SBOM consisting of seven data fields: supplier name, component name, version of the component, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp.^[4]

1.1 Core Components [edit]

An SBOM typically records the following data for each software component:

Field	Description	Required (NTIA)
`Supplier`	Name of the entity that creates, defines, or identifies the component	Yes
`Component Name`	Designation of the unit within the supplier's naming convention	Yes
`Version`	Identifier used by the supplier, conforming to semver or supplier scheme	Yes
`Unique Identifier`	Other identifiers used to identify the component, such as CPE, PURL	Yes
`Dependency Relationship`	Characterizing the relationship that an upstream component X is included in software Y	Yes
`Author`	Name of the entity creating the SBOM data for this component	Yes
`Timestamp`	Record of the date and time the SBOM data was assembled	Yes

History [edit]

The concept of SBOMs evolved from practices in the software composition analysis (SCA) community, which had long advocated for component transparency in software supply chains.

2.1 NTIA Initiative (2018–2021) [edit]

In 2018, the NTIA launched a multistakeholder process on software transparency, convening government agencies, industry representatives, and academics to develop SBOM frameworks. The process produced a series of framing documents defining the minimum elements and use cases for SBOMs.

2.2 Executive Order 14028 (2021) [edit]

Following the SolarWinds supply chain attack and subsequent high-profile incidents, US President Biden signed Executive Order 14028 in May 2021, mandating that software vendors providing software to federal agencies must provide SBOMs. This represented the first national-level regulatory requirement for SBOMs.^[5]

2.3 EU Cyber Resilience Act (2022–2024) [edit]

The European Union's Cyber Resilience Act, proposed in 2022 and finalized in 2024, includes provisions requiring manufacturers of products with digital elements to maintain SBOMs and make them available to market surveillance authorities. This extended SBOM requirements beyond the US federal market to any vendor selling digital products in the EU.^[6]

Formats [edit]

Three primary SBOM formats are in widespread use. Each format targets different use cases and ecosystems, though interoperability between them is an active area of standardization.

All three formats capture the core SBOM data fields mandated by NTIA, but differ in their serialization formats, extensibility, and primary use cases. The Linux Foundation's OpenChain project and CISA have published guidance on format selection and interoperability.

Format	Governing Body	ISO Standard	Serializations	Primary Use
SPDX	Linux Foundation	ISO/IEC 5962:2021	TV, JSON, YAML, RDF, XML	License compliance, supply chain
CycloneDX	OWASP	—	XML, JSON, Protobuf	Security, vulnerability management
SWID	ISO/IEC JTC 1/SC 7	ISO/IEC 19770-2:2015	XML	Asset management, inventory

SPDX (Software Package Data Exchange) is an open standard developed within the Linux Foundation for communicating software bill of material information. Originally focused on license compliance, SPDX has expanded to cover security and dependency data. SPDX 2.3, released in 2022, added support for Package URL (PURL) identifiers and security-related fields.

SPDX became an ISO standard (ISO/IEC 5962:2021) in 2021, lending it additional credibility in regulated industries. An SPDX document is structured around packages, files, and snippets, with relationships defined between these elements.

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.com/sbom/example-1.0

PackageName: example-lib
SPDXID: SPDXRef-Package
PackageVersion: 1.0.0
PackageDownloadLocation: https://github.com/example/lib
FilesAnalyzed: false
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:lib:1.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:npm/example-lib@1.0.0

CycloneDX is an OWASP project designed with a security-first perspective. It supports a broader range of artifact types beyond software packages, including containers, firmware, machine learning models, and entire systems. CycloneDX 1.5 introduced support for Bill of Vulnerabilities (BOV) and Vulnerability Disclosure Report (VDR) formats.

CycloneDX uses a component model where each component has a type attribute (library, framework, container, device, etc.) and supports rich metadata including evidence fields for documenting how component information was determined.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-15T12:00:00Z",
    "tools": [{"vendor": "Syft", "name": "syft", "version": "0.100.0"}]
  },
  "components": [{
    "type": "library",
    "name": "example-lib",
    "version": "1.0.0",
    "purl": "pkg:npm/example-lib@1.0.0",
    "licenses": [{"license": {"id": "MIT"}}]
  }]
}

SWID Tags (Software Identification Tags, ISO/IEC 19770-2) are an XML-based standard primarily designed for software asset management (SAM) and IT asset inventory scenarios. Unlike SPDX and CycloneDX, SWID tags are typically embedded in or distributed with software products, acting as digital labels.

SWID tags define three types: primary tags (installed software), patch tags (software patches), and corpus tags (software installation media). NIST SP 800-193 recommends using SWID tags for firmware component identification.

Regulations and Mandates [edit]

SBOM adoption has been significantly accelerated by government regulations, particularly in the United States and the European Union.

4.1 United States [edit]

Executive Order 14028 (Improving the Nation's Cybersecurity, May 2021) directed the National Institute of Standards and Technology (NIST) to issue guidance on software supply chain security, which explicitly included SBOMs as a required element. The Office of Management and Budget (OMB) subsequently issued memorandum M-22-18, requiring agencies to obtain SBOMs from software vendors.^[5]

The Cybersecurity and Infrastructure Security Agency (CISA) has published SBOM Sharing Lifecycle Reports and maintains the SBOM-a-Rama community forum to advance SBOM practices.

4.2 European Union [edit]

The EU Cyber Resilience Act (CRA, Regulation 2024/2847) requires manufacturers of products with digital elements to maintain SBOMs and provide them to market surveillance authorities upon request. The CRA applies to any product with digital elements placed on the EU market, regardless of where it is manufactured.^[6]

Use Cases [edit]

The NTIA identified several primary use cases for SBOMs, which define the requirements and workflows that SBOM tooling must support.

When a new vulnerability (CVE) is disclosed, organizations with SBOMs can immediately query their inventory to determine which products contain the affected component and version. This reduces the mean time to identify (MTTI) affected systems from days or weeks to minutes.

SBOM-driven vulnerability management integrates with NVD and other vulnerability databases via component identifiers such as CPE (Common Platform Enumeration) and PURL (Package URL).

Open-source license compliance requires organizations to fulfill the obligations of every license governing each component in their software. SBOMs provide the inventory necessary to identify all applicable licenses and generate compliance artifacts (notices files, source distribution, etc.).

During a security incident, SBOMs accelerate forensic analysis by providing a precise inventory of what was running at a given time. Version-pinned SBOMs enable comparison of pre- and post-incident states to identify unauthorized modifications.

Procurement teams can use SBOMs to evaluate the risk profile of third-party software before purchase or integration. Analysis of the SBOM identifies known-vulnerable components, license obligations, and supply chain depth.

Tools and Ecosystem [edit]

A broad ecosystem of open-source and commercial tools supports SBOM generation, analysis, and distribution.

6.1 Generation Tools [edit]

Syft — Anchore's open-source SBOM generator supporting container images, filesystems, and packages. Outputs SPDX and CycloneDX.
cdxgen — OWASP's CycloneDX generator supporting 20+ languages and package managers.
SPDX Tools — Reference implementation tooling from the Linux Foundation for creating and validating SPDX documents.
Trivy — Aqua Security's scanner that generates SBOMs alongside vulnerability reports.
Microsoft SBOM Tool — Microsoft's open-source SBOM generation tool integrated with Azure DevOps.

6.2 Analysis and Consumption [edit]

Grype — Anchore's vulnerability scanner that consumes SBOMs to identify known vulnerabilities.
GUAC (Graph for Understanding Artifact Composition) — Google/OpenSSF project for aggregating and querying software supply chain metadata.
Dependency-Track — OWASP's continuous component analysis platform for consuming and monitoring SBOMs.

References [edit]

^{^} NTIA, Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM), 2019.
^{^} CISA, Software Bill of Materials (SBOM), 2023. cisa.gov
^{^} NTIA, The Minimum Elements For a Software Bill of Materials (SBOM), July 2021.
^{^} ibid., Section 2: Baseline SBOM Attributes.
^{^} White House, Executive Order on Improving the Nation's Cybersecurity, EO 14028, May 12, 2021.
^{^} European Parliament, Regulation (EU) 2024/2847 of the European Parliament and of the Council (Cyber Resilience Act), October 2024.