Core Concept

What is an SBOM?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of software components and dependencies within a software product. It describes the supply chain relationships between components used in building software, providing transparency into the composition of code.

Foundational

Standard

SPDX Format

Software Package Data Exchange (SPDX) is an open standard maintained by the Linux Foundation for communicating SBOM information including component provenance, licensing, and security references. SPDX supports RDF, JSON, YAML, XML, and tag-value formats.

ISO/IEC 5962:2021

Standard

CycloneDX

CycloneDX is a lightweight SBOM standard designed for use in application security contexts and supply chain component analysis. It originated in the OWASP community and supports BOM types for software, hardware, services, and cryptographic assets.

OWASP Foundation

Policy

Executive Order 14028

Signed May 2021, this U.S. executive order on Improving the Nation's Cybersecurity mandated SBOM adoption for software sold to the federal government. It directed NTIA to publish minimum elements for SBOMs and catalyzed industry-wide adoption efforts.

U.S. Government

Process

SBOM Generation

SBOMs can be generated through build-time instrumentation, source code analysis, or binary analysis. Build-time generation captures the most accurate dependency information directly from package managers, compilers, and build systems during the software creation process.

Tooling

Security

Vulnerability Correlation

SBOMs enable automated vulnerability tracking by mapping component identifiers (CPE, PURL) against vulnerability databases such as the NVD. When a new CVE is published, organizations can quickly determine which of their products contain the affected component.

CVE / NVD

Ecosystem

Supply Chain Security

Modern software comprises 70-90% open source components. SBOMs bring transparency to complex dependency chains, enabling organizations to assess risk, ensure license compliance, and respond rapidly to incidents such as Log4Shell, where the vulnerable component is often buried deep in a tree of transitive dependencies.

Risk Management

Specification

Minimum Elements

The NTIA defines baseline SBOM attributes: supplier name, component name, version, unique identifiers, dependency relationships, author of the SBOM, and timestamp. These minimum elements ensure interoperability across tools and organizations.

NTIA Guidelines

Tooling

Generation Tools

Popular SBOM generation tools include Syft, Trivy, cdxgen, and Microsoft SBOM Tool. These tools analyze package manifests, container images, and file systems to produce SBOMs in SPDX or CycloneDX formats, integrating into CI/CD pipelines.

Open Source

Concept

VEX Statements

Vulnerability Exploitability eXchange (VEX) documents complement SBOMs by communicating whether a product is affected by a specific vulnerability. VEX allows vendors to assert status: not affected, affected, fixed, or under investigation.

CISA Framework

Compliance

License Management

SBOMs enumerate the licenses of all included components, enabling legal teams to verify compliance with open source obligations. Automated license scanning cross-references SBOM data against organizational policies to flag copyleft or restrictive licenses.

Legal & Governance

Architecture

SBOM Sharing

SBOMs can be distributed alongside software releases, hosted in dedicated repositories, or exchanged through APIs. Standards like SBOM Exchange API and platforms like Dependency-Track facilitate automated ingestion, storage, and querying of SBOM data at scale.

Distribution