SBOM

The complete reference for Software Bill of Materials

Overview

A Software Bill of Materials (SBOM) is a formal, machine-readable record of the components that make up a piece of software (libraries, packages, container layers) and of the supply chain relationships between them: who supplied each component, which version it is, and which other components depend on it. Because it is machine-readable, an SBOM can be produced at build time, exchanged with customers and regulators, and matched automatically against vulnerability databases.

SBOMs have become a critical component of software security practices, enabling organizations to track dependencies, identify vulnerabilities, and ensure license compliance across their software portfolio.

Figure: example dependency tree for an Application built from Lib A v2.1, Lib B v1.4, Lib C v3.0 and Dep D v0.9.

Formats

SPDX (ISO/IEC 5962:2021)

Software Package Data Exchange. A Linux Foundation project and ISO standard for communicating SBOM information including components, licenses, copyrights, and security references (external references such as CPE identifiers, Package URLs and advisory links). Components are SPDX elements joined by typed relationships such as DESCRIBES and DEPENDS_ON.

Serializations: JSON, XML, RDF, YAML, tag-value

CycloneDX (OWASP)

A lightweight SBOM standard designed for security contexts. Besides components and a dependency graph keyed by bom-ref, a CycloneDX document can carry vulnerability data and exploitability analysis (the basis of CycloneDX VEX), services, and formulation data describing how the software was built.

Serializations: JSON, XML, Protocol Buffers

SWID Tags (ISO/IEC 19770-2)

Software Identification Tags. An ISO standard primarily used for software asset management and identification at the installation level: a tag names an installed product (name, version, tag creator, unique tag ID) rather than describing its internal composition, so SWID tag IDs are more often consumed as component identifiers inside SPDX or CycloneDX documents than as a stand-alone SBOM format.

Serialization: XML
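SPDX and CycloneDX carry the same core information under different names, so conversion between them comes up whenever a supplier ships one and a consumer's tooling expects the other. The following Python code is an added example, not code from this page, from the SPDX project or from OWASP CycloneDX. It maps a constructed SPDX 2.3 JSON document to CycloneDX 1.5 JSON: the package the document DESCRIBES becomes metadata.component, the remaining packages become components (with the purl reused as bom-ref when one exists), SPDX checksum algorithm names are renamed to the CycloneDX hash enum, and DEPENDS_ON relationships become the dependencies graph. The sample document, package names (lib-a, dep-d), purls and checksum values are placeholders constructed for the example.

```python
import json

# Constructed sample SPDX 2.3 JSON document (not a real project): an application
# that depends on Lib A, which in turn depends on Dep D. Names, purls and the
# checksum value are placeholders.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.0.0",
    "creationInfo": {"created": "2024-01-15T10:00:00Z",
                     "creators": ["Tool: example-generator-0.1", "Organization: Example Corp"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-Package-lib-a", "name": "lib-a", "versionInfo": "2.1.0",
         "supplier": "Organization: Lib A Maintainers", "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "a1" * 32}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/lib-a@2.1.0"}]},
        {"SPDXID": "SPDXRef-Package-dep-d", "name": "dep-d", "versionInfo": "0.9.0",
         "supplier": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/dep-d@0.9.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib-a"},
        {"spdxElementId": "SPDXRef-Package-lib-a", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-dep-d"},
    ],
}

# SPDX checksum algorithm names differ from the CycloneDX hash algorithm enum.
HASH_ALG = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}


def purl_of(pkg):
    """Return the Package URL recorded in the package's externalRefs, or None."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def to_component(pkg, ctype="library"):
    """Map one SPDX package to a CycloneDX component. The purl doubles as bom-ref
    when present, so VEX documents and scanners can match on it directly."""
    purl = purl_of(pkg)
    comp = {"type": ctype, "bom-ref": purl or pkg["SPDXID"], "name": pkg["name"]}
    if pkg.get("versionInfo"):
        comp["version"] = pkg["versionInfo"]
    supplier = pkg.get("supplier", "NOASSERTION")  # "Organization: X" / "Person: X (email)"
    if supplier != "NOASSERTION":
        comp["supplier"] = {"name": supplier.split(":", 1)[1].strip()}
    if purl:
        comp["purl"] = purl
    if pkg.get("licenseConcluded") not in (None, "NOASSERTION", "NONE"):
        comp["licenses"] = [{"license": {"id": pkg["licenseConcluded"]}}]
    hashes = [{"alg": HASH_ALG[c["algorithm"]], "content": c["checksumValue"]}
              for c in pkg.get("checksums", []) if c["algorithm"] in HASH_ALG]
    if hashes:
        comp["hashes"] = hashes
    return comp


def spdx_to_cyclonedx(spdx):
    """Convert an SPDX 2.x JSON document to a CycloneDX 1.5 JSON BOM."""
    pkgs = {p["SPDXID"]: p for p in spdx.get("packages", [])}
    rels = spdx.get("relationships", [])
    # The package the document DESCRIBES is the product: CycloneDX metadata.component.
    roots = [r["relatedSpdxElement"] for r in rels
             if r["spdxElementId"] == spdx["SPDXID"] and r["relationshipType"] == "DESCRIBES"]
    if len(roots) != 1:
        raise ValueError("expected exactly one DESCRIBES relationship from the document")
    comps = {sid: to_component(p, "application" if sid == roots[0] else "library")
             for sid, p in pkgs.items()}
    # DEPENDS_ON edges become the CycloneDX dependency graph, keyed by bom-ref.
    deps = {}
    for r in rels:
        if (r["relationshipType"] == "DEPENDS_ON"
                and r["spdxElementId"] in comps and r["relatedSpdxElement"] in comps):
            src = comps[r["spdxElementId"]]["bom-ref"]
            deps.setdefault(src, []).append(comps[r["relatedSpdxElement"]]["bom-ref"])
    creators = spdx["creationInfo"]["creators"]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": spdx["creationInfo"]["created"],
            "tools": [{"name": c.split(":", 1)[1].strip()} for c in creators if c.startswith("Tool:")],
            "authors": [{"name": c.split(":", 1)[1].strip()} for c in creators if not c.startswith("Tool:")],
            "component": comps[roots[0]],
        },
        "components": [c for sid, c in comps.items() if sid != roots[0]],
        "dependencies": [{"ref": ref, "dependsOn": sorted(t)} for ref, t in deps.items()],
    }


if __name__ == "__main__":
    print(json.dumps(spdx_to_cyclonedx(SPDX_DOC), indent=2))
```

Two details matter for downstream security tooling: dep-d has no supplier in the SPDX source (NOASSERTION), and the converter deliberately omits the supplier rather than inventing one, so a later minimum-elements check will flag it; and a package that lacks a purl falls back to its SPDXID as bom-ref, which still keeps the graph consistent but will not match VEX statements written against Package URLs.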
Minimum Elements

The NTIA defines minimum elements that an SBOM must contain to be useful. The data fields below are one of the document's three areas; the other two are automation support (the SBOM must be machine-readable in SPDX, CycloneDX or SWID) and practices and processes (how often it is generated, how deep the dependency tree goes, how it is distributed). These baseline fields ensure interoperability and provide a foundation for vulnerability management and license compliance: without a supplier, a version and a unique identifier, a component cannot be matched reliably against vulnerability data.

Data field                Status
Supplier Name             Required
Component Name            Required
Version of the Component  Required
Other Unique Identifiers  Required (for example a Package URL, CPE or SWID tag ID)
Dependency Relationship   Required
Author of SBOM Data       Required
Timestamp                 Required
Hash / Checksum           Recommended
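Checking an SBOM against these fields is easy to automate before accepting it from a supplier or publishing it from a pipeline. The Python code below is an added example written for this page (not NTIA tooling or part of CycloneDX). It walks a constructed CycloneDX 1.5 JSON BOM and reports, per component, which required fields are absent and whether the recommended hash is present; the author and timestamp fields are checked at document level. The mapping from NTIA fields to CycloneDX properties (supplier.name, name, version, purl/cpe/swid, the dependencies graph, metadata.authors or metadata.tools, metadata.timestamp) is the author's reading of the two documents, and treating "appears in no dependency entry at all" as a missing dependency relationship is a heuristic chosen for the example. The sample BOM, with lib-b deliberately incomplete, is constructed.

```python
from datetime import datetime

# Constructed CycloneDX 1.5 JSON BOM (not from a real project). lib-b is
# deliberately incomplete: no supplier, no purl/cpe/swid, no hash, and it is
# absent from the dependency graph, so the check has something to report.
BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "Example Corp Security Team"}],
        "component": {"type": "application", "bom-ref": "pkg:generic/example-app@1.0.0",
                      "name": "example-app", "version": "1.0.0",
                      "purl": "pkg:generic/example-app@1.0.0",
                      "supplier": {"name": "Example Corp"},
                      "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/lib-a@2.1.0", "name": "lib-a", "version": "2.1.0",
         "supplier": {"name": "Lib A Maintainers"}, "purl": "pkg:pypi/lib-a@2.1.0",
         "hashes": [{"alg": "SHA-256", "content": "a1" * 32}]},
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "1.4"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@1.0.0", "dependsOn": ["pkg:pypi/lib-a@2.1.0"]},
    ],
}

# CycloneDX properties that satisfy the NTIA "other unique identifiers" field.
ID_FIELDS = ("purl", "cpe", "swid")


def check_component(comp, graph_refs):
    """Return (missing_required, missing_recommended) for one component.
    graph_refs is the set of bom-refs that appear anywhere in the dependency graph."""
    required, recommended = [], []
    if not comp.get("supplier", {}).get("name"):
        required.append("supplier name")
    if not comp.get("name"):
        required.append("component name")
    if not comp.get("version"):
        required.append("version")
    if not any(comp.get(f) for f in ID_FIELDS):
        required.append("unique identifier (purl/cpe/swid)")
    # Heuristic: a component that appears in no dependency entry has no recorded
    # relationship to anything else in the SBOM.
    if comp.get("bom-ref") not in graph_refs:
        required.append("dependency relationship")
    if not comp.get("hashes"):
        recommended.append("hash")
    return required, recommended


def check_ntia_minimum(bom):
    """Check a CycloneDX JSON BOM against the NTIA minimum data fields.
    Document-level gaps (author, timestamp) go in findings["document"]; per-component
    gaps are keyed by bom-ref; findings["passes"] is True when nothing required is missing."""
    findings = {"document": [], "components": {}}
    meta = bom.get("metadata", {})
    # Author of SBOM data: CycloneDX records people in metadata.authors and generators in metadata.tools.
    if not (meta.get("authors") or meta.get("tools")):
        findings["document"].append("author of SBOM data")
    try:
        datetime.fromisoformat(meta["timestamp"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        findings["document"].append("timestamp")
    graph_refs = set()
    for dep in bom.get("dependencies", []):
        graph_refs.add(dep["ref"])
        graph_refs.update(dep.get("dependsOn", []))
    # The described product (metadata.component) is held to the same fields as its parts.
    comps = ([meta["component"]] if meta.get("component") else []) + list(bom.get("components", []))
    for comp in comps:
        req, rec = check_component(comp, graph_refs)
        if req or rec:
            findings["components"][comp.get("bom-ref") or comp.get("name")] = {
                "required": req, "recommended": rec}
    findings["passes"] = not findings["document"] and not any(
        v["required"] for v in findings["components"].values())
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(check_ntia_minimum(BOM), indent=2))
```

Run against the sample, the check passes example-app and lib-a and reports lib-b as missing a supplier name, a unique identifier and a dependency relationship (required) plus a hash (recommended), so the document as a whole fails. A gate like this belongs at the point where an SBOM enters the organization, not only where it leaves, since a consumer cannot match a component without these fields.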

Tools & Generation

Syft (build-time)

CLI tool and library for generating SBOMs from container images, filesystems and source directories; it emits SPDX and CycloneDX in their JSON and other serializations.

Grype (analysis)

Vulnerability scanner for container images and filesystems that also accepts a Syft-generated SBOM as input, so a stored SBOM can be rescanned whenever new vulnerability data is published without re-analysing the original artifact.

Trivy (build-time)

Comprehensive security scanner that generates SBOMs (SPDX and CycloneDX) and finds vulnerabilities, misconfigurations and exposed secrets in container images, filesystems and repositories; it can also scan an existing SBOM as input.

SPDX Tools (standard)

Official tooling for creating, validating, and converting SPDX documents between the standard's serializations.

Glossary

SBOM
Software Bill of Materials -- a machine-readable inventory of software components and their relationships.
SCA
Software Composition Analysis -- automated identification of the open-source and third-party components in a codebase or artifact, together with their known vulnerabilities and licenses.
CVE
Common Vulnerabilities and Exposures -- standardized identifiers (CVE-YYYY-NNNNN) for publicly disclosed security vulnerabilities.
PURL
Package URL -- a standardized scheme (pkg:type/namespace/name@version) for identifying software packages across ecosystems; the usual unique identifier in SBOMs.
NTIA
National Telecommunications and Information Administration -- the US agency that defined the minimum SBOM elements.
VEX
Vulnerability Exploitability eXchange -- a document in which a supplier states whether a product is affected by a given vulnerability (for example not affected, affected, fixed or under investigation) and why, so that SBOM consumers can separate actionable findings from noise.
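An SBOM on its own tells a scanner which components are present; a VEX tells the consumer which of the resulting findings actually matter. As an added example (not from this page, from any scanner vendor or from the CycloneDX project), the Python code below reconciles a constructed list of scanner findings with a constructed CycloneDX 1.5 VEX document. A statement is applied only to the exact (vulnerability id, purl) pair it names, so a verdict about Lib A does not silence the same identifier reported against Lib C, and a not_affected verdict without a justification is ignored by default (a policy choice for this example, not a requirement of the specification). The identifiers EXAMPLE-000x are placeholders, not real CVEs, and the findings, packages and analysis text are all constructed.

```python
# Constructed scanner findings, reduced to what a VEX statement is matched on:
# vulnerability id and the purl of the affected component. The ids are
# placeholders (EXAMPLE-*), not real CVEs; the packages follow the page's
# Lib A / Lib C / Dep D example.
FINDINGS = [
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/lib-a@2.1.0", "severity": "High"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/lib-a@2.1.0", "severity": "Critical"},
    {"id": "EXAMPLE-0003", "purl": "pkg:pypi/dep-d@0.9.0", "severity": "Medium"},
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/lib-c@3.0.0", "severity": "High"},
]

# Constructed CycloneDX 1.5 VEX document. Each statement is scoped by affects[].ref
# to a specific component; analysis.state carries the supplier's verdict.
VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:pypi/lib-a@2.1.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "the vulnerable parser is never invoked by example-app"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:pypi/lib-a@2.1.0"}],
         "analysis": {"state": "in_triage"}},
        {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:pypi/dep-d@0.9.0"}],
         "analysis": {"state": "false_positive",
                      "detail": "scanner matched on version string; fix is backported in this build"}},
    ],
}

# CycloneDX analysis states under which a finding is not actionable for the consumer.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved"}


def index_vex(vex):
    """Map (vulnerability id, affected bom-ref/purl) -> analysis dict."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index


def apply_vex(findings, vex, require_justification=True):
    """Split findings into (actionable, suppressed) using VEX statements.
    A statement applies only to the exact (id, purl) pair it names. With
    require_justification (this example's policy, not a spec rule) a not_affected
    verdict that carries no justification is ignored and the finding stays actionable."""
    index = index_vex(vex)
    actionable, suppressed = [], []
    for finding in findings:
        analysis = index.get((finding["id"], finding["purl"]), {})
        state = analysis.get("state")
        justified = (state != "not_affected" or not require_justification
                     or bool(analysis.get("justification")))
        if state in SUPPRESSING_STATES and justified:
            suppressed.append({**finding, "vex_state": state,
                               "vex_justification": analysis.get("justification"),
                               "vex_detail": analysis.get("detail")})
        else:
            actionable.append({**finding, "vex_state": state or "no_statement"})
    return actionable, suppressed


if __name__ == "__main__":
    actionable, suppressed = apply_vex(FINDINGS, VEX)
    for f in actionable:
        print(f"ACT  {f['id']:14} {f['purl']:26} {f['severity']:9} {f['vex_state']}")
    for f in suppressed:
        reason = f["vex_justification"] or f["vex_detail"]
        print(f"SKIP {f['id']:14} {f['purl']:26} {f['severity']:9} {f['vex_state']} ({reason})")
```

On the sample, EXAMPLE-0001 against lib-a and EXAMPLE-0003 against dep-d are suppressed with their recorded reasons, EXAMPLE-0002 stays actionable because in_triage is not a verdict, and EXAMPLE-0001 against lib-c stays actionable because no statement covers that component. Keeping the suppressed list (rather than discarding it) preserves an audit trail of which supplier assertions the organization chose to trust.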