A comprehensive framework for tracking all components, dependencies, and supply chain elements across the full product lifecycle -- from silicon to software to service.
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of a product's software components and dependencies, with their versions, suppliers, and licenses. Because each component is identified precisely, an SBOM can be matched against vulnerability databases to find known vulnerabilities in what ships. U.S. Executive Order 14028 (May 2021) directed the federal government to require SBOMs from suppliers of software it procures.
XBOM extends SBOM by encompassing hardware components (HBOM), firmware dependencies (FWBOM), AI model lineage (AIBOM), service and API dependencies (SvcBOM), and supply chain provenance data. It creates a unified transparency framework across all product layers.
XBOM recognizes six component classes: binary artifacts, source packages, hardware modules, firmware images, trained models, and service endpoints. Each class has standardized metadata fields and vulnerability tracking requirements.
Software Bill of Materials (SBOM). Enumerates all software components, libraries, and dependencies in a product.
Format: SPDX, CycloneDX
Hardware Bill of Materials (HBOM). Tracks physical components, chip vendors, and manufacturing origins.
Scope: PCB, SoC, Module
AI Bill of Materials (AIBOM). Documents training data provenance, model architecture, and fine-tuning lineage.
Status: Emerging standard
Vulnerability Exploitability eXchange (VEX). Companion to SBOM indicating whether known vulnerabilities are exploitable in context.
Format: CSAF, CycloneDX
Service Bill of Materials (SvcBOM). Enumerates API dependencies, cloud services, and third-party integrations.
Scope: API, SaaS, IaaS
A machine-readable inventory listing all components within a software product, including open-source libraries, proprietary modules, and their transitive dependencies. SBOM generation can be performed at build time (source analysis) or post-build (binary analysis). Build-time generation captures the exact dependency set the build resolved; binary analysis approximates it from the shipped artifact and can miss vendored or statically linked code, so the two should be reconciled when both are available.
Standards: SPDX (ISO/IEC 5962:2021), CycloneDX (OWASP), SWID (ISO/IEC 19770-2)
A structured record of every physical component in a hardware product, from system-on-chip architectures to passive components. HBOM tracks manufacturer origin, part numbers, fabrication facilities, and component lifecycle status.
Key fields: MFR_ID, PART_NO, FAB_LOC, EOL_DATE
A companion document to an SBOM that states whether a known vulnerability in a component is actually exploitable in the context of the specific product. VEX reduces alert fatigue by distinguishing theoretical from practical risk, but a statement is only as good as its evidence: a Not Affected status must carry a justification (for example, the vulnerable code is not present or not reachable), and an unjustified one should be handled as Under Investigation rather than silently suppressed.
Statuses: Not Affected, Affected, Fixed, Under Investigation
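The following is an added example, not code from the page or from any SBOM tool, covering both the SBOM description above and the VEX section: it parses a CycloneDX 1.5 JSON document, walks the dependency graph from the root component to find the transitive set, and applies the VEX analysis embedded in the document's `vulnerabilities` array to leave only actionable findings. The SBOM itself is constructed for the example; its package names, versions, and vulnerability IDs (`EXAMPLE-000x`) are placeholders, not real packages or CVEs. The mapping from CycloneDX impact-analysis states to the four VEX statuses on this page, and the rule that an unjustified `not_affected` is demoted to Under Investigation, are this example's policy choices.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM with an embedded VEX section. Package names,
# versions and vulnerability IDs are placeholders, not real packages or CVEs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "example-app", "version": "2.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/example-web@3.1.0", "type": "library", "name": "example-web", "version": "3.1.0"},
        {"bom-ref": "pkg:pypi/example-json@1.4.2", "type": "library", "name": "example-json", "version": "1.4.2"},
        {"bom-ref": "pkg:pypi/example-crypto@0.9.0", "type": "library", "name": "example-crypto", "version": "0.9.0"},
        # Listed but never depended on: an orphan the graph walk will not reach.
        {"bom-ref": "pkg:pypi/example-unused@5.0.0", "type": "library", "name": "example-unused", "version": "5.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/example-web@3.1.0", "pkg:pypi/example-crypto@0.9.0"]},
        {"ref": "pkg:pypi/example-web@3.1.0", "dependsOn": ["pkg:pypi/example-json@1.4.2"]},
        {"ref": "pkg:pypi/example-json@1.4.2", "dependsOn": []},
        {"ref": "pkg:pypi/example-crypto@0.9.0", "dependsOn": []},
        {"ref": "pkg:pypi/example-unused@5.0.0", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:pypi/example-json@1.4.2"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:pypi/example-crypto@0.9.0"}],
         "analysis": {"state": "exploitable"}},
        # not_affected with no justification: the policy below refuses to trust it.
        {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:pypi/example-web@3.1.0"}],
         "analysis": {"state": "not_affected"}},
        # No analysis at all: nobody has looked yet.
        {"id": "EXAMPLE-0004", "affects": [{"ref": "pkg:pypi/example-unused@5.0.0"}]},
        {"id": "EXAMPLE-0005", "affects": [{"ref": "pkg:pypi/example-web@3.1.0"}],
         "analysis": {"state": "resolved"}},
    ],
})

# CycloneDX impact-analysis states mapped onto the four VEX statuses used on
# this page (this mapping is an assumption of the example).
CDX_STATE_TO_VEX = {
    "not_affected": "Not Affected", "false_positive": "Not Affected",
    "exploitable": "Affected",
    "resolved": "Fixed", "resolved_with_pedigree": "Fixed",
    "in_triage": "Under Investigation",
}


def load_sbom(text):
    """Parse CycloneDX JSON and reject dependency edges to unknown bom-refs."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    refs.add(sbom["metadata"]["component"]["bom-ref"])
    for dep in sbom.get("dependencies", []):
        for target in [dep["ref"], *dep.get("dependsOn", [])]:
            if target not in refs:
                raise ValueError(f"dependency graph references unknown bom-ref {target!r}")
    return sbom


def transitive_dependencies(sbom):
    """Breadth-first walk from the root component; returns {bom-ref: depth}."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:          # cycles and diamonds visited once
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def vex_status(vuln):
    """Translate one CycloneDX analysis block into a VEX status and a reason."""
    analysis = vuln.get("analysis") or {}
    state = analysis.get("state")
    if state is None:
        return "Under Investigation", "no VEX statement"
    if state == "not_affected" and not analysis.get("justification"):
        return "Under Investigation", "not_affected without justification, not trusted"
    if state not in CDX_STATE_TO_VEX:
        raise ValueError(f"unknown analysis state {state!r}")
    return CDX_STATE_TO_VEX[state], analysis.get("justification", "")


def triage(sbom):
    """One finding per (vulnerability, affected component), with VEX applied."""
    reachable = transitive_dependencies(sbom)
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        status, reason = vex_status(vuln)
        for target in vuln.get("affects", []):
            if target["ref"] not in known:
                raise ValueError(f"{vuln['id']} affects unknown bom-ref {target['ref']!r}")
            findings.append({"id": vuln["id"], "ref": target["ref"], "status": status,
                             "reason": reason, "reachable": target["ref"] in reachable,
                             "actionable": status in ("Affected", "Under Investigation")})
    return findings


def actionable_ids(sbom):
    """Sorted vulnerability IDs a human still has to look at."""
    return sorted({f["id"] for f in triage(sbom) if f["actionable"]})


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    for f in triage(doc):
        print(f"{f['id']:<13} {f['status']:<20} reachable={f['reachable']!s:<5} {f['ref']}  {f['reason']}")
    print("actionable:", actionable_ids(doc))
```

Of the five findings, only `EXAMPLE-0002` (exploitable), `EXAMPLE-0003` (unjustified not_affected) and `EXAMPLE-0004` (no statement) survive triage; the orphan component behind `EXAMPLE-0004` is also flagged as unreachable from the root, which usually means the SBOM and the build disagree and is worth its own follow-up.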
The documented origin and chain of custody for every component in a product. Provenance tracking enables organizations to verify that components have not been tampered with and that they originate from approved suppliers.
Mechanisms: in-toto attestations, SLSA framework, Sigstore signatures
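As an added example of the provenance check described above (this is not code from the page, from in-toto, SLSA, or Sigstore), the block below verifies a DSSE-wrapped in-toto Statement carrying a SLSA provenance v1 predicate: it checks the envelope signature over the DSSE pre-authentication encoding first, then that the downloaded artifact's SHA-256 appears in the statement's `subject`, then that the builder identity is on the consumer's allow-list. Assumptions: the builder list `TRUSTED_BUILDERS`, the `buildType` URI, the repository URI and the all-zero commit are placeholders, and an HMAC-SHA256 shared key stands in for the builder's signing key (in-toto and Sigstore use asymmetric keys or short-lived certificates; the envelope structure and check order are the same).

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Assumptions for this example: the consumer's allow-list of builders, and a
# shared HMAC key standing in for the builder's asymmetric signing key.
TRUSTED_BUILDERS = {"https://builder.example/ci@v1"}
BUILDER_KEY = b"constructed-builder-key-for-the-example"

# Constructed artifact; in practice this is the downloaded package or image.
ARTIFACT = b"constructed artifact contents\n"
ARTIFACT_NAME = "example-app-2.0.0.tar.gz"


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)


def make_statement(artifact, name, builder_id):
    """An in-toto Statement whose predicate is SLSA provenance v1."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example/build-types/generic@v1",  # assumption
                "externalParameters": {"ref": "refs/heads/main"},
                "resolvedDependencies": [
                    {"uri": "git+https://example.test/org/repo",   # placeholder repo
                     "digest": {"gitCommit": "0" * 40}},           # placeholder commit
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign_envelope(statement):
    """Wrap the statement in a DSSE envelope; the signature covers the PAE."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(BUILDER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key-1",
                            "sig": base64.b64encode(sig).decode()}]}


def replace_payload(envelope, statement):
    """Model an attacker who edits the statement but cannot re-sign it."""
    payload = base64.b64encode(json.dumps(statement, sort_keys=True).encode()).decode()
    return {**envelope, "payload": payload}


def verify_provenance(envelope, artifact, name):
    """Return (ok, reason). The signature is checked before anything in the
    payload is trusted; the digest and builder checks come after."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(BUILDER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return False, "signature invalid"
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "not a SLSA v1 provenance statement"
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", [])):
        return False, "artifact digest does not match any subject"
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        return False, f"untrusted builder {builder!r}"
    return True, "ok"


def provenance_inputs(envelope):
    """Source inputs the builder recorded, for linking the artifact back to its
    origin in the XBOM. Call only after verify_provenance has succeeded."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    deps = stmt["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    return [(d["uri"], d.get("digest", {})) for d in deps]


if __name__ == "__main__":
    good = sign_envelope(make_statement(ARTIFACT, ARTIFACT_NAME, "https://builder.example/ci@v1"))
    print("genuine:", verify_provenance(good, ARTIFACT, ARTIFACT_NAME))
    print("tampered artifact:", verify_provenance(good, ARTIFACT + b"\x00", ARTIFACT_NAME))
    rogue = sign_envelope(make_statement(ARTIFACT, ARTIFACT_NAME, "https://builder.example/laptop"))
    print("untrusted builder:", verify_provenance(rogue, ARTIFACT, ARTIFACT_NAME))
    forged = replace_payload(good, make_statement(ARTIFACT + b"\x00", ARTIFACT_NAME,
                                                  "https://builder.example/ci@v1"))
    print("edited statement:", verify_provenance(forged, ARTIFACT + b"\x00", ARTIFACT_NAME))
    print("inputs:", provenance_inputs(good))
```

The order of checks is the point: an unverified payload is attacker-controlled text, so the builder ID and subject digests inside it mean nothing until the signature holds, and a valid signature from a builder that is not on the allow-list is still a rejection.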
An emerging standard for documenting AI/ML model components, including training dataset provenance, model architecture, hyperparameters, fine-tuning history, and evaluation metrics. Critical for AI governance and regulatory compliance.
Tracks: DATASET_SRC, MODEL_ARCH, TRAIN_PARAMS, EVAL_METRICS