Software Bill of Materials (SBOM)
What is Software Bill of Materials (SBOM)?
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of the components, libraries, and dependencies that make up a piece of software, along with their versions and relationships.
An SBOM is to software what an ingredient list is to packaged food. It enumerates open-source and proprietary components, transitive dependencies, versions, suppliers, licenses, and often cryptographic hashes, and it identifies each component with a stable coordinate such as a Package URL (purl) or CPE so that tooling can match it automatically. Common standards include CycloneDX (an OWASP project), SPDX (Linux Foundation, standardised as ISO/IEC 5962), and SWID tags (ISO/IEC 19770-2). SBOMs enable vulnerability management (mapping CVEs and CISA KEV entries to deployed software), license compliance, incident response (rapidly answering "are we affected by Log4Shell?"), and procurement due diligence. Regulation and guidance - notably US Executive Order 14028, the EU Cyber Resilience Act, and ENISA publications - increasingly require SBOMs for software supplied to government or critical-sector buyers. Modern programs generate SBOMs automatically in CI/CD and sign or attest them alongside builds. Two caveats matter in practice: an SBOM derived only from a lockfile at build time can differ from what is actually shipped (vendored, bundled, or container-layer components are easy to miss), and a component without a precise identifier cannot be matched to advisories reliably, so generation tooling should be validated against the final artifact.
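As an added example, not code from this page or from any SBOM project, the Python below parses a small constructed CycloneDX 1.5 JSON document and matches each component's Package URL against a constructed, deliberately simplified advisory feed to answer the "are we affected by Log4Shell?" question from the definition. It assumes one [introduced, fixed) version range per advisory and compares only the numeric parts of a version string; the hash value and the EXAMPLE-0001 advisory are placeholders.

```python
"""
Parse a CycloneDX JSON SBOM and report which shipped components fall inside a
known-vulnerable version range, keyed on Package URL (purl).

Added example, not the page's or any project's code. SAMPLE_SBOM and ADVISORIES
are constructed sample data; the CVE-2021-44228 range is simplified (the real
advisory has several affected and fixed versions).
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 document, the shape a build pipeline would upload
# to an inventory such as Dependency-Track. Real SBOMs carry hundreds of entries.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "billing-api", "version": "3.4.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}],  # placeholder hash
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisory feed keyed by purl coordinate (purl without the version).
# Each entry is (advisory id, introduced, fixed) meaning the range [introduced, fixed).
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("CVE-2021-44228", "2.0.0", "2.15.0"),   # Log4Shell, simplified range
    ],
    "pkg:pypi/requests": [
        ("EXAMPLE-0001", "2.0.0", "2.31.0"),     # hypothetical: fixed in the shipped version
    ],
}


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (coordinate, version). Qualifiers ('?type=jar') and the
    subpath ('#...') are dropped because advisories are keyed on the coordinate."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, ""
    coord, version = base.rsplit("@", 1)
    return coord, version


def version_key(version: str) -> Tuple[int, ...]:
    """Comparison key built from the numeric dotted prefix only. A pre-release
    tail such as '-beta9' is ignored, so pre-release ordering is NOT modelled."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-", 1)[0]))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def load_components(sbom_json: str) -> List[dict]:
    """Return the components array of a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def find_affected(sbom_json: str,
                  advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str]]:
    """Return [(purl, advisory id)] for every component whose purl coordinate has
    an advisory whose version range contains the shipped version. Components
    without a purl are skipped: name-only matching is too unreliable to act on."""
    hits: List[Tuple[str, str]] = []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            continue
        coord, version = parse_purl(purl)
        for advisory_id, introduced, fixed in advisories.get(coord, []):
            if in_range(version, introduced, fixed):
                hits.append((purl, advisory_id))
    return hits


if __name__ == "__main__":
    for purl, advisory_id in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"AFFECTED {advisory_id}: {purl}")
```

Run stand-alone it reports only log4j-core 2.14.1 against CVE-2021-44228; requests 2.31.0 is excluded because the range is closed-open and 2.31.0 is the fixed version. A production matcher (Dependency-Track, OSV, Grype and similar) does the same purl-coordinate lookup but with full pre-release-aware version parsing and advisory data with multiple ranges, which is why the page's caveat about precise identifiers matters: a component that lacks a purl, or carries a vendor-renamed one, silently drops out of this loop.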
● Examples
- 01
CycloneDX SBOM generated at every build and uploaded to an OWASP Dependency-Track instance for continuous vulnerability matching.
- 02
SBOM exchange clause in a procurement contract for a regulated SaaS platform.
● Frequently asked questions
What is Software Bill of Materials (SBOM)?
A formal, machine-readable inventory of the components, libraries, and dependencies that make up a piece of software, along with their versions and relationships. It belongs to the Application Security category of cybersecurity.
How does Software Bill of Materials (SBOM) work?
In practice an SBOM is produced by a build tool or SCA scanner that walks the dependency graph of the artifact, records each component's name, version, supplier, license and hash together with a stable identifier such as a Package URL, and emits the inventory in a standard format such as CycloneDX or SPDX. CI/CD pipelines then sign or attest the SBOM alongside the build and upload it to an inventory such as Dependency-Track, where it is continuously matched against CVE and KEV data and can be queried during incident response.
How is Software Bill of Materials (SBOM) used defensively?
An SBOM is itself a defensive control rather than a threat. Its value comes from continuous matching: new CVE and KEV entries are compared against the inventory of deployed components so that affected systems are identified quickly after an advisory (the "are we affected by Log4Shell?" scenario), and license or outdated-dependency issues surface before release. To be trustworthy it should be generated automatically for every build, signed or attested so a consumer can verify it has not been altered, and validated against the shipped artifact rather than only the source tree.
What are other names for Software Bill of Materials (SBOM)?
Common alternative names include: SBOM.
● Related terms
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- appsec№ 245
Cryptographic Bill of Materials (CBOM)
An inventory that lists every cryptographic asset used by software or systems - algorithms, key lengths, certificates, libraries, and protocols - to support crypto agility and post-quantum readiness.
- appsec№ 1053
SLSA Framework
Supply-chain Levels for Software Artifacts: a tiered set of requirements published by OpenSSF that progressively hardens how software is built, signed, and verified against supply-chain tampering.
- appsec№ 870
Provenance Attestation
A signed, machine-verifiable statement that describes how a software artifact was produced - including source, build system, parameters, and dependencies - so consumers can trust its origin.
- appsec№ 971
SCA (Software Composition Analysis)
Automated analysis of an application's open-source and third-party components to identify known vulnerabilities, license issues and outdated or risky dependencies.
- attacks№ 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
● See also
- № 025 AI Bill of Materials (AIBOM)
- № 522 in-toto