SBOM (Software Bill of Materials)
An SBOM (Software Bill of Materials) is a machine-readable inventory of every component that makes up a piece of software, including how those components relate to each other, similar to how a food label lists all the ingredients in a packaged product.
Key Points:
- SBOM stands for Software Bill of Materials.
- It includes:
  - Open-source libraries
  - Third-party components
  - Dependencies and sub-dependencies (direct and transitive)
  - Version numbers
  - Licenses
  - Component relationships (which component depends on which)
Why It's Important:
- Security: when a vulnerability is published in a component, the SBOM tells you which products contain it (e.g., finding every build that shipped an affected log4j-core version during Log4Shell, CVE-2021-44228) without re-scanning every codebase.
- Compliance: ensures you're following the license requirements of each component you ship.
- Transparency: gives customers and auditors visibility into what is inside the software, which is the basis of software supply chain management.
- Risk Management: aids in assessing software integrity and exposure, since each component can be checked against its listed version and hash.
Who Uses SBOMs?
- Software developers
- Security teams
- Risk and compliance professionals
- Vendors and customers in regulated industries
Standards:
Common formats include:
- CycloneDX (an OWASP project; JSON, XML and protobuf serializations)
- SPDX (a Linux Foundation project, standardized as ISO/IEC 5962:2021)
- SWID tags (ISO/IEC 19770-2, used mainly for installed-software inventory)
Sample (CycloneDX 1.5, JSON):
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2025-05-03T12:00:00Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "cyclonedx-cli",
        "version": "0.24.2"
      }
    ],
    "component": {
      "type": "application",
      "name": "my-sample-app",
      "version": "1.0.0",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "d3b07384d113edec49eaa6238ad5ff00"
        }
      ]
    }
  },
  "components": [
    {
      "type": "library",
      "name": "example-lib",
      "version": "2.1.3",
      "purl": "pkg:npm/example-lib@2.1.3",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "9c1185a5c5e9fc54612808977ee8f548b2258d31"
        }
      ]
    }
  ]
}
"bomFormat": Specifies this is a CycloneDX BOM; "specVersion" gives the schema version it follows (1.5 here).
"metadata": Info about the generating tool, when the BOM was produced, and the primary component the BOM describes (the application my-sample-app).
"components": The list of dependent software components (e.g., libraries).
"purl": The Package URL, a standard identifier (type, namespace, name, version) that lets tools look the component up in package registries and vulnerability databases without ambiguity.
"hashes": Digests of the component's artifact, so a consumer can recompute the hash of the file it actually has and confirm it matches the listed component. Note that the SHA-256 value in the sample above is only 32 hex characters long; a real SHA-256 digest is 64, so a strict consumer should flag that entry rather than treat the component as verified.
"licenses": Helps ensure legal compliance, using SPDX license identifiers such as MIT.
An SBOM records what its producer declared; to trust that declaration, pair it with a signature or attestation over the BOM itself.