SBOM (Software Bill of Materials)
An SBOM (Software Bill of Materials) is a machine-readable inventory of every component, library and dependency in a piece of software, with the version and licence of each. It is the foundation of supply chain security: only an organisation that knows what its software contains can systematically find and remediate known vulnerabilities (CVEs).
Without an SBOM the attack surface is unknown. The Log4Shell incident (CVE-2021-44228, December 2021) showed many organisations painfully that they had no idea how many of their systems contained the vulnerable Log4j library, let alone which ones.
What an SBOM Contains
- Components: All direct and transitive dependencies (libraries, frameworks, packages), ideally each with a stable identifier such as a Package URL (purl) or CPE so that it can be matched automatically against advisories.
- Versions: Exact version numbers for vulnerability matching.
- Licences: SPDX licence identifiers for compliance checks.
- Provenance: Where a component comes from, and which source repository and build it corresponds to.
- Hashes: Cryptographic checksums (e.g. SHA-256) of the component artefacts, so that what is deployed can be verified against what the SBOM describes.
Formats and Standards
- SPDX: Linux Foundation project, standardised as ISO/IEC 5962:2021; originally licence-oriented, now a general SBOM format. spdx.dev
- CycloneDX: OWASP project, security-oriented and widely used; standardised as ECMA-424 in 2024 and also covers related documents such as VEX. cyclonedx.org
- SWID Tags: ISO/IEC 19770-2, a software asset management standard for installed software; prevalent in enterprise environments and one of the three formats recognised by the NTIA minimum elements, but rarely produced by build tooling.
Generation and Integration
- Build-Time Generation: Tools such as Syft, cdxgen or Trivy generate SBOMs from source trees and container images as a step of the CI/CD pipeline.
- Dependency Tracking: The SBOM is regenerated on every build, tied to the artefact it describes (e.g. by image digest) and stored alongside it in the artefact repository.
- Vulnerability Scanning: The SBOM is matched against vulnerability databases (NVD, OSV, GitHub Advisory Database), typically by purl or CPE; matching is only as good as the identifiers the SBOM carries, so components without a purl or with a mangled version string are silently missed.
- Licence Compliance: Automated checking for licence conflicts (e.g. GPL in proprietary projects).
Focus: Rapid Response to Newly Disclosed Vulnerabilities
When a new critical vulnerability is disclosed, stored SBOMs can answer within minutes which systems ship the affected component and version, instead of requiring every host to be rescanned. This only works if the SBOMs are complete (transitive dependencies included), current, queryable from one place (e.g. Dependency-Track) and carry identifiers that match the advisory.
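The query described above, together with the component fields listed under "What an SBOM Contains" and the vulnerability and licence checks under "Generation and Integration", as an added example that is not code from the original page or from any of the tools it names. It assumes one CycloneDX JSON SBOM per deployed system kept in an artefact store (modelled here as constructed inline documents; `example-gpl-widget` is a hypothetical package name) and a vulnerability feed in a simplified OSV-like shape: the affected package's version-less purl plus introduced/fixed ranges. The feed record for CVE-2021-44228 is constructed and simplified to the main 2.x range; the real advisory also lists backport branches.

```python
"""Which systems ship a vulnerable component? Answered from stored CycloneDX SBOMs.

Added example, not from the page. Assumptions: one CycloneDX JSON SBOM per
system (constructed inline below), a simplified OSV-like feed keyed by
version-less purl, and dotted-numeric versions.
"""
from __future__ import annotations
import json
from collections import deque
from typing import Iterator

# Constructed SBOMs (CycloneDX 1.5 JSON, trimmed to the fields used here).
# "example-gpl-widget" is a hypothetical package, not a real npm module.
SBOMS = {
    "billing-api": json.loads("""{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "jackson-databind", "version": "2.12.3",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]}
      ]}"""),
    "reporting": json.loads("""{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]}
      ]}"""),
    "web-frontend": json.loads("""{
      "bomFormat": "CycloneDX", "specVersion": "1.5",
      "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-gpl-widget", "version": "1.2.0",
         "purl": "pkg:npm/example-gpl-widget@1.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
      ]}"""),
}

# Constructed feed record, simplified: only the main 2.x range of the
# published CVE-2021-44228 advisory is kept, backport branches are omitted.
FEED = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "ranges": [{"introduced": "2.0", "fixed": "2.15.0"}]},
]

# Licences a hypothetical proprietary-product policy forbids (policy choice, not a fact about the page).
COPYLEFT = frozenset({"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                      "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"})


def iter_components(sbom: dict) -> Iterator[dict]:
    """Walk top-level and nested components; CycloneDX allows components inside components."""
    queue = deque(sbom.get("components", []))
    while queue:
        comp = queue.popleft()
        yield comp
        queue.extend(comp.get("components", []))


def split_purl(purl: str) -> tuple[str, str | None]:
    """Return (version-less purl, version); qualifiers ('?') and subpath ('#') are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = base.rpartition("@")
    if not sep or "/" in tail:   # no version, or the '@' belonged to an npm scope
        return base, None
    return head, tail


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric compare; non-numeric segments count as 0 and trailing zeros are dropped (simplification)."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, ranges: list[dict]) -> bool:
    """True if version falls in any [introduced, fixed) range; a missing 'fixed' means still unfixed."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if lo <= v and (hi is None or v < parse_version(hi)):
            return True
    return False


def affected_systems(sboms: dict, feed: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map vulnerability id -> [(system, purl)] for every affected component across all SBOMs."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for vuln in feed:
        for system, sbom in sboms.items():
            for comp in iter_components(sbom):
                purl = comp.get("purl")
                if not purl:
                    continue   # no identifier: cannot be matched; flag such components separately in practice
                base, version = split_purl(purl)
                if base == vuln["package"] and version and is_affected(version, vuln["ranges"]):
                    hits.setdefault(vuln["id"], []).append((system, purl))
    return hits


def licence_ids(comp: dict) -> list[str]:
    """SPDX ids from a CycloneDX 'licenses' list: {license:{id}} entries or SPDX expressions."""
    ids: list[str] = []
    for entry in comp.get("licenses", []):
        if "license" in entry and "id" in entry["license"]:
            ids.append(entry["license"]["id"])
        elif "expression" in entry:   # conservative: every id in an expression counts, even under OR
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.extend(t for t in tokens if t not in ("AND", "OR", "WITH"))
    return ids


def licence_conflicts(sbom: dict, forbidden: frozenset = COPYLEFT) -> list[str]:
    """purls of components carrying a licence the policy forbids."""
    return [c["purl"] for c in iter_components(sbom)
            if c.get("purl") and set(licence_ids(c)) & forbidden]


if __name__ == "__main__":
    for vuln_id, hits in affected_systems(SBOMS, FEED).items():
        for system, purl in hits:
            print(f"{vuln_id}: {system} ships {purl}")
    for system, sbom in SBOMS.items():
        for purl in licence_conflicts(sbom):
            print(f"licence policy: {system} contains {purl}")
```

With the constructed data the matcher reports only `billing-api` for CVE-2021-44228: `reporting` carries the same library at a fixed version, and `web-frontend` has no Log4j at all but trips the licence policy. Real version semantics (pre-release tags, distro epochs, Maven qualifiers) need a proper version library; the numeric tuple here is deliberately minimal.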
Reference Guide
- CISA SBOM: The US Cybersecurity and Infrastructure Security Agency, which leads the US government's SBOM guidance (minimum elements, VEX). cisa.gov/sbom
- Syft: Open-source SBOM generator. github.com/anchore/syft
- OWASP Dependency-Track: SBOM management platform. dependencytrack.org