Software Bill of Materials

Software composition analysis (SCA)

Software bill of materials (SBOM) is the list of components that conforms a given software.

SBOM management should be part of the software development lifecycle (SDLC).

SBOM may be compound by:

  • Custom code
  • Third-party commercial software
  • Third-party free and open source (FOSS) software

Uses of SBOM

We can use SBOM in the following scenarios:

  • If you are a software supplier or vendor, you should have an SBOM to identify possible vulnerabilities and report them to customers and regulators
  • If you are a software customer, you should require SBOMs to your software suppliers to ensure there are no vulnerabilities

SBOM Standards

SBOM standardes

  • SPDX
  • CycloneDX


SPDX is an open standard that provides a common format for companies and communities to share important SBOM data.

SPDX official website


CycloneDX official website

Legal Requirements for SBOM

European Union Cyber Resilience Act (CRA) requires a SBOM.

You can read more about CRA on this post.

SBOM Courses

The Linux Foundation offers some courses about SBOM:

SBOM Compliance

The executive order on improving USA cybersecurity of May 2021 requires that software provides a SBOM. You can read more about this on this external link.

You might also be interested in…

External References

Leave a Reply

Your email address will not be published. Required fields are marked *