TLDR:

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all software components, libraries, and dependencies used to build a software product—including third-party open source components, their versions, and licenses. SBOMs are foundational for supply chain security, vulnerability management, and license compliance.

Why SBOMs Matter

Modern software is assembled from extensive open source dependencies; a typical application pulls in hundreds or thousands of third-party libraries, most of them transitive and never chosen directly by its developers. When a vulnerability emerges in a widely used component (Log4Shell, CVE-2021-44228 in the Log4j library in December 2021, affected millions of applications), organizations need to identify rapidly which of their products are affected. Without SBOMs, that means rebuilding or manually auditing every product and can take days or weeks; with SBOMs already collected and indexed, it is a query over inventory data that can run in minutes. An SBOM establishes presence, not exploitability: a product that contains a vulnerable version still needs a separate assessment of whether the vulnerable code is reachable. SBOMs also enable license compliance verification, for example identifying copyleft-licensed (GPL, AGPL) code that may impose unintended obligations when the product is distributed.

Formats and Standards

Two major SBOM formats dominate: SPDX (Software Package Data Exchange, standardized as ISO/IEC 5962:2021 and stewarded by the Linux Foundation) and CycloneDX (developed by OWASP and standardized as ECMA-424, with first-class support for vulnerability and exploitability data via VEX, the Vulnerability Exploitability eXchange). Both have JSON and XML serializations (SPDX also has tag-value and RDF forms), and both identify components with Package URLs (purl) and, where applicable, CPE names; consistent identifiers are what let automated tooling match an inventory against advisories. Generation can happen at several points: at source level (resolving manifests and lockfiles), at build time (recording what the build actually compiled, linked or packaged), and at binary level (analyzing the compiled artifact or container image). Each provides different fidelity: a source-level SBOM may list dependencies that never ship or miss vendored and statically linked code, a build-time SBOM is usually the most accurate record of what ships, and binary analysis works without any build metadata but relies on heuristics to recognize components and can miss or misidentify them.
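The following Python script is an added example, not code from the original page: it performs the kind of lookup the Log4Shell scenario above calls for, reading a CycloneDX JSON document, extracting each component's purl and checking its version against an advisory's affected range. The SBOM document, its component list and the advisory record are constructed for the example; the advisory mirrors the published affected range for CVE-2021-44228 in log4j-core (2.0-beta9 up to, but not including, 2.15.0), and in practice such data would come from a feed like OSV or the NVD. The version comparison is a deliberately small Maven-style ordering, not a full implementation of any ecosystem's rules.

```python
"""Look up a CycloneDX JSON SBOM against a small advisory list.

Added example, not code from the original page. The SBOM and the advisory
record are constructed; the advisory mirrors the published range for
CVE-2021-44228 (log4j-core 2.0-beta9 up to, but not including, 2.15.0).
"""
import json

# Constructed CycloneDX 1.5 document for a fictitious Java service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed advisory record; the range is half-open [introduced, fixed),
# the convention OSV uses.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]


def version_key(version):
    """Sort key for Maven-style versions: numeric dotted parts first, then a
    pre-release tag ('2.0-beta9' sorts before the bare release '2.0')."""
    main, _, pre = version.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))        # '2.0' compares equal to '2.0.0'
    return (tuple(nums), 0 if pre else 1, pre)


def split_purl(purl):
    """Split a purl into (type/namespace/name, version); qualifiers ('?...')
    and subpath ('#...') are dropped, which is enough for advisory matching."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    package, _, version = body.partition("@")
    return package, (version or None)


def affected_components(sbom_json, advisories):
    """Return (purl, advisory id) pairs for every component whose version
    falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                     # no identifier: cannot be matched automatically
        package, version = split_purl(purl)
        if version is None:
            continue
        key = version_key(version)
        for adv in advisories:
            if package != adv["package"]:
                continue
            if version_key(adv["introduced"]) <= key < version_key(adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, advisory in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{advisory}: {purl}")
```

Run against the constructed document, the script reports only log4j-core 2.14.1; log4j-api shares the group and version but is a different package, which is why matching is done on the full purl package part rather than on a name substring. A component without a purl is skipped, which is the practical reason generation tooling should be configured to emit identifiers for every component.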

Regulatory and Customer Requirements

SBOM requirements have proliferated rapidly: the US Executive Order 14028 (May 2021) directs federal agencies to require SBOMs from vendors of software sold to the government; the EU Cyber Resilience Act mandates SBOMs for products with digital elements (in force since December 2024, with its main obligations applying from December 2027); the FDA requires an SBOM in premarket submissions for connected medical devices; and major enterprises increasingly require SBOMs in procurement.

Generation tooling includes Syft and Grype (from Anchore), Trivy, and ecosystem-native tools: npm (npm sbom), Maven (the cyclonedx-maven-plugin) and pip (cyclonedx-bom) can emit SBOMs directly from their dependency resolution (CycloneDX, and for npm also SPDX), and any native lockfile can be transformed into an SBOM. For startups, building SBOM generation into CI/CD pipelines early (generate at build time, then store the SBOM alongside the artifact it describes) is far easier than retrofitting, and customers increasingly expect SBOMs as part of security questionnaires.
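To show what "transforming a native dependency manifest into an SBOM" involves, here is an added example (not code from the original page or from any tool it names) that converts an npm package-lock.json (lockfileVersion 3) into a CycloneDX 1.5 JSON document. The lockfile is constructed, and its integrity values are placeholder bytes rather than real digests; the conversion carries over name, version, license, the SRI hash and the resolved dependency graph, and percent-encodes scoped package names as the purl specification requires.

```python
"""Convert an npm package-lock.json (lockfileVersion 3) to a CycloneDX SBOM.

Added example, not from the original page or any tool it names. The lockfile
below is constructed; its integrity digests are placeholder bytes.
"""
import base64
import json
import uuid
from datetime import datetime, timezone


def _sri(alg, filler, size):
    """Placeholder Subresource Integrity string for the constructed sample."""
    return alg + "-" + base64.b64encode(bytes([filler]) * size).decode()


SAMPLE_LOCK = json.dumps({
    "name": "web-frontend", "version": "1.4.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-frontend", "version": "1.4.0",
             "dependencies": {"express": "^4.18.2", "@scope/widget": "^2.1.0"}},
        "node_modules/express": {"version": "4.18.2", "license": "MIT",
                                 "integrity": _sri("sha512", 0x11, 64),
                                 "dependencies": {"body-parser": "1.20.1"}},
        "node_modules/body-parser": {"version": "1.20.1", "license": "MIT"},
        "node_modules/@scope/widget": {"version": "2.1.0", "license": "Apache-2.0",
                                       "integrity": _sri("sha256", 0x33, 32)},
    },
})

SRI_TO_CDX_ALG = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def npm_purl(name, version):
    """purl for an npm package; a scoped name's leading '@' is percent-encoded."""
    return "pkg:npm/" + name.replace("@", "%40", 1) + "@" + version


def sri_to_hash(integrity):
    """Translate an SRI string ('sha512-<base64>') to a CycloneDX hash (hex)."""
    alg, _, b64 = integrity.partition("-")
    return {"alg": SRI_TO_CDX_ALG[alg], "content": base64.b64decode(b64).hex()}


def resolve(packages, dep_name, requester_path):
    """Lockfile key npm would load for dep_name required from requester_path,
    walking up nested node_modules directories the way Node resolution does."""
    path = requester_path
    while True:
        candidate = (path + "/" if path else "") + "node_modules/" + dep_name
        if candidate in packages:
            return candidate
        if not path:
            return None
        # 'node_modules/a/node_modules/b' -> 'node_modules/a'; 'node_modules/a' -> ''
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""


def lock_to_cyclonedx(lock_json):
    """Build a CycloneDX 1.5 document (as a dict) from lockfile JSON text."""
    lock = json.loads(lock_json)
    packages = lock["packages"]
    root = packages[""]
    root_ref = npm_purl(root["name"], root["version"])
    components, dependencies = [], []

    def depends_on(path, entry):
        refs = []
        for dep in entry.get("dependencies", {}):
            target = resolve(packages, dep, path)
            if target is not None:
                refs.append(npm_purl(dep, packages[target]["version"]))
        return refs

    dependencies.append({"ref": root_ref, "dependsOn": depends_on("", root)})
    for path, entry in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]      # keeps '@scope/name' intact
        ref = npm_purl(name, entry["version"])
        comp = {"type": "library", "bom-ref": ref, "name": name,
                "version": entry["version"], "purl": ref}
        if "license" in entry:                          # lockfile license strings are SPDX ids
            comp["licenses"] = [{"license": {"id": entry["license"]}}]
        if "integrity" in entry:
            comp["hashes"] = [sri_to_hash(entry["integrity"])]
        components.append(comp)
        dependencies.append({"ref": ref, "dependsOn": depends_on(path, entry)})

    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": "urn:uuid:" + str(uuid.uuid4()), "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": root["name"], "version": root["version"],
                          "purl": root_ref}},
        "components": components,
        "dependencies": dependencies,
    }


if __name__ == "__main__":
    print(json.dumps(lock_to_cyclonedx(SAMPLE_LOCK), indent=2))
```

The dependency graph is the part most lockfile-to-SBOM conversions get wrong: a nested node_modules directory means the same package name can resolve to different versions for different requesters, so each edge is resolved from the requester's position in the tree rather than by name alone. Carrying the integrity hash across is what lets a consumer later verify that the artifact they received matches the component the SBOM claims.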