SBOM - Software Bill of Materials
Software Bill Of Materials (SBOM) answers the fundamental security questions an organization has: “Am I affected?” and “Where am I affected?”. In a world of software built on complex library dependency graphs, knowing the answers to these questions enables an organization to determine whether it is vulnerable.
What is SBOM?
An SBOM is a machine-readable inventory of software components, their dependencies, and information about those components. VEX (Vulnerability Exploitability eXchange) is a concept related to SBOM: a VEX document is an attestation, a form of security advisory, that states whether a product or products are affected by a vulnerability.

Source: https://www.ntia.gov/sites/default/files/publications/sbom_at_a_glance_apr2021_0.pdf
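As an added example (not from the NTIA source or from any SBOM project), the Python below answers both questions above against a constructed CycloneDX 1.4 document: it matches a hypothetical advisory against component purls, walks the dependency graph to find where the affected library is pulled in, and reads the VEX verdict embedded in the BOM. The component names, purls and the advisory id EXAMPLE-0001 are all made up for the example.

```python
import json

# Constructed CycloneDX 1.4 document with an embedded VEX entry (sample data, not a real product or advisory).
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"bom-ref": "app", "type": "application", "name": "shop-api", "purl": "pkg:maven/org.example/shop-api@3.2.0"},
  {"bom-ref": "http", "type": "library", "name": "http-client", "purl": "pkg:maven/org.example/http-client@5.1.0"},
  {"bom-ref": "logger", "type": "library", "name": "logger", "purl": "pkg:maven/org.example/logger@2.14.1"},
  {"bom-ref": "logger-api", "type": "library", "name": "logger-api", "purl": "pkg:maven/org.example/logger-api@2.17.0"}
 ],
 "dependencies": [{"ref": "app", "dependsOn": ["http", "logger-api"]}, {"ref": "http", "dependsOn": ["logger"]}],
 "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "logger"}],
                      "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]
}"""
# Hypothetical advisory: every version of this package below fixed_in is vulnerable.
ADVISORY = {"id": "EXAMPLE-0001", "purl": "pkg:maven/org.example/logger", "fixed_in": "2.15.0"}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # dotted numeric versions only, for the sake of the example

def find_affected(sbom, advisory):
    """'Am I affected?': bom-refs whose purl matches the advisory exactly (minus version) and predates the fix."""
    fixed = parse_version(advisory["fixed_in"])
    parts = [(c["bom-ref"], *c.get("purl", "").partition("@")) for c in sbom.get("components", [])]
    # exact purl comparison, so logger-api does not match an advisory for logger
    return [ref for ref, name, _, ver in parts if name == advisory["purl"] and ver and parse_version(ver) < fixed]

def dependents_of(sbom, ref):
    """'Where am I affected?': walk the dependency graph upward to everything that (transitively) pulls in ref."""
    parents = {}
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            parents.setdefault(child, set()).add(d["ref"])
    seen, stack = set(), [ref]
    while stack:
        for p in parents.get(stack.pop(), set()) - seen:
            seen.add(p)
            stack.append(p)
    return sorted(seen)

def vex_state(sbom, vuln_id, ref):
    """VEX verdict recorded in the BOM for (vuln_id, ref); nothing recorded is reported as in_triage."""
    for v in sbom.get("vulnerabilities", []):
        if v.get("id") == vuln_id and any(a.get("ref") == ref for a in v.get("affects", [])):
            return v.get("analysis", {}).get("state", "in_triage")
    return "in_triage"

def assess(sbom_json, advisory):
    sbom = json.loads(sbom_json)
    return {ref: {"used_by": dependents_of(sbom, ref), "vex": vex_state(sbom, advisory["id"], ref)}
            for ref in find_affected(sbom, advisory)}
```

For the sample data, `assess(SBOM_JSON, ADVISORY)` reports that only `logger` is in the affected range, that it reaches the application through `http-client`, and that the supplier's VEX statement marks it not_affected, which is exactly the triage shortcut a VEX document is meant to provide.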
References
- SPDX: https://spdx.dev/
- SPDX Specification: https://spdx.github.io/spdx-spec/v2.3/
- SPDX Tools: https://spdx.dev/use/tools/
- CycloneDX: https://cyclonedx.org/
- CycloneDX Tool Center: https://cyclonedx.org/tool-center/