Software Bill of Materials (SBOM)
Definition
A structured, machine-readable inventory of the software components in a product or system. Captures component names, versions, licences, and dependency relationships. Standard formats include SPDX (ISO/IEC 5962:2021) and CycloneDX. US Executive Order 14028 (2021) mandated SBOMs for federal software suppliers.
Related terms
- Dependency confusion
- An attack technique in which an attacker publishes a public package with the same name as an organisation's internal private package at...
- NIST SP 800-161r1
- The US National Institute of Standards and Technology publication 'Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations' (Revision 1, 2022)....
- Software Composition Analysis (SCA)
- A category of security tooling that scans source code, build manifests, and container images to identify open-source and third-party components, match them...
- Transitive dependency
- A software library that an application does not import directly but is pulled in automatically because a direct dependency requires it. Transitive...
- Vendor due diligence
- The pre-procurement and ongoing process of assessing a supplier's security practices before and during a commercial relationship. In supply-chain risk management, due...
Explained in
- Supply-Chain Risk and Software DependenciesA structured, machine-readable inventory of the software components in a product or system. Captures component names, versions, licences, and dependency relati...