What Is an SBOM (Software Bill of Materials)?
A software bill of materials (SBOM) is a formal, machine-readable list of every component, library, and dependency contained in a software artifact, along with versions and relationships. Common formats include SPDX and CycloneDX. SBOMs let teams quickly answer "are we affected?" when a new vulnerability is disclosed.
Why it matters
When a vulnerability like Log4Shell appears, the first question is which builds include the affected component. Without an SBOM that answer takes days of manual auditing. Generating an SBOM during CI makes the inventory authoritative and instantly queryable.
Related concepts
- SPDX and CycloneDX are standard SBOM formats
- Transitive dependencies must be included, not just direct ones
- Pairs with provenance to describe both contents and origin
Related guides
What Is a Transitive Dependency?A transitive dependency is one you do not require directly but pull in indirectly because a dependency of you…
What Is Build Provenance?Build provenance is signed metadata describing how an artifact was built, including its source, inputs, and b…
What Is a Software Supply Chain Attack?A supply chain attack compromises software by tampering with a dependency, build system, or distribution chan…