Supplier SBOM Submission Guide
An SBOM generation and submission guide for partner companies that supply software to SK Telecom.
To strengthen the transparency and security of its software supply chain, SK Telecom asks suppliers to submit an SBOM (Software Bill of Materials) for all software components and dependencies they deliver. This guide explains how suppliers can generate and submit an SBOM in a format that meets SK Telecom’s security policy.
Scope of Application
All suppliers (including developers and resellers) that deliver the following types of software are subject to these guidelines.
- Source code: Applications written in Java, Python, JavaScript, Go, C/C++, etc.
- Container images: Docker images or OCI-compliant containers
- Executables: Compiled binaries (.jar, .dll, .so) and libraries
- Embedded systems: Firmware images, RootFS, device drivers
SBOM Submission Process
We ask suppliers to follow the procedure below, from the time of contract through final delivery.
flowchart TD
A[Contract Review] --> B["Software Development/Build"]
B --> C{Generate SBOM}
C -->|Use SKT-provided tool| D[Use SKT SBOM Generator]
C -->|Use your own tool| E["Use open source tools<br>(cdxgen, Syft, etc.)"]
D --> F["Data Validation (PURL Check)"]
E --> F
F --> G["Submit SBOM (Email/Portal)"]
G --> H[SKT Security Review]
H -->|Approved| I[Delivery Complete]
H -->|Rejected| J[Remediate and Resubmit]
J --> FGuide Structure
This section is organized as follows.
- Submission Requirements: Defines the required formats (CycloneDX, SPDX) and data fields that SK Telecom requires.
- SKT SBOM Generator: Explains how to use SK Telecom’s SBOM generation tool.
- Using Open Source Tools: Explains how to generate an SBOM using general-purpose open source tools (cdxgen, Syft, etc.).
- Validation Checklist: Provides a checklist of essential items to verify before submission.
- Submission Process: Explains the naming conventions and submission channels for the generated SBOM file.
1 - SBOM Submission Requirements
Defines in detail the standard SBOM format, required information, and PURL identifier rules under SK Telecom policy.
SK Telecom supports both formats that have become established as global standards. Suppliers may choose and submit the format supported by the tool they use.
| Format | Version | Recommended Use | File Format |
|---|
| CycloneDX | v1.3, v1.4, v1.5, v1.6 | Application security, vulnerability management focus | JSON (recommended), XML |
| SPDX | v2.2, v2.3 | License compliance focus | JSON, Tag-Value |
Note: Both formats are recognized equally, but CycloneDX (JSON) format is recommended for internal system interoperability.
The SBOM document you submit must include the following information. Missing information may result in rejection.
Information about the document itself and the generation tool.
- Timestamp: Generation date and time (ISO 8601 format)
- Tool Info: Vendor, name, and version of the generation tool (e.g.,
CycloneDX-Maven-Plugin v2.7.9) - Component Info: Name and version of the top-level software being delivered
Generation tool information must be recorded in the following fields depending on the format.
- SPDX: Record the tool name and version in the
creationInfo.creators field with the Tool: prefix - CycloneDX: Record
vendor, name, and version in the metadata.tools array
// SPDX creationInfo example
"creationInfo": {
"created": "2026-04-06T03:22:00Z",
"creators": ["Tool: Syft-0.98.0", "Organization: VendorName"]
}
2.2 Components
Information about the individual libraries that make up the software.
- Name: Component name (e.g.,
commons-lang3) - Version: Component version (e.g.,
3.12.0) — Required: Vulnerability mapping is impossible without the version - PURL (Package URL): [Required] Package identifier
Version information must be included. Each package/component must record its exact version in SPDX’s versionInfo field or CycloneDX’s version field. Without a version, mapping to the vulnerability database is impossible, so security analysis cannot be performed.
| Item | Additional Requirement |
|---|
| Version specification | Required — Vulnerability mapping is impossible without the version |
2.3 Dependency Scope
Important: Transitive dependencies must be included.
SK Telecom analyzes vulnerabilities based on the submitted SBOM. An SBOM that includes only direct dependencies may miss hidden vulnerabilities and may therefore be rejected.
| Dependency Type | Description | Inclusion |
|---|
| Direct | Libraries explicitly declared by the project | Required |
| Transitive | Libraries that the direct dependencies in turn depend on | Required |
| Dev-only | Libraries not included at runtime, such as test and build tools | Inclusion recommended |
What are transitive dependencies?
For example, if a project uses library-A directly, and library-A internally uses library-B, then library-B is a transitive dependency. Even if library-B has a vulnerability, it cannot be detected unless it is included in the SBOM.
MyApp
└─ library-A v1.0 (direct dependency) ← explicitly declared by the supplier
└─ library-B v2.3 (transitive dependency) ← must be included in the SBOM
└─ library-C v0.9 (transitive dependency) ← must be included in the SBOM
Prerequisites for generating a correct SBOM
For transitive dependencies to be included accurately, the SBOM must be generated with the build (or package installation) completed. When only source code is present, transitive dependencies may be omitted.
- Java (Maven): Generate after running
mvn package or mvn dependency:resolve - Java (Gradle): Generate after running
./gradlew dependencies - Python: Generate after
pip install -r requirements.txt (with the virtual environment activated) - Node.js: Generate after running
npm install or yarn install - Go: Generate after running
go mod download
For how to include transitive dependencies with each tool, refer to the Using Open Source Tools guide.
3. Package URL (PURL) Compliance
PURL (Package URL) is a standard URL format for uniquely identifying a software package. SK Telecom’s vulnerability analysis system operates based on PURL, so a valid PURL must be included for every component.
A PURL must be in the standard format beginning with the pkg: prefix. Free text such as name:version or org/repo:tag is not allowed; in such cases vulnerability mapping is impossible and the SBOM will be rejected.
PURL Examples by Language
| Ecosystem | PURL Format Example |
|---|
| Java (Maven) | pkg:maven/org.springframework/spring-core@5.3.20 |
| JavaScript (NPM) | pkg:npm/express@4.18.2 |
| Python (PyPI) | pkg:pypi/django@4.1.0 |
| Go | pkg:golang/github.com/gin-gonic/gin@v1.8.1 |
| .NET (NuGet) | pkg:nuget/Newtonsoft.Json@13.0.1 |
| Ruby (RubyGems) | pkg:gem/rails@7.0.4 |
| GitHub (Actions / source hosting) | pkg:github/actions/checkout@v3 |
| OS package (RPM) | pkg:rpm/centos/glibc@2.17-317.el7?arch=x86_64 |
PURL Type Restrictions
The purl must be of a type that can identify the ecosystem.
| Item | Requirement |
|---|
| purl type | Do not use pkg:generic/. You must use a type that specifies the ecosystem |
| Allowed types | pkg:rpm/, pkg:deb/, pkg:apk/, pkg:npm/, pkg:maven/, pkg:pypi/, pkg:cargo/, pkg:golang/, pkg:gem/, pkg:nuget/, pkg:github/ (source components hosted on GitHub), etc. |
Correct / Incorrect PURL Examples
| Incorrect | Correct |
|---|
commons-lang3:3.12.0 | pkg:maven/org.apache.commons/commons-lang3@3.12.0 |
actions/checkout:v3 | pkg:github/actions/checkout@v3 |
lodash@4.17.21 | pkg:npm/lodash@4.17.21 |
pkg:generic/foo@1.0 | (Change to a type appropriate for the ecosystem) |
For detailed PURL specifications, refer to the official Package URL spec.
4. Sample Document
CycloneDX Sample
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"metadata": {
"timestamp": "2023-10-15T10:30:00Z",
"tools": [{
"vendor": "Example Corp",
"name": "cyclonedx-maven-plugin",
"version": "2.7.9"
}],
"component": {
"type": "application",
"name": "PaymentModule",
"version": "2.1.0",
"purl": "pkg:maven/com.example/payment-module@2.1.0"
}
},
"components": [{
"type": "library",
"name": "spring-core",
"version": "5.3.20",
"purl": "pkg:maven/org.springframework/spring-core@5.3.20",
"licenses": [{
"license": {
"id": "Apache-2.0"
}
}]
}]
}
...
References
2 - SKT SBOM Generator
Explains how to generate an SBOM that meets SK Telecom policy using the SKT SBOM Generator.
SKT SBOM Generator
The SKT SBOM Generator is an open source tool that lets suppliers generate deliverables that meet SK Telecom policy in a Docker environment. You do not need to install per-language tools locally; it analyzes multiple languages and produces a CycloneDX (JSON) deliverable.
This page covers only the quick start. For installation, the full set of options, language-specific guides, input scenarios, the web UI, and other details, see the official repository documentation.
github.com/sktelecom/sbom-tools
Bug reports, feature suggestions, and Pull Request contributions are welcome.
Deliverables Generated
A single run generates the following three deliverables together (the --all option).
| Deliverable | File | Purpose |
|---|
| SBOM | {project}_{version}_bom.json | CycloneDX 1.6 component specification (the delivery baseline) |
| Open Source Notice | {project}_{version}_NOTICE.{txt,html} | Notice document for fulfilling license obligations |
| Open Source Risk Analysis Report | {project}_{version}_risk-report.{md,html} | Aggregation of license and vulnerability risks |
Prerequisites
The SBOM Generator runs on Docker. Install and run Docker Engine 20.10 or later. On Windows without Docker, we recommend Rancher Desktop, which is free. The first run downloads a scanner image (about 3–4 GB), so it takes roughly 5–15 minutes.
Getting Started on Windows (No Command Line)
If you are not comfortable with the command line, you can generate an SBOM in one of two ways. For the full procedure, see the Windows quick start guide.
- Executable: Download
SBOM-Generator-*.exe from the latest release and double-click it. The file is not yet code-signed, so if Windows SmartScreen warns, click “More info” and then “Run anyway”. - Repository ZIP: From the repository’s
Code button, choose Download ZIP, unzip it, and double-click scripts\sbom-ui.bat; the browser opens http://localhost:8080.
In the web UI, the progress log is shown in real time on the right, and you can download the deliverables when it finishes.
Quick Start (CLI)
On macOS and Linux, download and run the script from a shell.
curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh
cd /path/to/my-project
/path/to/scan-sbom.sh --project "MyApp" --version "1.0.0" --all --generate-only
--generate-only creates files only locally, without uploading them to the portal (recommended until submission).- For the web UI, run
./scan-sbom.sh --ui (the browser opens http://localhost:8080). - On Windows, run the same commands through
scripts\scan-sbom.bat (it forwards them via Git Bash, so Git for Windows is required). - For other input forms such as a GitHub URL, source ZIP, Docker image, firmware, or binary, and the full set of options, see the Usage Guide.
Learn More
The authoritative source for using the tool is the repository documentation.
Next Steps
After generating the SBOM, verify the file with the Validation Checklist and submit it following the Submission Process. For the required data fields, see the Submission Requirements; to use tools such as cdxgen or Syft directly instead of the SKT tool, see Using Open Source Tools.
3 - Generating an SBOM with Open Source Tools
Explains how to generate an SBOM for each environment using general-purpose open source tools.
If you cannot use the SKT-provided tool, or you already have your own build pipeline, you can use open source tools directly. Below is a list of the major open source tools validated by SK Telecom, along with links to their official documentation.
If you are not comfortable setting up a tool environment and you have Docker installed, consider reviewing the SKT SBOM Generator first.
graph TD
A[Identify analysis target] --> B{Is it source code?}
B -- Yes --> C[cdxgen recommended]
B -- No --> D{Is it a Docker image?}
D -- Yes --> E[Syft or Trivy recommended]
D -- No --> F[Binary/Firmware]
F --> G[Syft recommended]cdxgen (recommended for source code analysis)
Automatically analyzes projects in various languages such as Java, Python, Node.js, and Go, and generates an SBOM in CycloneDX format.
Syft (recommended for container image and binary analysis)
Analyzes Docker images, file systems, and binary files to identify both OS packages and application libraries. Supports CycloneDX and SPDX formats.
Trivy (container image analysis)
An all-in-one tool that can perform container image analysis and vulnerability scanning together.
Security Warning — Trivy Supply Chain Attack Incident (2026)
In March 2026, a supply chain attack occurred in which an attacker re-pointed existing release tags
of aquasecurity/trivy to inject malware. The GitHub release v0.69.4 (3/19) and the DockerHub images
v0.69.5 and v0.69.6 (3/22) have been confirmed as compromised, so please stop using them.
To use Trivy safely, follow these principles.
GitHub Actions: Use a pinned commit SHA or a verified version tag instead of mutable tags (@master, @latest, @v1, etc.).
# Recommended: pin to a verified version
- uses: aquasecurity/trivy-action@0.35.0
# Safer: pin to a commit SHA
- uses: aquasecurity/trivy-action@<commit-sha>
Docker images: Specify a particular version tag, or pin to an image digest (@sha256:...).
docker run aquasecurity/trivy:<verified-version> image <target-image>
Official channels: Check the latest security advisories through the GitHub Security Advisory.
This incident shows that if you do not pin versions when adopting an open source tool, you can be exposed to a supply chain attack at any time. Always specify the version of every external tool and verify its integrity before use.
Language-Specific Dedicated Plugins
Using a build tool plugin lets you extract more accurate dependency information.
| Language/Build Tool | Plugin/Tool | Official Documentation |
|---|
| Java (Maven) | cyclonedx-maven-plugin | Link |
| Java (Gradle) | cyclonedx-gradle-plugin | Link |
| Python | cyclonedx-bom | Link |
| Node.js | @cyclonedx/cyclonedx-npm | Link |
| Go | cyclonedx-gomod | Link |
Verifying Transitive Dependency Inclusion
An SBOM submitted to SK Telecom must include transitive dependencies.
Transitive dependencies are libraries that the project does not declare directly, but on which the libraries it uses depend internally. If these are omitted, hidden vulnerabilities cannot be detected and the SBOM may be rejected.
Key principle: Generate the SBOM after the build (package installation) is complete.
When only source code is present, transitive dependencies may be omitted. Refer to the table below and complete the prerequisite steps before generating the SBOM.
| Tool / Method | Transitive Dependencies Included | Prerequisite Before SBOM Generation |
|---|
| cdxgen (source code) | Included automatically | No separate build required (auto-detected) |
| cdxgen (Java/Maven) | Conditional | Run mvn package or mvn dependency:resolve first |
| cdxgen (Java/Gradle) | Conditional | Run ./gradlew dependencies first |
| cdxgen (Python) | Conditional | Activate the virtual environment, then run pip install -r requirements.txt first |
| cdxgen (Node.js) | Conditional | Run npm install or yarn install first |
| Syft (Docker image) | Included automatically | Scan after the image build is complete (includes both OS and app packages) |
| Syft (file system/RootFS) | Included automatically | Scan based on the deployment artifact |
| Maven plugin | Included automatically | Generated automatically during the mvn package phase |
| Gradle plugin | Included automatically | Run ./gradlew cyclonedxBom |
Recommendation: When delivering as a Docker image, scanning the built image with Syft can include more complete transitive dependencies than source code analysis.
Common Precautions
Verify the following before using a tool.
- Transitive dependency inclusion: Refer to the table above and complete the prerequisite steps before generating the SBOM. Missing dependencies are grounds for rejection.
- PURL inclusion: Verify that the generated SBOM includes a
purl field for every component. SK Telecom’s system maps vulnerabilities based on PURL. - Output format: CycloneDX JSON format is recommended. (Use
-o cyclonedx-json or an equivalent option) - Project information: Verify that the metadata accurately records the name and version of the delivered project.
4 - Pre-Submission SBOM Validation Checklist
Check the essential items before submitting an SBOM to prevent rejection.
Essential Checklist Items
An SBOM that does not pass the checklist below may be automatically rejected by the system.
1. File Integrity
2. Required Data Fields
3. Dependency Completeness Check
Missing transitive dependencies are the most common reason for rejection. Be sure to verify the items below.
Dependency count guideline: A typical web application, including transitive dependencies, contains dozens to hundreds of components. If the component count in your SBOM is significantly lower than expected, treat it with suspicion.
4. Identifier (PURL) Check
SK Telecom’s system maps vulnerabilities by PURL. This is the most important item.
5 - SBOM Submission Process
Explains the submission channels for the prepared SBOM file, the email template, and the post-submission process.
1. When to Submit
- At initial delivery after concluding a software contract
- When a major or minor version of the software is updated
- When a regular submission schedule specified in the contract arrives
2. How to Submit
The SBOM file is submitted to SK Telecom’s business unit and security team representatives via email or a designated system.
Submission Method
- Deliver the SBOM file to the business unit and security team representatives via email or a channel designated by the representative.
- Email subject:
[SBOM Submission] SupplierName_ProjectName_Version - Attachment: The generated SBOM file (password-protected archive files are not allowed)
Required information in the body:
- Delivery contract number
- Representative information (name, department, contact)
- Project information (system name, detailed version)
- Tool used (e.g., SKT SBOM Generator v1.0)
TOSCA Registration Obligation of the Business Unit Representative
The SK Telecom business unit representative who receives an SBOM from a supplier must register that SBOM in TOSCA, the internal open source and SBOM management system.
TOSCA (SK Telecom Open Source & SBOM Management System)
https://tosca.sktelecom.com
3. Post-Submission Validation and Actions
After being registered in TOSCA, the submitted SBOM is validated according to the procedure below.
| Stage | Description | Processing Deadline |
|---|
| Format validation | Check for missing required fields. Notify of rejection if not met | Within 3 days of receipt |
| Security vulnerability analysis | Automatically analyze whether Critical/High severity vulnerabilities are detected | - |
| Action request | Request a patch plan or a written justification when serious vulnerabilities are found | Critical: 7 days / High: 30 days |
The validation results and action requests are communicated to the supplier and the security team representative through the business unit representative.