SBOM Submission Requirements
Defines in detail the standard SBOM format, required information, and PURL identifier rules under SK Telecom policy.
Supplier SBOM Submission Guide
An SBOM generation and submission guide for partner companies that supply software to SK Telecom.
To strengthen the transparency and security of its software supply chain, SK Telecom asks suppliers to submit an SBOM (Software Bill of Materials) for all software components and dependencies they deliver. This guide explains how suppliers can generate and submit an SBOM in a format that meets SK Telecom’s security policy.
Scope of Application
All suppliers (including developers and resellers) that deliver the following types of software are subject to these guidelines.
- Source code: Applications written in Java, Python, JavaScript, Go, C/C++, etc.
- Container images: Docker images or OCI-compliant containers
- Executables: Compiled binaries (.jar, .dll, .so) and libraries
- Embedded systems: Firmware images, RootFS, device drivers
- Servers: A system combining an OS (rootfs and installed packages) with an application and statically linked libraries
SBOM Submission Process
We ask suppliers to follow the procedure below, from the time of contract through final delivery.
flowchart TD
A[Contract Review] --> B["Software Development/Build"]
B --> C{Generate SBOM}
C -->|Use SKT-provided tool| D[Use BomLens]
C -->|Use your own tool| E["Use open source tools<br>(cdxgen, Syft, etc.)"]
D --> F["Data Validation (PURL Check)"]
E --> F
F --> G["Submit SBOM (Email/Portal)"]
G --> H[SKT Security Review]
H -->|Approved| I[Delivery Complete]
H -->|Rejected| J[Remediate and Resubmit]
J --> FGuide Structure
This section is organized as follows.
- Submission Requirements: Defines the required formats (CycloneDX, SPDX) and data fields that SK Telecom requires.
- BomLens: Explains how to use SK Telecom’s SBOM generation tool.
- Using Open Source Tools: Explains how to generate an SBOM using general-purpose open source tools (cdxgen, Syft, etc.).
- Server SBOM: Explains how to generate the OS, application, and static-link layers separately and merge them into one.
- Validation Checklist: Provides a checklist of essential items to verify before submission.
- Submission Process: Explains the naming conventions and submission channels for the generated SBOM file.
Related Documents
- SK Telecom Supply Chain Security Policy: Background and principles of the mandatory SBOM submission policy
- Global Regulatory Trends: Domestic and international regulatory landscape related to SBOM
BomLens
Explains how to generate an SBOM that meets SK Telecom policy using BomLens.
Generating an SBOM with Open Source Tools
Explains how to generate an SBOM for each environment using general-purpose open source tools.
Generating a Server (OS + Application) SBOM
How to build the SBOM for a delivered server — scan the OS and the application as two layers, cover statically linked libraries separately as a blind spot, then merge them into one BOM for submission.
Pre-Submission SBOM Validation Checklist
Check the essential items before submitting an SBOM to prevent rejection.
SBOM Submission Process
Explains the submission channels for the prepared SBOM file, the email template, and the post-submission process.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.