SBOM Concept and Necessity
Explains the definition of an SBOM as a software bill of materials and the three core purposes of adopting it (security, licensing, and management).
What Is an SBOM?
Guides developers and administrators through the full lifecycle of an SBOM, from its core concepts to generation, integration, and management.
Overview
This section is a practical SBOM (Software Bill of Materials) guide for members of the organization. Beyond simply complying with policy, it covers how to use SBOMs to improve the security of projects and the efficiency of dependency management.
Guide Structure
This guide is organized step by step, from the adoption of SBOMs to their operation.
- Concept and Necessity: Explains what an SBOM is and the fundamental reasons why we need it now.
- Standards Comparison (SPDX vs CycloneDX): Understand the differences between the industry-standard formats so you can choose the format that fits the nature of your project.
- Generating a Project SBOM: Guides you through the practical methods for extracting an SBOM directly from a project under development.
- CI/CD Integration: Covers how to automate SBOM generation in CI/CD pipelines such as Jenkins and GitHub Actions.
- SBOM Management: Introduces strategies for storing generated SBOMs in a central repository and managing them by version.
graph TD
A[Start Development] --> B[Add Dependencies]
B --> C{Build/Deploy}
C -->|Automation| D[Generate SBOM]
D --> E[Upload to Repository]
E --> F[Vulnerability Analysis]
F --> G[Security Remediation]SBOM Generation
For detailed SBOM generation methods and technical guidance, please refer to the following documents.
SBOM Standards
Compares the characteristics of SPDX and CycloneDX, the two leading SBOM standards, and presents criteria for choosing the one that fits your project.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.