SBOM Concept and Necessity

Mon, 01 Jan 0001 00:00:00 +0000

Definition of an SBOM

An SBOM (Software Bill of Materials) is a formalized specification that describes the list of all components, libraries, modules, and so on that make up a piece of software, along with the dependency relationships among them. It applies the manufacturing concept of a BOM (Bill of Materials), used to manage a product’s parts list, to software engineering.

graph TD
 A[Software Product] --> B[Direct Dependencies]
 B --> C[Library A v1.2.3]
 B --> D[Library B v2.0.1]
 B --> E[Library C v3.1.0]
 C --> F[Transitive Dependencies]
 F --> G[Library D v1.0.0]
 F --> H[Library E v2.5.0]
 D --> F

Key Components of an SBOM

Component Information

Includes basic information about each software component.

SBOM Standards

Mon, 01 Jan 0001 00:00:00 +0000

Major SBOM Standards

There are currently two major standard formats that split the market between them. Both formats are widely used, but they differ in their origins and primary focus areas.

SPDX: Software Package Data Exchange
CycloneDX: A security-focused SBOM standard led by OWASP

SPDX (Software Package Data Exchange)

Overview

SPDX is an open source project led by the Linux Foundation, developed to represent the license and copyright information of software packages in a standardized way. (ISO/IEC 5962:2021)

What Is an SBOM? on SK telecom Open Source