What Is an SBOM? A Complete Guide to the Software Bill of Materials
What a software bill of materials is, what goes in one, how to generate it, SPDX vs CycloneDX, and the regulations that now require it.
- An SBOM is a machine-readable list of every component inside a piece of software — like a nutrition label for code.
- When a new vulnerability or supply-chain attack lands, an SBOM is what lets you answer 'are we affected?' in minutes instead of weeks.
- Two formats dominate: SPDX (ISO-standardized, license-focused) and CycloneDX (OWASP, security-focused). Most tools export both.
- Open-source tools like Syft and cdxgen generate an SBOM in seconds; the hard part is acting on what's inside it.
- SBOMs are now mandated by US, EU, and Indian regulators — the EU CRA, India's SEBI CSCRF, and CERT-In all require them.
In March 2026, one of the most popular open-source security scanners in the world — Trivy — was itself turned into a supply-chain weapon. Attackers poisoned its release tags and shipped a malware-laced binary through every official channel. Teams that ran it in CI/CD had credential-stealing code injected into their pipelines by the very tool meant to keep them safe.
That is the question an SBOM exists to answer. When the next compromised package, vulnerable library, or poisoned dependency makes the news, can you tell — fast — whether it's running in your software? A software bill of materials is a complete, machine-readable list of every component inside an app. Think of it as a nutrition label for code. Open the box and you can see exactly what's inside, where it came from, and what it depends on.
What is an SBOM, exactly?
An SBOM (software bill of materials) is a structured inventory of every component that makes up a piece of software. That means the open-source libraries, the third-party packages, the transitive dependencies you never chose directly, and the links between them. Modern apps are mostly assembled, not written. A typical service is 80–90% open-source code by volume. An SBOM is the document that tells you what that 80–90% actually is.
The key word is machine-readable. A README listing your dependencies is not an SBOM. An SBOM is a standardized file — JSON or XML — that a tool can parse, diff, query, and cross-reference against vulnerability databases automatically. That is what makes it useful at the scale and speed real incidents demand.
An SBOM doesn't make your software more secure on its own. It makes your software knowable — and you can't secure, patch, or prove anything about code you can't see.
What goes inside an SBOM?
In 2021 the US NTIA published the de facto baseline — the seven minimum data fields every SBOM should carry. It's still the cleanest way to understand what one contains:
- Supplier name — who produced the component.
- Component name — what the unit of software is called.
- Version — which release of it you're using (this is what most vulnerabilities key off).
- Other unique identifiers — machine IDs like a PURL, CPE, or SWID tag, so tools can match the component against vulnerability databases.
- Dependency relationship — what depends on what, including the transitive chain you didn't pick directly.
- Author of the SBOM — who or what generated the document.
- Timestamp — when it was created, in UTC.
That baseline is now being raised. In August 2025, CISA published a draft update — the 2025 Minimum Elements — that adds fields the 2021 list lacked: a component hash (so you can verify integrity, not just trust a name), license, the name of the tool that generated the SBOM, and the generation context. As of this writing the 2025 elements are a draft; the public comment period closed on 3 October 2025. The direction of travel is clear: SBOMs are expected to carry more, and to be trustworthy enough to act on without a second look.
A hash is the quiet upgrade in the 2025 draft. A name and version can be spoofed; a cryptographic hash of the actual artifact can't. It's how an SBOM moves from 'this claims to be lodash 4.17.21' to 'this is provably that exact file.'
Why SBOMs suddenly matter
SBOMs aren't new as an idea — manufacturing has used bills of materials for decades. What changed is that software supply chains became the soft underbelly of security. Three forces pushed SBOMs from nice-to-have to non-negotiable.
1. A single bug can hit everyone at once
When Log4Shell broke in December 2021, the most expensive part for most companies wasn't the patch — it was the days spent just figuring out where Log4j was running. Teams with an SBOM answered that in an afternoon. Teams without one grep-ed their estate by hand for weeks. The vulnerability was the same; the SBOM decided how long you bled.
2. The tools themselves get attacked
The Trivy compromise wasn't an outlier. SolarWinds, the xz-utils backdoor, npm and PyPI package takeovers — attackers have learned that compromising one upstream component is a force multiplier across thousands of downstream victims. An SBOM is how you keep a current map of that upstream territory instead of rediscovering it under fire.
3. Regulators now require it
What used to be a security-team aspiration is becoming a legal obligation across the US, EU, and India. We'll get to the specifics below — but the short version is that if you sell software into any of those markets, an SBOM is moving onto your compliance checklist whether you've adopted one or not.
“The vulnerability is the same for everyone. The SBOM decides whether you find out in an afternoon or a fortnight.”
SPDX vs CycloneDX: the two formats you'll actually meet
You don't need to invent an SBOM format — two open standards already own the space, and most tools speak both. They were built by different communities with different priorities, and that shows in what they're good at.
| SPDX | CycloneDX | |
|---|---|---|
| Steward | Linux Foundation | OWASP |
| Standardization | ISO/IEC 5962:2021 | ECMA-424 |
| Original focus | License compliance, provenance | Security, vulnerability tracking |
| Data model | Element + relationship (linked-data in 3.0) | Compact, component-centric |
| Strongest for | Procurement, audit, legal review | Vuln workflows, CI/CD, container scanning |
| Extends to | Files, snippets, packages | VEX, CBOM, SaaSBOM, ML-BOM |
The honest takeaway: it's not a war you need to pick a side in. Choose CycloneDX if your driver is security automation and vulnerability response. Choose SPDX if it's licensing, procurement, or formal audit trails. Better still, generate both. Most modern tools do it from a single scan, and different teams will ask for different ones — your security team and a customer's legal team rarely want the same file.
Picking a format matters far less than picking one and generating it consistently in every build. An SBOM you produce on every release beats a 'perfect' one you generate by hand once a quarter.
How to generate an SBOM: a practical walkthrough
Here's the part that surprises people: producing an SBOM is the easy bit. A handful of mature, free tools will do it in seconds. The work is in where you generate it and what you do with the result.
The tools
| Tool | Steward | Scans | Notes |
|---|---|---|---|
| Syft | Anchore | Source dirs, container images, archives | The versatile default; broad ecosystem coverage, exports SPDX + CycloneDX |
| cdxgen | OWASP / CycloneDX | Many languages, transitive deps | CycloneDX-first, deep dependency resolution |
| Microsoft SBOM Tool | Microsoft | Build outputs | SPDX-focused, geared to CI pipelines |
| Trivy | Aqua Security | Code, images, IaC | Capable, but pin to a known-safe version after the March 2026 compromise |
With Syft, generating a CycloneDX SBOM for a container image is a single command. That's genuinely all it takes to produce the file.
The steps that actually matter
- Generate at build time, not after. Bake SBOM generation into your CI/CD pipeline so every artifact ships with an SBOM that matches exactly what you released — not an approximation produced weeks later.
- Capture transitive dependencies. The library you imported is rarely where the risk lives; it's the thing that library imported. A good generator resolves the full tree, not just your direct dependencies.
- Store and version them. An SBOM is a point-in-time snapshot. Keep one per release so that when a vulnerability drops, you can check every version you have in production, not just the latest.
- Feed it into vulnerability and license scanning. The SBOM is the input; matching its components against known-vulnerability and license databases is where the value is realized.
- Prioritize by reachability. A raw SBOM-to-CVE match produces a flood of alerts — most for code that never actually runs. Reachability analysis cuts that noise to the vulnerabilities that are genuinely exploitable in your application.
Generating the SBOM is seconds of work. Studies of large codebases routinely find that the majority of flagged open-source vulnerabilities sit in code that is never reachable at runtime — which is why an SBOM without reachability buries the real risks under false ones.
The SBOM is the root of a whole family
Once you can inventory your software components, the same idea extends to everything else worth tracking. The SBOM is the trunk; the rest of the BOM family branches off it, mostly built on the same CycloneDX standard so they slot into the same tooling.
- CBOM (Cryptographic Bill of Materials) — every algorithm, key, and certificate, so you can plan the post-quantum migration that NIST's 2030/2035 deadlines now demand.
- AIBOM (AI Bill of Materials) — the models, datasets, and weights inside an AI system, increasingly required under the EU AI Act.
- HBOM (Hardware Bill of Materials) — physical components and firmware.
- SaaSBOM — the services, APIs, and data flows in a cloud application, for the parts of your stack that aren't a package you ship.
The lesson is that an SBOM program is rarely the finish line. Get good at inventorying components and the same discipline answers your cryptography, AI, and hardware questions next.
SBOM compliance: who's requiring one
This is the section that turns SBOMs from optional to scheduled. Three regulatory blocs now require them, and the deadlines are close enough to plan around.
United States
Executive Order 14028 (2021) set software supply-chain security in motion for anyone selling to the US federal government, with the SBOM as a core artifact. CISA's 2025 draft Minimum Elements is the next step — raising what an SBOM must contain so it's trustworthy enough to act on.
European Union
The EU Cyber Resilience Act is the big one. From 11 September 2026, manufacturers of connected products must report vulnerabilities and incidents — which is impossible to do well without knowing your components. The full SBOM obligation lands on 11 December 2027: a machine-readable SBOM covering at least the top-level dependencies of every product with digital elements, kept current and handed to market-surveillance authorities on request. In practice, you need SBOMs in place well before the 2026 reporting date, not the 2027 one.
India
India has moved faster and broader than most. CERT-In's Technical Guidelines (version 2.0, July 2025) cover not just SBOM but CBOM, QBOM, AIBOM, and HBOM, with a detailed mandatory-field baseline and a recommendation to use SPDX or CycloneDX. In the financial sector, SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) makes SBOMs mandatory for regulated entities — banks, NBFCs, mutual funds, and more — with compliance deadlines that landed through 2025. If you build or procure software for Indian finance, the SBOM requirement is already live.
| Jurisdiction | Driver | Key date |
|---|---|---|
| US | Executive Order 14028 + CISA Minimum Elements | EO 2021; 2025 elements in draft |
| EU | Cyber Resilience Act | Reporting Sept 2026; SBOM obligation Dec 2027 |
| India (all sectors) | CERT-In Technical Guidelines v2.0 | July 2025 |
| India (finance) | SEBI CSCRF | Phased through 2025 |
The bottom line
An SBOM is the foundation everything else in software supply chain security stands on. You can't patch, prove compliance, or answer 'are we affected?' for components you've never inventoried. The good news is that the standards are settled, the tools are free and fast, and you can generate your first SBOM today. The discipline is making it automatic — one per release, fed into reachability and vulnerability analysis, kept as the living record auditors and incident responders will both come asking for. Build the inventory first; everything useful comes after.