The Software Bill of Materials (SBOM)
A Software Bill of Materials (SBOM) is a formal and query-able record containing the details and relationships of various open-source, third-party, or commercial components used in building software.
Minimum SBOM Content Requirements
As specified in The Minimum Elements For a Software Bill of Materials (SBOM) issued by the United States Department of Commerce, the SBOM should contain the following data elements at a minimum:
• Component name and version
• Other unique identifiers
• Dependency relationship
SBOM Formats
Standard SBOM formats are now available for communicating SBOM information to meet the government requirements.
• SPDX (Software Package Data Exchange) is an open standard for communicating Software Bill of Materials (SBOM) information
• CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis
• SWID (Software Identification Tagging) provides a transparent way for organizations to track the software installed on their managed devices
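The following is an added example, not code from the original page or from any SBOM project. It takes the minimum data elements listed above (component name and version, other unique identifiers, dependency relationships) and checks a CycloneDX JSON SBOM against them, which is what a consumer would do before trusting a supplier's SBOM for vulnerability matching. The sample SBOM embedded in the code is constructed for this example; the field names it relies on (bom-ref, purl, cpe, swid, hashes, dependencies/dependsOn) are standard CycloneDX JSON fields, and the function names are this example's own. The same checks map onto SPDX (package name, versionInfo, externalRefs, and relationships) with different key names.

```python
import json

# Constructed sample CycloneDX 1.4 SBOM (not from any real project).
# Deliberate defects: "lib-b" has no version and no unique identifier,
# and "lib-a" declares a dependency on a bom-ref that does not exist.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "application", "bom-ref": "app",
            "name": "example-app", "version": "1.0.0",
            "purl": "pkg:generic/example-app@1.0.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a",
         "version": "2.3.1", "purl": "pkg:npm/lib-a@2.3.1"},
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-missing"]},
    ],
})

# Any one of these CycloneDX fields satisfies "other unique identifiers".
IDENTIFIER_FIELDS = ("purl", "cpe", "swid", "hashes")


def check_minimum_elements(sbom_json):
    """Return a list of (bom_ref, problem) tuples, one per violation of the
    minimum SBOM elements. An empty list means the SBOM passes."""
    bom = json.loads(sbom_json)
    findings = []

    # The primary component in metadata is part of the inventory too.
    components = list(bom.get("components", []))
    primary = bom.get("metadata", {}).get("component")
    if primary:
        components.append(primary)

    known_refs = set()
    for comp in components:
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        known_refs.add(ref)
        if not comp.get("name"):
            findings.append((ref, "missing component name"))
        if not comp.get("version"):
            findings.append((ref, "missing component version"))
        if not any(comp.get(field) for field in IDENTIFIER_FIELDS):
            findings.append((ref, "no unique identifier (purl/cpe/swid/hashes)"))

    # Dependency relationships must be present and must resolve to
    # components actually inventoried in this SBOM.
    deps = bom.get("dependencies")
    if not deps:
        findings.append(("<bom>", "no dependency relationships recorded"))
        return findings
    for entry in deps:
        source = entry.get("ref")
        if source not in known_refs:
            findings.append((source, "dependency ref does not match any component"))
        for target in entry.get("dependsOn", []):
            if target not in known_refs:
                findings.append((source, f"depends on unknown ref {target}"))
    return findings


def is_compliant(sbom_json):
    """True when the SBOM carries every minimum element for every component."""
    return not check_minimum_elements(sbom_json)


if __name__ == "__main__":
    for ref, problem in check_minimum_elements(SAMPLE_CYCLONEDX):
        print(f"{ref}: {problem}")
```

Running it against the constructed sample reports three findings: two for "lib-b" (no version, no identifier) and one for "lib-a" (dangling dependency). A component without a version or a purl/CPE cannot be matched against vulnerability databases, and a dangling dependency edge means the transitive inventory is incomplete, which is exactly what the minimum elements are meant to prevent.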