Skip to content

12.2 Software Bills of Materials (SBOMs)

On December 9, 2021, security teams around the world received the same urgent question from their executives: "Are we affected by Log4Shell?" The answer should have been simple. Instead, it triggered weeks of frantic searching.

In one large financial services environment, the response followed a familiar pattern: thousands of applications, each requiring manual inspection of dependency files, container manifests, and embedded JARs. Teams found Log4j in unexpected places—build tools, monitoring agents, vendor appliances. Weeks into the response, they were still discovering instances.

At another organization—a healthcare technology provider that had invested in software inventory practices—the story was different. Their security team queried their SBOM database early the morning of December 10th. Within an hour, they had a complete list of affected components across their application portfolio, prioritized by internet exposure. Remediation began before most competitors had finished their first conference call.

The difference between these two responses wasn't only sophistication or budget—it was having a continuously maintained, queryable view of software composition tied to real deployments. One organization could answer a basic question that software has somehow avoided for decades: what's actually in this thing?

The Missing Ingredient List

Every other industry with complex supply chains solved this problem long ago. Pharmaceutical companies track active ingredients, excipients, and their sources through rigorous bills of materials. Automotive manufacturers know every component in every vehicle down to individual bolts—a capability that enables targeted recalls rather than blanket replacements. Food producers list ingredients on every package, enabling consumers with allergies to make informed decisions.

Software remained the exception. A typical enterprise application contains hundreds of components from dozens of sources, yet until recently, no standardized way existed to enumerate them. The npm package you installed might depend on packages that depend on packages that depend on a library maintained by a single developer in Nebraska—and you'd have no systematic way to know.

This opacity served no one. When the Equifax breach occurred in 2017, the company didn't know it was running a vulnerable version of Apache Struts. When Heartbleed struck in 2014 (§5.5), organizations spent weeks determining which systems used affected OpenSSL versions. Each major vulnerability became a scavenger hunt, with defenders racing against attackers who faced no such discovery burden.

A Software Bill of Materials (SBOM) addresses this gap. An SBOM is a formal, machine-readable inventory of the components that comprise a piece of software—their names, versions, suppliers, and relationships to each other. Think of it as an ingredient list, but one designed for automated processing rather than human reading.

The concept is simple. With accurate SBOMs and good asset correlation, the Log4Shell question becomes a database query rather than a weeks-long investigation. Vulnerability management shifts from reactive scrambling to proactive monitoring. Procurement decisions gain visibility into what's actually being purchased. Incident response operates on facts rather than guesses.

Why Now? The Regulatory Reckoning

SBOMs existed as a concept for years before they mattered operationally. What changed?

The catalyst was a series of supply chain attacks that demonstrated the systemic risk of software opacity. SolarWinds showed that compromised build systems could distribute malicious code to thousands of organizations. Codecov revealed that CI/CD tools could be weaponized. Then Log4Shell made the consequences visceral—a vulnerability in a logging library most executives had never heard of suddenly threatened every organization on the planet.

Governments noticed. In May 2021, the Biden administration issued Executive Order 14028, "Improving the Nation's Cybersecurity," which mandated that software sold to the federal government must include SBOMs. Suddenly, SBOM capability wasn't a nice-to-have—it was a requirement for accessing the largest software market in the world. For comprehensive analysis of EO 14028 provisions, compliance timelines, and regulatory impact, see Book 3, Section 26.1.

The European Union followed with the Cyber Resilience Act, published in the Official Journal in November 2024 and entering into force in December 2024, with full application by December 2027. The CRA ties market access to lifecycle cybersecurity obligations—and explicitly pushes manufacturers toward documented component inventories (often delivered as SBOMs) to support vulnerability analysis and response. Non-compliance carries penalties up to €15 million or 2.5% of global turnover. For companies selling connected products in Europe—which includes most software vendors—SBOM-style component documentation became a market-access expectation.

Sector-specific requirements added pressure. The FDA now expects SBOMs in medical device premarket submissions, recognizing that hospital administrators need to know whether their MRI machines contain vulnerable components. Financial services regulators reference SBOM practices in examination guidance. Critical infrastructure sectors are developing their own requirements.

This regulatory convergence transformed SBOMs from a security team initiative into a business imperative. Organizations that can't produce SBOMs will lose market access. Those that can will differentiate themselves in procurement processes that increasingly weight software transparency.

The Format Landscape

When SBOM requirements emerged, two formats competed for dominance. Understanding their origins explains their strengths.

SPDX (Software Package Data Exchange) emerged from the Linux Foundation in 2010, born from software licensing concerns. Open source licenses impose obligations—copyleft requirements, attribution notices, patent grants—and compliance requires knowing what licenses apply to your software. SPDX developed as a way to communicate licensing information between organizations, enabling automated license compliance analysis.

Over time, SPDX expanded beyond licensing to become a general-purpose SBOM format. Its adoption by ISO as standard ISO/IEC 5962:2021 gives it formal international recognition. Organizations with strong legal or compliance drivers often gravitate toward SPDX, which handles licensing edge cases that security-focused formats may not address.

CycloneDX took a different path. Created by the OWASP community in 2017, CycloneDX emerged from application security concerns rather than licensing ones. Its design prioritizes security use cases: vulnerability correlation, dependency analysis, and integration with security tooling. CycloneDX achieved ECMA standardization as ECMA-424 in June 2024, with a second edition following in December 2025, and has become the format of choice for security-focused organizations.

The practical differences matter less than partisans suggest. Both formats can represent the same information. Both have extensive tooling support. Both satisfy regulatory requirements. The choice often comes down to organizational context: SPDX if legal and compliance teams are the primary stakeholders, CycloneDX if security teams drive the initiative.

A third format, SWID (Software Identification) Tags, exists primarily in enterprise IT asset management contexts. SWID predates the SBOM movement, emerging from software license management needs. It sees less adoption for supply chain security but may appear in organizations with established SWID infrastructure.

Most practitioners should pick either SPDX or CycloneDX and use it consistently. Format interoperability tools exist for cases where trading partners require specific formats. The industry is converging on these two standards; investing in either is safe.

Generating SBOMs: The Accuracy Problem

The theory of SBOM generation is straightforward: enumerate the components in your software and output a structured document. The practice is messier.

Build-time generation produces SBOMs during the software build process. Build system plugins—for Maven, Gradle, npm, pip, and other package managers—capture dependencies as they're resolved and emit SBOMs as build artifacts. This approach has a crucial advantage: it reflects exactly what went into the build, after dependency resolution has determined which versions of which packages will actually be included.

Build-time generation integrates naturally with software attestation frameworks like SLSA. A signed SBOM produced by a hardened build system provides strong evidence about software composition—evidence that can be verified by consumers and audited by regulators.

The limitation is access. You can only generate build-time SBOMs for software you build. For third-party software—vendor products, container base images, compiled binaries—build-time generation isn't available.

Analysis-time generation fills this gap. Tools like Syft, Trivy, and Grype scan existing software artifacts—source directories, container images, compiled binaries—and infer their composition. These tools identify components through file signatures, package manifests, and heuristic analysis, producing SBOMs without access to the original build process.

Analysis-time tools enable SBOM generation for software you don't build, which is most software in a typical enterprise. They're essential for assessing third-party risk. But they face inherent accuracy limitations. A scanner examining a compiled binary cannot know with certainty which source packages contributed to it. Version detection relies on file patterns that may be ambiguous. Obfuscated or packed binaries resist analysis.

The practical approach combines both methods: build-time generation for software you produce, analysis-time generation for software you consume, with the understanding that analysis-based SBOMs are estimates rather than ground truth.

The uncomfortable reality is that most SBOMs today are incomplete or inaccurate. Chainguard and others have highlighted that SBOMs generated by popular analysis tools often miss significant numbers of components, particularly for compiled languages and container images—coining the term "GuessBOMs" for these probabilistic inventories. Transitive dependencies—the dependencies of your dependencies—are frequently undercounted. Components copied directly into source trees rather than installed through package managers often escape detection entirely.

This accuracy gap matters. An SBOM that misses 20% of components provides 80% visibility—better than nothing, but potentially missing the one component that contains a critical vulnerability. Organizations should treat SBOMs as valuable but imperfect, combining them with other discovery methods and validating critical results.

A practical rule of thumb: if you can reproduce the build, generate at build-time; if you can't, scan—but treat the result as probabilistic.

Having an SBOM doesn't automatically mean you can answer "are we affected?" That question requires connecting several layers of information that many organizations lack.

First, you need an SBOM per build or release—not just one per product. Version 2.3.1 built on Monday may have different dependencies than 2.3.1 built on Tuesday if dependency ranges resolved differently. Each artifact needs its own SBOM.

Second, you need to map those SBOMs to deployed artifacts. Which container images are running in production? Which package versions are installed on which endpoints? This requires integration with runtime inventory systems: Kubernetes cluster state, endpoint management tools, CMDBs, or cloud asset inventories. Without this correlation, you know what could be running but not what is running.

Third, environment-specific variations complicate the picture. A Python package installed via pip on Alpine Linux (musl libc) may include different native dependencies than the same package on Ubuntu (glibc). Container base images vary. Feature flags change which code paths execute. The same SBOM entry may represent meaningfully different runtime exposure across environments.

Organizations that successfully operationalize SBOMs typically build a multi-layer correlation system: SBOM data indexed by artifact hash, artifact hashes mapped to deployed instances, and deployment context enriching vulnerability prioritization. Without these connections, you've traded one scavenger hunt (finding components) for another (finding deployments).

What Belongs in an SBOM

The National Telecommunications and Information Administration (NTIA) established minimum elements that every SBOM should contain:

  • Supplier name: Who provides the component (e.g., "Apache Software Foundation")
  • Component name: The name of the component (e.g., "log4j-core")
  • Version string: The version identifier (e.g., "2.17.1")
  • Unique identifier: An unambiguous reference, ideally a Package URL
  • Dependency relationships: How components relate to each other
  • SBOM author: Who created this SBOM document
  • Timestamp: When the SBOM was generated

These minimums are genuinely minimal. Practical SBOMs need more.

Package URLs (PURLs) provide standardized component identification that works across ecosystems. A PURL like pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 precisely identifies a component in a way that both humans and tools can parse. PURLs enable correlation across vulnerability databases, license databases, and component intelligence services. Without PURLs, matching SBOMs to vulnerability data requires fuzzy string matching that produces false positives and misses.

Cryptographic hashes (SHA-256 or stronger) verify that the component in your software matches the component described in the SBOM. Hashes catch tampering, substitution, and versioning errors. They're especially important when consuming SBOMs from vendors—you can verify that the software you received matches what the SBOM describes.

License identifiers using SPDX license expressions enable automated compliance analysis. Without license information, SBOMs support security use cases but not legal ones, halving their value.

Transitive dependencies—the full dependency tree, not just direct dependencies—are essential for security purposes. Log4j wasn't a direct dependency for most affected applications; it was pulled in transitively through other logging frameworks. An SBOM listing only direct dependencies would have missed most Log4Shell exposure.

The depth question sometimes generates debate. Full transitive dependencies produce larger SBOMs—thousands of entries for complex applications. Some argue for limiting depth for manageability. For security purposes, this is a mistake. Attackers don't care about dependency depth; vulnerabilities at any level in the tree are exploitable. The SBOM should reflect reality, and reality is deep.

Consuming SBOMs: From Vendors to Value

Generating SBOMs for your own software is half the challenge. The other half is getting useful SBOMs from your vendors—and actually using them.

Procurement is the leverage point. When acquiring software, include SBOM requirements in contracts—but recognize that requirements exist on a maturity spectrum:

Baseline (NTIA Minimums): Vendor provides SBOM in SPDX or CycloneDX format with each release, including at minimum the seven NTIA required elements: supplier name, component name, version, unique identifier, dependency relationships, author, and timestamp. This is the floor—better than nothing, but limited.

Recommended: SBOMs include all transitive dependencies, Package URLs for unambiguous identification, SHA-256 hashes for integrity verification, and SPDX license identifiers. Vendor commits to providing updated SBOMs within a defined timeframe (e.g., 48-72 hours) of component changes. SBOMs are digitally signed.

Aspirational: Vendor provides build attestations linking SBOMs to verified build processes (e.g., SLSA Level 2+). VEX documents accompany SBOMs for known vulnerabilities. Continuous delivery hooks enable automated SBOM retrieval for new releases. Vendor participates in coordinated vulnerability disclosure with proactive customer notification.

Start with baseline requirements and negotiate upward based on vendor maturity and software criticality. Vendors who cannot meet even baseline requirements likely don't know what's in their own software—that's a risk factor independent of any specific vulnerability. Track vendor SBOM capability as part of overall vendor risk assessment.

Validation matters. An SBOM from a vendor is only as useful as its accuracy. Before trusting a received SBOM:

  1. Validate the format: Does it conform to SPDX or CycloneDX schemas? Malformed SBOMs suggest careless generation.
  2. Check completeness: Are the minimum elements present? Are there Package URLs and hashes?
  3. Verify the signature: Did this SBOM actually come from the vendor?
  4. Test against the software: Can you correlate the SBOM to the actual artifact? Do file hashes match?
  5. Assess plausibility: Does a 10-component SBOM for complex enterprise software seem right?

Validation tools exist—pyspdxtools for SPDX, cyclonedx-cli for CycloneDX, sbom-scorecard for quality assessment. Automate validation as part of your software intake process.

Operationalizing received SBOMs requires infrastructure:

  • Storage: A queryable database of SBOMs indexed by product, version, and component
  • Correlation: Integration with vulnerability feeds to continuously match SBOMs against new CVEs
  • Alerting: Notifications when vulnerabilities affect components in your SBOM inventory
  • Reporting: Dashboards showing exposure across your software portfolio

Building this infrastructure is an investment, but the alternative is repeating the Log4Shell scramble for every major vulnerability. Organizations that operationalize SBOM data can respond systematically. Those that treat SBOMs as compliance artifacts will file them in SharePoint and scramble anyway.

VEX: The Missing Context

SBOMs answer what's in this software? They don't answer does it matter?

Consider: your SBOM shows you're running a library with a known vulnerability. Should you panic? Maybe. But the vulnerability might be in a function you don't call. The vulnerable code path might require configurations you don't use. The exposure might be mitigated by other controls in your environment.

Vulnerability Exploitability eXchange (VEX) documents provide this context. A VEX statement from a software producer indicates whether a specific vulnerability actually affects their product and, if so, what the status is—affected, not affected, fixed, or under investigation.

VEX transforms vulnerability management from noise to signal. Without VEX, every CVE affecting any component in your SBOM is a potential emergency requiring investigation. With VEX, you can prioritize based on producer attestations about actual exploitability.

VEX trustworthiness varies. The most credible VEX statements are traceable to build attestations or test evidence—the producer can demonstrate they actually tested for exploitability rather than simply asserting it. VEX can also be abused: a vendor might issue "not affected" statements to reduce support burden without rigorous analysis. Treat VEX from vendors with mature security practices differently than VEX from vendors who just started producing it.

VEX is still maturing. Many vendors don't produce VEX statements. Those who do may not cover every vulnerability. But VEX capability is growing, and organizations should request VEX along with SBOMs from their vendors. The combination—SBOM for composition, VEX for context—enables vulnerability management at scale.

The SBOM Lifecycle

SBOMs are not static documents. Like the software they describe, they have lifecycles.

Creation should occur during the build process, producing an SBOM that reflects exactly what was built. The SBOM should be signed for authenticity and versioned to match the software release. An SBOM for version 2.0.0 must describe version 2.0.0—not 1.9.0 with some updates, not 2.0.1-rc. Version correlation must be precise, or the SBOM's value evaporates.

Maintenance means updating SBOMs when software changes. Any component update—whether for features, security, or dependencies—requires a new SBOM. Continuous integration pipelines should produce SBOMs automatically for every build, creating an audit trail of software composition over time.

Consumption involves the ongoing use of SBOM data: vulnerability correlation, license analysis, component intelligence, incident response. SBOMs sitting in a repository provide no value; SBOMs actively queried and analyzed provide continuous visibility.

Retirement occurs when software versions are deprecated. Old SBOMs should be archived for compliance and audit purposes—regulatory requirements often mandate years of retention—but removed from active vulnerability monitoring to reduce noise.

Organizations often stumble on maintenance. They generate an initial SBOM for a compliance audit, then fail to update it as the software evolves. Within months, the SBOM describes software that no longer exists. Stale SBOMs are worse than no SBOMs—they provide false confidence while missing actual exposure.

Where Organizations Go Wrong

Despite growing investment in SBOMs, many programs fail to deliver value. Common failure patterns include:

Treating SBOMs as compliance artifacts rather than operational tools. Organizations generate SBOMs to satisfy an audit checkbox, file them away, and never query them. When a vulnerability emerges, they're back to manual searching. The investment in generation was wasted.

Generating without consuming. SBOM generation tooling has matured faster than consumption infrastructure. Organizations can produce SBOMs easily but lack the databases, correlation engines, and workflows to use them. Generation is the easy part; operationalization is where value emerges.

Ignoring accuracy limitations. Trusting SBOM tools to produce complete, accurate inventories leads to false confidence. SBOMs should be validated, cross-referenced against other discovery methods, and treated as approximations requiring verification for critical decisions.

Expecting vendor compliance without enforcement. Contract language requiring SBOMs means nothing without consequences. Organizations should track vendor SBOM delivery, validate quality, and make compliance a factor in relationship reviews and renewals.

Focusing on format rather than content. Debates about SPDX versus CycloneDX distract from the harder question: is the SBOM accurate and complete? A perfect-format SBOM with missing components is less useful than an imperfect-format SBOM with comprehensive coverage.

Building SBOM Capability

For organizations starting their SBOM journey, a pragmatic progression:

Start with your own software. Before demanding SBOMs from vendors, produce them for your own products. This builds organizational understanding of what SBOMs are, how they're generated, and what challenges arise. You'll be better equipped to evaluate vendor SBOMs and write meaningful requirements.

Integrate with CI/CD. SBOM generation should be automatic, not manual. Every build should produce an SBOM without developer intervention. Tools like Syft, the CycloneDX CLI, and ecosystem-specific plugins make this straightforward for most build systems.

Build consumption infrastructure. Start simple—a database where SBOMs are stored and can be queried. Add vulnerability correlation using tools like Grype or dependency-track. Build alerting for new vulnerabilities affecting your component inventory. Evolve toward dashboards and analytics.

Require SBOMs from critical vendors. Prioritize vendors whose software runs in sensitive environments or handles critical data. Include SBOM requirements in contracts. Validate what you receive. Make SBOM capability a factor in procurement decisions.

Prepare for regulation. If you sell to government or regulated industries, SBOM capability isn't optional. If you sell products with digital elements in the EU, the Cyber Resilience Act applies. Build capability now rather than scrambling when deadlines approach.

The Road Ahead

SBOMs represent a shift in how we think about software—from opaque binaries to transparent compositions. The transition is incomplete. Tooling is maturing but imperfect. Standards are stabilizing but still evolving. Organizational practices range from sophisticated to nonexistent.

Regulatory pressure will continue increasing. Procurement requirements will spread from government to commercial sectors. Vulnerability response expectations will assume SBOM capability. Organizations without mature SBOM practices will find themselves at competitive and operational disadvantage.

Log4Shell crystallized a truth the industry had avoided: we cannot secure software we cannot see into. SBOMs—combined with deployment correlation and operational workflows—provide that visibility. Organizations that build this capability now will answer the next critical vulnerability question faster. Those that don't will repeat the same scavenger hunt, hoping they find everything before attackers find them.