Software bill of materials (SBOM)
A Software Bill of Materials is a machine-readable inventory of every component, library and dependency in a software artefact, typically in SPDX or CycloneDX format. Each entry carries at least a name and version and, in practice, a unique identifier such as a package URL (purl) or a hash, so that it can be matched against vulnerability data. SBOMs let downstream consumers and security teams answer 'is component X with vulnerability Y present in our build?' from the inventory rather than by reverse-engineering the binary.
SBOM adoption accelerated after the SolarWinds and log4j (Log4Shell) incidents, both of which were dramatically harder to triage because affected parties had no inventory of what they were running. US Executive Order 14028 (2021) directs federal agencies to require SBOMs from their software vendors; the EU Cyber Resilience Act (2024) requires manufacturers of products with digital elements sold on the EU market to produce one as part of the product's technical documentation, with the main obligations applying from December 2027. Generation tooling: Syft, Trivy, Snyk, GitHub's built-in SBOM export. Consumption tooling: scanners such as Grype and OSV-Scanner that cross-reference an SBOM against vulnerability databases (OSV, NVD). Two caveats matter in practice. An SBOM is only as complete as its generation step: one derived from manifests or lockfiles will not list code that was vendored or copied in by hand, and one recovered by scanning a compiled artefact will not list anything it cannot fingerprint. And a match only shows that a vulnerable component is present, not that the vulnerable code is reachable; a VEX (Vulnerability Exploitability eXchange) statement is how a vendor records whether a listed CVE actually affects the product. The discipline is becoming table stakes for B2B vendors; consumers increasingly require it in procurement.
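As an added example (not code from this page or from any of the tools named above), the following Python script performs the 'is component X with vulnerability Y present?' query: it parses a CycloneDX SBOM constructed inline and joins it against a constructed OSV-style advisory list on (ecosystem, package name, version). The advisory id and affected range for log4j-core are the real Log4Shell data; the component list, the other versions and the simplified version comparator are assumptions made for illustration.

```python
"""Answer "is component X with vulnerability Y present?" from a CycloneDX SBOM.

Added example, not code from the page or from any SBOM tool. The SBOM and the
OSV-style advisory list are constructed inline; only the Log4Shell id and range
are real data, the components and versions are made up for illustration.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM: three Maven libraries, one at a vulnerable log4j-core version.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}
'''

# Constructed advisory feed in OSV's shape (id / affected / ranges / events). The range is the
# well-known Log4Shell one: log4j-core from 2.0-beta9 up to, but not including, 2.15.0.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "affected": [{
            "package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.15.0"}]}],
        }],
    },
]

# pkg:<type>/[<namespace>/]<name>@<version>; purl qualifiers (?...) and subpaths (#...) are ignored.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@/]+)@(?P<version>[^?#]+)")
ECOSYSTEM_BY_PURL_TYPE = {"maven": "Maven", "npm": "npm", "pypi": "PyPI", "golang": "Go"}

def parse_purl(purl):
    """Split a package URL into (OSV ecosystem, OSV package name, version).
    OSV names Maven packages 'group:artifact'; other ecosystems use the bare name. Scoped npm
    packages and Go module paths are not handled by this simplified parser."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    ptype, ns, name, version = m.group("type", "ns", "name", "version")
    osv_name = f"{ns}:{name}" if ptype == "maven" and ns else name
    return ECOSYSTEM_BY_PURL_TYPE.get(ptype, ptype), osv_name, version

def version_key(v):
    """Sort key for dotted versions with an optional '-prerelease' suffix (simplified; not a full
    Maven or semver comparator). Orders 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0."""
    head, _, pre = v.partition("-")
    release = tuple(int(p) if p.isdigit() else 0 for p in head.split("."))
    release += (0,) * (4 - len(release))            # so that 2.0 compares equal to 2.0.0
    return release, ((0, pre) if pre else (1, ""))  # a release sorts after its pre-releases

def in_range(version, events):
    """OSV ECOSYSTEM range semantics: walk the ordered events; the version is affected once it is
    >= an 'introduced' value and stops being affected once it is >= the following 'fixed'."""
    key = version_key(version)
    affected = False
    for ev in events:
        if "introduced" in ev and key >= version_key(ev["introduced"]):
            affected = True
        elif "fixed" in ev and key >= version_key(ev["fixed"]):
            affected = False
    return affected

def find_vulnerable(sbom_json, advisories):
    """Return [(purl, advisory id), ...] for each component whose version lies in an affected range."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue  # no reliable key to match on; such entries need manual review
        ecosystem, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["ecosystem"] != ecosystem or aff["package"]["name"] != name:
                    continue
                if any(r["type"] == "ECOSYSTEM" and in_range(version, r["events"])
                       for r in aff.get("ranges", [])):
                    hits.append((comp["purl"], adv["id"]))
    return hits

if __name__ == "__main__":
    for purl, vuln_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{vuln_id}: {purl}")
```

Running it reports CVE-2021-44228 against the log4j-core purl and nothing for the other two components. Real SBOMs carry many more fields and real advisory feeds use several range types and ecosystem-specific version schemes, but the core of every SBOM scanner is this join on (ecosystem, name, version), which is why components that lack a purl or carry an inaccurate version are the usual source of both missed and false findings.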
Related terms
- Shift-left security
Shift-left security moves security activities — threat modelling, static analysis, dependency scanning, secret detection — earlier in the development lifecycle, ideally into the developer's IDE and PR workflow.
- Dependency pinning
Dependency pinning fixes the exact version of every dependency, direct and transitive, so that every build resolves the same dependency set regardless of when or where it runs. A version number alone only pins what the registry serves under that tag; pinning to a content hash as well (which lockfiles do) also detects an artefact whose bytes differ from what was originally resolved.
- Lockfile
A lockfile records the exact resolved version of every package in a dependency tree, direct and transitive, together with where it was fetched from and, in most formats, an integrity hash of the artefact, so that any subsequent install reproduces the same versions and can detect a substituted artefact.
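The pinning and lockfile entries above describe the mechanism abstractly. The following Python script, added here as an example and not taken from the page or from npm, shows what a lockfile's integrity hash buys over a pinned version number alone: two artefacts carry the same version but different bytes, and only the hash comparison tells them apart. The package-lock.json content (npm's v3 layout), the package names, the URLs and the tarball bytes are all constructed, with a dict standing in for the registry, so it runs offline.

```python
"""Check a lockfile's recorded integrity hashes against the artefacts actually fetched.

Added example, not code from the page or from npm. The package-lock.json (v3 layout), the
package names and URLs, and the tarball bytes are constructed; a dict stands in for the
registry so the script runs offline.
"""
import base64
import hashlib
import hmac
import json

# Constructed tarball contents. pkg-beta was 'republished' after the lockfile was written.
PKG_ALPHA_TGZ = b"pkg-alpha-1.3.0.tgz: bytes as originally published"
PKG_BETA_ORIGINAL_TGZ = b"pkg-beta-3.0.1.tgz: bytes as originally published"
PKG_BETA_REPUBLISHED_TGZ = b"pkg-beta-3.0.1.tgz: same version tag, different bytes"

def sri_hash(data, algorithm="sha512"):
    """Subresource Integrity string in the form npm records it: '<algorithm>-<base64 digest>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

# Constructed lockfile: the integrity values are those recorded at the original install, so
# pkg-beta's hash is of the original bytes, not the republished ones the registry serves now.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"pkg-alpha": "1.3.0", "pkg-beta": "3.0.1"}},
        "node_modules/pkg-alpha": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/pkg-alpha/-/pkg-alpha-1.3.0.tgz",
            "integrity": sri_hash(PKG_ALPHA_TGZ),
        },
        "node_modules/pkg-beta": {
            "version": "3.0.1",
            "resolved": "https://registry.npmjs.org/pkg-beta/-/pkg-beta-3.0.1.tgz",
            "integrity": sri_hash(PKG_BETA_ORIGINAL_TGZ),
        },
    },
})

# Mock registry: what fetching each 'resolved' URL returns today.
REGISTRY = {
    "https://registry.npmjs.org/pkg-alpha/-/pkg-alpha-1.3.0.tgz": PKG_ALPHA_TGZ,
    "https://registry.npmjs.org/pkg-beta/-/pkg-beta-3.0.1.tgz": PKG_BETA_REPUBLISHED_TGZ,
}

def verify_lockfile(lockfile_json, fetch):
    """Re-hash every resolved artefact and compare it with the lockfile's 'integrity' field.

    Returns {package path: True (match) | False (mismatch) | None (no hash recorded)}.
    The version string is identical for both pkg-beta tarballs; only the hash differs.
    """
    lock = json.loads(lockfile_json)
    results = {}
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project entry describes no fetched artefact
        if "integrity" not in entry:
            results[path] = None  # nothing to verify against: worth flagging in review
            continue
        algorithm = entry["integrity"].split("-", 1)[0]
        actual = sri_hash(fetch(entry["resolved"]), algorithm)
        results[path] = hmac.compare_digest(actual, entry["integrity"])
    return results

if __name__ == "__main__":
    for path, ok in verify_lockfile(LOCKFILE, REGISTRY.__getitem__).items():
        status = {True: "OK      ", False: "MISMATCH", None: "NO HASH "}[ok]
        print(f"{status} {path}")
```

npm, yarn and pnpm perform this comparison themselves on install; the point of the example is that the check is on the bytes, not the version. That is why a lockfile committed to the repository, installed with a command that refuses to rewrite it (such as npm ci), protects against a substituted artefact where a version pin alone does not, and why a lockfile entry with no integrity field deserves the same attention as a missing pin.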