Software bill of materials



A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact. Software vendors often create products by assembling
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
commercial software Commercial software, or seldom payware, is a computer software that is produced for sale or that serves commercial purposes. Commercial software can be proprietary software or free and open-source software. Background and challenge While soft ...
components. A ''software bill of materials'' (SBOM) declares the inventory of components used to build a software artifact such as a software application. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause
allergies Allergies, also known as allergic diseases, refer a number of conditions caused by the hypersensitivity of the immune system to typically harmless substances in the environment. These diseases include hay fever, food allergies, atopic derma ...
, SBOMs can help organizations or persons avoid consumption of software that could harm them. The concept of a BOM is well-established in traditional manufacturing as part of
supply chain management In commerce, supply chain management (SCM) is the management of the flow of goods and services including all processes that transform raw materials into final products between businesses and locations. This can include the movement and sto ...
. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.


An SBOM is useful both to the builder (manufacturer) and the buyer (customer) of a software product. Builders often leverage available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform
vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
or license analysis, both of which can be used to evaluate risk in a product. While many companies just use a
Microsoft Excel Microsoft Excel is a spreadsheet developed by Microsoft for Microsoft Windows, Windows, macOS, Android (operating system), Android and iOS. It features calculation or computation capabilities, graphing tools, pivot tables, and a macro (comp ...
document for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. SBOMs gain greater value when collectively stored in a repository that can be a part of other automation systems, easily queried by other applications. This need for automated SBOM processing is addressed by the Software Package Data Exchange (SPDX) open standard. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.


The Cyber Supply Chain Management and Transparency Act of 2014 was US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase. It also would have required obtaining SBOMs for "any software, firmware, or product in use by the United States Government". Though it ultimately didn't pass, this act did bring awareness to government and spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017." The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021 ordered
NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sc ...
to issue guidance within 90 days to "include standards, procedures, or criteria regarding" several topics in order to "enhance the security of the software supply chain," including "providing a purchaser a Software Bill of Materials (SBOM) for each product." Also mandated within 60 days was for
NTIA The National Telecommunications and Information Administration (NTIA) is an agency of the United States Department of Commerce that serves as the President's principal adviser on telecommunications policies pertaining to the United States' e ...
to "publish minimum elements for an SBOM." The NTIA minimum elements were published on July 12, 2021, and also "describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution." The minimum elements consist of three broad categories: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs). The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of software composition analysis (SCA) solutions.

See also

* Software Package Data Exchange * Software toolchain * Supply chain attack * Code signing * Manifest file * Dependency hell


{{Reflist Supply chain management Software project management Software development process