SBOM: what is it and what is it for?
September 30, 2025·169 views

A Software Bill of Materials is a file in JSON or XML format that contains an inventory of all components (packages, libraries) used in the application being developed or required for it to run.

For each component, the SBOM specifies the package author, purl (Package URL), license, library hash, CPE (Common Platform Enumeration) and other attributes. The common formats are CycloneDX, SPDX (Software Package Data Exchange) and SWID (Software Identification) tags. The algorithm is attached to the post.

SBOM allows you to solve two related problems:

- Inventory all components used in the product (source code, artifact, operating system)

- Automate their security analysis using SCA (Software Composition Analysis) tools

Security policies may include checking these components for vulnerabilities and license compliance, as well as by publication date, author name and other attributes.

An SBOM consists of:

- Metadata of the SBOM file itself: specification, unique number, timestamp

- List of components

- Description of the SBOM source (externalReferences block)

- Description of the links between components (dependencies block): contains the name of the package from the source code and its dependencies, that is, the packages it needs in order to work. Using the dependencies data and the library names, you can build a dependency graph, including transitive dependencies.

What it looks like: SPDX and CycloneDX

SPDX (JSON):

```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-project-1.0.0",
  "documentNamespace": "http://spdx.org/spdxdocs/example-project-1.0.0-abc123",
  "creationInfo": {
    "created": "2025-06-24T10:00:00Z",
    "creators": [
      "Tool: spdx-sbom-generator-0.0.1",
      "Organization: ExampleOrg"
    ],
    "licenseListVersion": "3.23"
  },
  "packages": [
    {
      "name": "lodash",
      "SPDXID": "SPDXRef-Package-Lodash",
      "versionInfo": "4.17.21",
      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "supplier": "Organization: Lodash Team",
      "originator": "Person: John-David Dalton",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/lodash@4.17.21"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*"
        }
      ]
    }
    ...
  ]
}
```

CycloneDX (JSON):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2025-06-24T10:00:00Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "cyclonedx-cli",
        "version": "0.24.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "example-project",
      "version": "1.0.0",
      "purl": "pkg:npm/example-project@1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "e3b0c44298fc1c149afbf4c8996fb924..."
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
      ...
    }
  ]
}
```

In summary: an SBOM is needed to keep components under control and can serve as a check against dependency substitution or against a golden repository. This is what lets us control the environment and the builds themselves, which in turn gives us the basis to build Vulnerability Management.
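As an added example (not code from the post or from any SBOM tool), the check described above in Python: it walks the dependencies block of a CycloneDX document to collect transitive dependencies, then compares each component's purl and SHA-256 hash against a golden inventory. The SBOM document and the golden inventory are constructed here, modelled on the CycloneDX example above with a dependencies block added and placeholder digests.

```python
import json

# Constructed CycloneDX 1.6 document modelled on the post's example, with a
# "dependencies" block added so the transitive graph can be walked.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-project",
               "version": "1.0.0", "bom-ref": "pkg:npm/example-project@1.0.0"}},
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "bom-ref": "pkg:npm/lodash@4.17.21", "purl": "pkg:npm/lodash@4.17.21",
     "hashes": [{"alg": "SHA-256", "content": "aaaa1111"}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
     "hashes": [{"alg": "SHA-256", "content": "bbbb2222"}]}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-project@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
    {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/left-pad@1.3.0"]}
  ]
}"""

# Constructed golden inventory: purl -> expected SHA-256 (placeholder digests).
GOLDEN = {"pkg:npm/lodash@4.17.21": "aaaa1111", "pkg:npm/left-pad@1.3.0": "cafe9999"}

def load_sbom():
    return json.loads(SBOM_JSON)

def transitive_deps(sbom, root):
    """Return every bom-ref reachable from root via the dependencies block."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(edges.get(root, []))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return seen

def check_substitution(sbom, golden):
    """Flag components whose purl is unknown or whose SHA-256 differs from golden."""
    findings = []
    for c in sbom.get("components", []):
        sha = next((h["content"] for h in c.get("hashes", []) if h["alg"] == "SHA-256"), None)
        expected = golden.get(c.get("purl"))
        if expected is None:
            findings.append((c["purl"], "not in golden inventory"))
        elif sha != expected:
            findings.append((c["purl"], f"hash mismatch: {sha} != {expected}"))
    return findings

if __name__ == "__main__":
    doc = load_sbom()
    print(sorted(transitive_deps(doc, doc["metadata"]["component"]["bom-ref"])))
    print(check_substitution(doc, GOLDEN))
```

Run against a real SBOM, the golden inventory would come from a lockfile or the organisation's approved-package repository, and a finding means the artifact that was built is not the one that was reviewed.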

In further posts we will also look at how tools such as Cdxgen and Syft work.

#toolchain #sbom
