Glossary
Software Bill of Materials (SBOM)
What Is a Software Bill of Materials (SBOM)?
A Software Bill of Materials (SBOM) is a structured inventory of every component included in a piece of software — open-source libraries, proprietary modules, dependencies, and their versions and relationships — used to assess vulnerabilities, license obligations, and supply chain risk.
SBOMs have become a regulatory expectation. Executive Order 14028, the EU Cyber Resilience Act, and sector-specific guidance from agencies like the FDA all reference SBOMs as foundational evidence for software security. Standard formats include SPDX and CycloneDX.
The catch: not all SBOMs are equal. SBOMs generated from source code or vendor declarations operate at the application layer and often miss what was actually compiled into the final artifact.
Binary-derived SBOMs — generated directly from the shipped software — capture inherited and embedded components that source-derived SBOMs typically omit. They extend below the application layer to inventory kernels, RTOS, container layers, firmware, and other compiled artifacts, and they surface non-CVE risk — misconfigurations, hard-coded secrets, exposed keys, license issues — alongside the standard component inventory.
Related Terms
Binary-Derived SBOM · AI Bill of Materials · Cryptographic Bill of Materials · SPDX · CycloneDX · Vendor Self-Attestation


