"A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application" (Wikipedia)
Inventory of libraries used in software artifact
Scan for vulnerabilities
Scan for license compliance
Linux Foundation’s Software Package Data Exchange (SPDX)
Anchore syft, Aqua Security trivy, docker-sbom, BuildKit >=0.11.0-rc1, Kubernetes bom, Microsoft sbom-tool
Anchore grype, Aqua Security trivy
docker-setup --tags=sbom plan
SBoM generation
SBoM scanning
Metadata
Components
Packages and files
Relationships (what is found where)
Metadata (source, distro, descriptor)
Artifacts and files
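The document structure listed above (metadata, packages, relationships) is what an SBOM scanner walks. As an added example, not code from this page or from any of the tools it names, here is a minimal Python scan of an SPDX 2.3 JSON document: it resolves "what is found where" through CONTAINS relationships and reports vulnerability and license findings. The SPDX document, the advisory feed and the license policy are all constructed sample data with placeholder identifiers.

```python
import json

# Constructed minimal SPDX 2.3 JSON document; sample data, not a real SBOM.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [
        {"SPDXID": "SPDXRef-img", "name": "example-image", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "1.1.1k",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-readline", "name": "readline", "versionInfo": "8.1",
         "licenseConcluded": "GPL-3.0-or-later"},
    ],
    # DESCRIBES names the root element; CONTAINS records what is found where.
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-img"},
        {"spdxElementId": "SPDXRef-img", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-openssl"},
        {"spdxElementId": "SPDXRef-img", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-readline"},
    ],
})

# Constructed advisory feed and license policy (placeholders, not real identifiers).
ADVISORIES = {("openssl", "1.1.1k"): "ADVISORY-PLACEHOLDER-1"}
DENIED_LICENSES = {"GPL-3.0-or-later"}

def location(spdx_id, packages, contained_in):
    """Follow CONTAINS edges upward to a path such as 'example-image > openssl'."""
    chain = []
    while spdx_id in packages:
        chain.append(packages[spdx_id]["name"])
        spdx_id = contained_in.get(spdx_id)
    return " > ".join(reversed(chain))

def scan(sbom_json):
    """Return vuln/license findings with their location; exact-version match only."""
    doc = json.loads(sbom_json)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    contained_in = {r["relatedSpdxElement"]: r["spdxElementId"]
                    for r in doc.get("relationships", [])
                    if r["relationshipType"] == "CONTAINS"}
    findings = []
    for pkg in packages.values():
        where = location(pkg["SPDXID"], packages, contained_in)
        adv = ADVISORIES.get((pkg["name"], pkg.get("versionInfo")))
        if adv:
            findings.append({"type": "vuln", "id": adv, "where": where})
        if pkg.get("licenseConcluded") in DENIED_LICENSES:
            findings.append({"type": "license", "id": pkg["licenseConcluded"], "where": where})
    return findings
```

Real scanners such as grype and trivy match on package URLs and affected version ranges rather than exact versions; the containment walk is the same idea they use to report where a finding lives.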
No standard available yet
Download from website
Release asset
Separate container image with same digest and suffix
Manifest list (BuildKit)
OCI 1.1 referrer (more later)