Software Bill of Materials (SBoM)

"A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application." (Wikipedia)

Use cases

Inventory of libraries used in a software artifact

Scan for vulnerabilities

Scan for license compliance


OWASP’s CycloneDX

Linux Foundation’s Software Package Data Exchange (SPDX)
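
Added example, not from the original slides or from any tool named here: the inventory and license-compliance use cases above, applied to a CycloneDX JSON document. The sample BOM, its component names and the ALLOWED policy are constructed assumptions; SPDX license expressions are not parsed and are therefore flagged for review.

```python
import json

# Constructed sample: a minimal CycloneDX JSON document, not from a real project.
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "library", "name": "libalpha", "version": "1.2.3",
   "purl": "pkg:pypi/libalpha@1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "libbeta", "version": "0.9.0",
   "purl": "pkg:npm/libbeta@0.9.0",
   "licenses": [{"expression": "GPL-3.0-only OR MIT"}],
   "components": [
    {"type": "library", "name": "libgamma", "version": "4.0.0",
     "purl": "pkg:npm/libgamma@4.0.0"}]}
 ]}
""")

ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed policy for this example


def walk(components):
    """Yield every component, including nested ones."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def license_ids(comp):
    """Declared licences; an SPDX expression is kept as one opaque string."""
    found = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        found.append(entry.get("expression") or lic.get("id") or lic.get("name"))
    return [x for x in found if x]


def inventory(bom):
    """(purl or name@version, licences) for each component in the BOM."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c.get("purl") or f'{c["name"]}@{c.get("version", "?")}', license_ids(c))
            for c in walk(bom.get("components"))]


def needs_review(bom):
    """Components with no declared licence, or one outside ALLOWED."""
    return [ref for ref, lics in inventory(bom)
            if not lics or any(lic not in ALLOWED for lic in lics)]
```

A component that declares no license at all (libgamma in the sample) is reported for review rather than passed silently, which is the case a plain allow-list match would miss.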

Tools (Excerpt)

SBoM generators

Anchore syft, Aqua Security trivy, docker-sbom, BuildKit >=0.11.0-rc1, Kubernetes bom, Microsoft sbom-tool

Vulnerability scanners

Anchore grype, Aqua Security trivy




Using uniget

uniget install --tags sbom --plan


SBoM generation

SBoM scanning

Distribution of SBOMs

No standard available yet

What is out there

Download from website

Release asset

Separate container image with same digest and suffix

Manifest list (BuildKit)

OCI 1.1 referrer (more later)