What an SBOM actually is

A Software Bill of Materials (SBOM) is a structured document that lists all components an application is built from: libraries, frameworks, their versions, licenses and dependencies. The analogy with food product ingredient lists is precise — just as you can check what a food product contains, an SBOM lets you check what a piece of software is made of.

The format matters. CycloneDX and SPDX are the two dominant standards. Both are machine-readable (JSON, XML), which means they can be automatically analyzed, compared and audited. A PDF with a list of libraries is not an SBOM — it is a document that cannot be processed programmatically.

Why it matters now

Three forces are converging: regulation, market requirements and supply chain attack frequency.

US Executive Order 14028 (2021) introduced an SBOM requirement for software sold to the federal government. The EU Cyber Resilience Act (CRA), expected to take full effect by 2027, will require an SBOM for all digital products placed on the EU market. NIS2 Art. 21 requires supply chain security management — and an SBOM is the foundational artifact for that.

Independently of regulation, Enterprise clients increasingly demand an SBOM as part of their procurement process. The question “can you provide an SBOM for each release?” is appearing in Vendor Risk Assessment questionnaires with growing frequency.

The operational reality

Organizations that don’t have automated SBOM generation as part of their build process face a manual inventory problem that is practically impossible to maintain. A modern application with 200+ transitive dependencies changes its composition with every dependency update. Manual tracking at this scale is fiction.

Pipeline-integrated tools (Syft, Trivy, Grype) generate SBOMs automatically at build time, attach them to the container image and archive them. The cost of adding this step to a pipeline is measured in minutes of configuration — the cost of not having it is measured in lost contracts and regulatory non-compliance.

Market signal: An increasing number of RFPs from large organizations include the requirement to deliver an SBOM with every software release. This is not a future requirement — it is a present requirement for Enterprise sales.

SBOM and vulnerability management

The operational value of an SBOM goes beyond compliance documentation. When a new CVE is published (e.g., a critical vulnerability in a popular library), an SBOM lets you answer the question “are we affected?” in seconds rather than days. Without one, the answer requires manual investigation of every application — a process that doesn’t scale.
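The “are we affected?” check, as an added example that is not code from the original article: it walks a CycloneDX JSON SBOM (including components nested inside other components) and matches each package URL against an advisory's affected version range. The SBOM, the package names and the advisory are all constructed for illustration, and the version comparison is deliberately simple (numeric dotted versions only).

```python
import json
# Constructed CycloneDX JSON SBOM with fictional packages (not a real project's SBOM),
# shaped like Syft/Trivy output; only the fields this check needs are kept.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-logging", "version": "2.14.1",
     "purl": "pkg:maven/com.example/acme-logging@2.14.1?type=jar"},
    {"type": "application", "name": "legacy-bundle", "version": "1.0",
     "purl": "pkg:generic/legacy-bundle@1.0",
     "components": [{"type": "library", "name": "acme-logging", "version": "2.12.0",
                     "purl": "pkg:maven/com.example/acme-logging@2.12.0"}]}
  ]
}"""

# Constructed advisory: versionless purl plus affected range [introduced, fixed),
# the shape OSV-style advisories use; a missing "fixed" means no fix exists yet.
ADVISORY = {"purl": "pkg:maven/com.example/acme-logging",
            "introduced": "2.0", "fixed": "2.15.0"}

def version_key(version):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def strip_version(purl):
    """pkg:maven/g/a@1.2.3?type=jar -> pkg:maven/g/a (drops version and qualifiers)."""
    return purl.split("@", 1)[0].split("?", 1)[0]

def iter_components(bom):
    """Walk top-level and nested CycloneDX components (nested = bundled inside another)."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))

def affected_components(sbom_json, advisory):
    """Return the purls in the SBOM whose version falls inside the advisory's range."""
    lo = version_key(advisory["introduced"])
    hi = version_key(advisory["fixed"]) if advisory.get("fixed") else None
    hits = []
    for comp in iter_components(json.loads(sbom_json)):
        purl = comp.get("purl", "")
        if strip_version(purl) != advisory["purl"]:
            continue
        v = version_key(comp.get("version", ""))
        if v >= lo and (hi is None or v < hi):
            hits.append(purl)
    return sorted(hits)
```

Running this across the archived SBOM of every release turns the CVE question into a loop over files; production tooling (Grype, OSV-Scanner) does the same matching with ecosystem-aware version semantics.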
