The National Telecommunications and Information Administration (NTIA) defines an SBOM as "...a formal record containing the details and supply chain relationships of various components used in building software." (https://www.ntia.gov/files/ntia/publications/sbom_faq_-_20201116.pdf)
SBOM reports are a crucial cyber security component of the software supply chain and are well on the way to becoming a standard requirement across the industry. In fact, a May 2021 Executive Order from the President of the United States (Executive Order 14028, Improving the Nation's Cybersecurity) directs that software purchased by the U.S. Federal Government be accompanied by an SBOM, provided by the vendor of that software.
SBOMs created using SOOS provide a list of open source dependencies found in the projects scanned using our Software Composition Analysis (SCA) tool. Along with a full list of the open source dependencies, SOOS provides the licenses associated with each dependency and the CVE ID of any vulnerability detected during the scan.
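To make the three pieces of information above concrete (dependency, license, CVE ID), here is an added example, not SOOS code and not an export from the SOOS platform, that reads an SBOM and builds that inventory. It assumes the CycloneDX JSON layout (the format SOOS actually emits is covered in the separate article linked below); the sample document embedded in it is constructed for this example, and the `pkg:npm/not-in-bom@9.9.9` reference is deliberately left undeclared to show a consistency check a reviewer would want.

```python
"""Build a dependency / license / CVE inventory from a CycloneDX-style JSON SBOM.

Assumptions (not taken from the article): the SBOM is CycloneDX JSON, and the
sample below is constructed for this example rather than exported from SOOS.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample SBOM (assumption: CycloneDX 1.4 shape, not a real SOOS export).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "version": "1.0.0", "bom-ref": "example-app@1.0.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "bom-ref": "pkg:npm/lodash@4.17.20", "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        # No license declared at all: the inventory should flag this.
        {"type": "library", "name": "mystery-lib", "version": "0.1.0",
         "bom-ref": "pkg:npm/mystery-lib@0.1.0", "purl": "pkg:npm/mystery-lib@0.1.0"},
    ],
    "dependencies": [
        {"ref": "example-app@1.0.0",
         "dependsOn": ["pkg:npm/lodash@4.17.20", "pkg:npm/left-pad@1.3.0",
                       "pkg:npm/mystery-lib@0.1.0"]},
        # Constructed dangling edge: this ref is never declared as a component.
        {"ref": "pkg:npm/lodash@4.17.20", "dependsOn": ["pkg:npm/not-in-bom@9.9.9"]},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-23337", "source": {"name": "NVD"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
    ],
})


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return sbom


def component_licenses(component: dict) -> List[str]:
    """Return the SPDX ids, names or expressions declared for one component."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        name = lic.get("id") or lic.get("name") or entry.get("expression")
        if name:
            out.append(name)
    return out


def vulnerabilities_by_ref(sbom: dict) -> Dict[str, List[str]]:
    """Map each affected bom-ref to the vulnerability ids (CVE ids here) that hit it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            hits[target["ref"]].append(vuln["id"])
    return dict(hits)


def inventory(sbom: dict) -> List[dict]:
    """One row per component: name, version, purl, licenses, CVE ids."""
    vulns = vulnerabilities_by_ref(sbom)
    rows = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        rows.append({"name": comp["name"], "version": comp.get("version", ""),
                     "purl": comp.get("purl", ""),
                     "licenses": component_licenses(comp),
                     "cves": sorted(vulns.get(ref, []))})
    return rows


def unlicensed(rows: List[dict]) -> List[str]:
    return [r["name"] for r in rows if not r["licenses"]]


def vulnerable(rows: List[dict]) -> Dict[str, List[str]]:
    return {r["purl"]: r["cves"] for r in rows if r["cves"]}


def dangling_refs(sbom: dict) -> List[str]:
    """Refs used by dependencies or vulnerabilities but never declared as components."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    known.add(sbom.get("metadata", {}).get("component", {}).get("bom-ref"))
    missing = set()
    for vuln in sbom.get("vulnerabilities", []):
        missing.update(t["ref"] for t in vuln.get("affects", []) if t["ref"] not in known)
    for dep in sbom.get("dependencies", []):
        missing.update(r for r in [dep["ref"], *dep.get("dependsOn", [])] if r not in known)
    return sorted(missing)


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    rows = inventory(bom)
    for row in rows:
        print(f"{row['name']:12} {row['version']:8} "
              f"licenses={row['licenses'] or '-'} cves={row['cves'] or '-'}")
    print("unlicensed:", unlicensed(rows))
    print("vulnerable:", vulnerable(rows))
    print("dangling refs:", dangling_refs(bom))
```

The two checks at the end are the ones worth automating when an SBOM arrives from a vendor: a component with no license is a compliance gap, and a dependency or vulnerability entry that points at an undeclared component means the report cannot be trusted as a complete inventory.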
For more information about SOOS SBOMs, see the following articles:
- What information is included in the Software Bill of Materials report?
- What format does SOOS use to generate the SBOM file?
SBOMs are even more powerful when combined with a Vulnerability-Exploitability eXchange report! Read more about them in our article here: What is a Vulnerability-Exploitability eXchange (VEX) report?