What is a Software Bill of Materials (SBOM) Report?

the national telecommunications and information administration ( ntia ) defines an sbom as " a formal record containing the details and supply chain relationships of various components used in building software " ( https //www ntia gov/files/ntia/publications/sbom faq 20201116 pdf ) sbom reports are a crucial cyber security component in the software development supply chain and will soon become mandatory within the industry in fact, a may 2021 executive order from the president of the united states of america calls for an sbom to accompany all pieces of software purchased by the u s federal government, to be provided by the vendors of the software ( executive order 14028 improving the nation's cybersecurity ) sboms created using a soos sbom export or sbom manager docid\ mj1iszs7wxngdftuged4m license provide a list of open source dependencies found in the projects scanned using our sca scanning docid 28htkl gfqpslk7pwny1h , container scanning docid\ b07oiqdkec7jjdmmedfns , or sbom manager docid\ mj1iszs7wxngdftuged4m scanning tools along with a full list of the open source dependencies, soos provides the licenses associated with each dependency and the cve id of any vulnerability detected during the scan sboms are even more powerful when combined with a vulnerability exploitability exchange report read more about vex in our article here what is a vulnerability exploitability exchange (vex) report? docid\ xhoefh rbmtzlwjwvjlmg