What is a Software Bill of Materials (SBOM) Report?
The National Telecommunications and Information Administration (NTIA) defines an SBOM as "...a formal record containing the details and supply chain relationships of various components used in building software." (https://www.ntia.gov/files/ntia/publications/sbom_faq_-_20201116.pdf)
SBOM reports are a crucial cybersecurity component in the software development supply chain and will soon become mandatory within the industry. In fact, a May 2021 Executive Order from the President of the United States of America calls for software vendors to provide an SBOM with every piece of software purchased by the U.S. Federal Government. (Executive Order 14028 - Improving the Nation's Cybersecurity)
SBOMs created using a SOOS SBOM Export or SBOM Manager license provide a list of open source dependencies found in the projects scanned using our SCA Scanning, Container Scanning, or SBOM Manager scanning tools. Along with a full list of the open source dependencies, SOOS provides the licenses associated with each dependency and the CVE ID of any vulnerability detected during the scan.
SBOMs are even more powerful when combined with a Vulnerability-Exploitability eXchange report. Read more about VEX in our article here: What is a Vulnerability-Exploitability eXchange (VEX) Report?