FAQ
What is a Software Bill of Materials (SBOM) Report?
1 min
The National Telecommunications and Information Administration (https://www.ntia.gov/) defines an SBOM as "a formal record containing the details and supply chain relationships of various components used in building software" (https://www.ntia.gov/files/ntia/publications/sbom_faq_20201116.pdf).

SBOM reports are a crucial cyber security component of the software development supply chain and are fast becoming mandatory across the industry. In fact, a May 2021 executive order from the President of the United States (Executive Order 14028) calls for an SBOM to accompany every piece of software purchased by the U.S. federal government, to be provided by the vendor of the software (https://www.federalregister.gov/executive-order/14028).

SBOMs created using a SOOS SBOM Export or docid\ mj1iszs7wxngdftuged4m license provide a list of the open source dependencies found in the projects scanned with our docid 28htkl gfqpslk7pwny1h , docid\ b07oiqdkec7jjdmmedfns , or docid\ mj1iszs7wxngdftuged4m scanning tools. Along with the full list of open source dependencies, SOOS provides the license associated with each dependency and the CVE ID of any vulnerability detected during the scan. Keep in mind that the CVE list reflects what was known at the time of the scan; an SBOM should be re-evaluated as new vulnerabilities are disclosed against the components it records.

SBOMs are even more powerful when combined with a Vulnerability Exploitability eXchange (VEX) report, which records whether each listed vulnerability is actually exploitable in the product. Read more about VEX in our article here: docid\ xhoefh rbmtzlwjwvjlmg
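The following is an added example, not code from SOOS or from the original page, showing how the three things described above (the dependency list, the license per dependency, and the CVE IDs per dependency) are read out of an SBOM and how a VEX document is then used to drop findings that are marked as not exploitable. It assumes the CycloneDX JSON layout (`components`, `purl`, `licenses`, `vulnerabilities` with `affects` refs, and a VEX `analysis.state`); the page does not describe the SOOS export format, so that layout, the package URLs, and the CVE IDs in the sample data are all constructed for this example.

```python
"""Extract dependencies, licenses and CVE IDs from a CycloneDX-style SBOM,
then apply a VEX document to keep only the findings that still need action.

Added example with constructed data; not a SOOS export. CVE-2099-* IDs are
placeholders made up for the sample, not real vulnerabilities."""
import json

# Constructed SBOM: three npm dependencies, one with no license recorded.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "WTFPL"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.15",
     "purl": "pkg:npm/lodash@4.17.15",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "minimist", "version": "1.2.5",
     "purl": "pkg:npm/minimist@1.2.5"}
  ],
  "vulnerabilities": [
    {"id": "CVE-2099-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    {"id": "CVE-2099-0002", "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    {"id": "CVE-2099-0003", "affects": [{"ref": "pkg:npm/minimist@1.2.5"}]}
  ]
}"""

# Constructed VEX: the supplier has triaged two of the three findings.
# CVE-2099-0003 is deliberately absent, so it must stay actionable.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-2099-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
     "analysis": {"state": "not_affected",
                  "justification": "code_not_reachable"}},
    {"id": "CVE-2099-0002", "affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
     "analysis": {"state": "exploitable"}}
  ]
}"""

SBOM = json.loads(SBOM_JSON)
VEX = json.loads(VEX_JSON)

# CycloneDX analysis states under which no further action is required.
NO_ACTION_STATES = {"not_affected", "false_positive", "resolved",
                    "resolved_with_pedigree"}


def inventory(sbom):
    """Map each component's purl to its name, version, license IDs and CVE IDs."""
    inv = {}
    for comp in sbom.get("components", []):
        inv[comp["purl"]] = {
            "name": comp["name"],
            "version": comp["version"],
            "licenses": [lic["license"].get("id") or lic["license"].get("name")
                         for lic in comp.get("licenses", [])],
            "cves": [],
        }
    # Vulnerabilities reference components by purl in their "affects" list.
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected["ref"] in inv:
                inv[affected["ref"]]["cves"].append(vuln["id"])
    return inv


def unlicensed(inv):
    """Components with no license recorded: a compliance gap to chase, not a pass."""
    return sorted(purl for purl, comp in inv.items() if not comp["licenses"])


def actionable_findings(sbom, vex):
    """Return (purl, cve) pairs still needing action after applying the VEX.

    A finding the VEX does not mention is treated as 'in_triage', i.e. still
    actionable: silence in a VEX never clears a vulnerability."""
    decided = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            decided[(affected["ref"], vuln["id"])] = state
    remaining = []
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            key = (affected["ref"], vuln["id"])
            if decided.get(key, "in_triage") not in NO_ACTION_STATES:
                remaining.append(key)
    return remaining


if __name__ == "__main__":
    inv = inventory(SBOM)
    for purl, comp in inv.items():
        print(f"{comp['name']}@{comp['version']}  licenses={comp['licenses']}"
              f"  cves={comp['cves']}")
    print("no license recorded:", unlicensed(inv))
    print("still actionable after VEX:", actionable_findings(SBOM, VEX))
```

The design choice worth noting is in `actionable_findings`: only an explicit `not_affected`, `false_positive` or `resolved` state removes a CVE from the work list, so a VEX that simply omits a finding (CVE-2099-0003 above) leaves it open rather than silently suppressing it.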
