SBOM
SBOM (Software Bill of Materials) is a formal, machine-readable inventory of every software component — including transitive open-source dependencies, licenses, and versions — embedded in a delivered product. SBOMs were thrust into the mainstream by US Executive Order 14028 and the EU Cyber Resilience Act, and they are now an expected deliverable for any connected product alongside the EBOM and MBOM.
What it covers
- Component inventory with name, version, supplier, a unique identifier (typically a purl or CPE), cryptographic hash, and license per package.
- Dependency graph capturing transitive relationships between components, so a vulnerable library pulled in three levels down is still visible.
- Standard formats — SPDX (ISO/IEC 5962) and CycloneDX (ECMA-424) are the two dominant exchange formats; both have JSON serializations and both can carry VEX data.
- VEX (Vulnerability Exploitability eXchange) companion documents stating, per known CVE and product, whether it is not affected, affected, fixed, or under investigation, so consumers can suppress findings the supplier has shown to be unexploitable in context.
- Lifecycle linkage — SBOMs are produced at build time, attached to releases, and consumed by procurement and SOC teams.
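The items above describe what a consumer of an SBOM needs to do with it: parse the document, walk the dependency graph to the transitive leaves, join the embedded VEX statements against it, and check that the inventory is complete enough to act on. The following is an added example of that consumption step, written for this page rather than taken from any SBOM tool or from the CycloneDX project. It works on a constructed CycloneDX 1.5 JSON document embedded inline; the component names, purls and `CVE-0000-*` identifiers in it are placeholders and describe no real software or vulnerability.

```python
"""Consume a CycloneDX SBOM: walk the dependency graph, triage embedded VEX
statements, and flag inventory gaps. Added example on a constructed BOM;
not code from any SBOM tool or standard."""
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON document. Names, purls and CVE-0000-* ids are
# placeholders. cli depends on a ref that is never declared as a component,
# jsonlite has no hash, cli has no license, and one CVE has no VEX analysis.
SAMPLE_BOM = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "firmware", "bom-ref": "app",
                              "name": "gateway-fw", "version": "2.3.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:generic/netstack@1.4.2", "name": "netstack",
     "version": "1.4.2", "supplier": {"name": "Example Vendor"},
     "hashes": [{"alg": "SHA-256", "content": "abababababababababababababababababababababababababababababababab"}],
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:generic/tlsparse@0.9.1", "name": "tlsparse",
     "version": "0.9.1",
     "hashes": [{"alg": "SHA-256", "content": "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"}],
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:generic/jsonlite@3.0.0", "name": "jsonlite",
     "version": "3.0.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "bom-ref": "pkg:generic/cli@8.1.7", "name": "cli",
     "version": "8.1.7",
     "hashes": [{"alg": "SHA-256", "content": "efefefefefefefefefefefefefefefefefefefefefefefefefefefefefefefef"}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:generic/netstack@1.4.2", "pkg:generic/cli@8.1.7"]},
    {"ref": "pkg:generic/netstack@1.4.2",
     "dependsOn": ["pkg:generic/tlsparse@0.9.1", "pkg:generic/jsonlite@3.0.0"]},
    {"ref": "pkg:generic/tlsparse@0.9.1", "dependsOn": ["pkg:generic/jsonlite@3.0.0"]},
    {"ref": "pkg:generic/cli@8.1.7", "dependsOn": ["pkg:generic/legacy@1.0.0"]}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/tlsparse@0.9.1"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:generic/cli@8.1.7"}],
     "analysis": {"state": "exploitable"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/jsonlite@3.0.0"}]}
  ]
}
"""

# VEX analysis states that close a finding; anything else (or no analysis) stays open.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_bom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def transitive_deps(bom, root):
    """Breadth-first walk of the dependencies section from root; returns every ref reachable."""
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def actionable_vulns(bom):
    """(id, affected ref, state) for every VEX entry the supplier has not ruled out."""
    out = []
    for v in bom.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")  # missing analysis = still open
        if state in CLOSED_STATES:
            continue
        out.extend((v["id"], a["ref"], state) for a in v.get("affects", []))
    return out


def inventory_gaps(bom):
    """Components lacking a SHA-256 hash or a license: the fields procurement and SOC consumers rely on."""
    gaps = {}
    for c in bom.get("components", []):
        missing = []
        if not any(h.get("alg") == "SHA-256" for h in c.get("hashes", [])):
            missing.append("sha256")
        if not c.get("licenses"):
            missing.append("license")
        if missing:
            gaps[c["bom-ref"]] = missing
    return gaps


def dangling_refs(bom):
    """Refs used by the graph or VEX entries but never declared as a component."""
    declared = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    declared.add(bom.get("metadata", {}).get("component", {}).get("bom-ref"))
    used = set()
    for d in bom.get("dependencies", []):
        used.add(d["ref"])
        used.update(d.get("dependsOn", []))
    for v in bom.get("vulnerabilities", []):
        used.update(a["ref"] for a in v.get("affects", []))
    return used - declared


def triage(text, root="app"):
    """Join graph, VEX and inventory checks into one consumer-side report."""
    bom = load_bom(text)
    reach = transitive_deps(bom, root)
    return {
        "reachable": sorted(reach),
        "open_vulns": [v for v in actionable_vulns(bom) if v[1] in reach | {root}],
        "gaps": inventory_gaps(bom),
        "dangling": sorted(dangling_refs(bom)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BOM), indent=2))
```

Two design choices matter for real use. A vulnerability entry with no `analysis` block is treated as open rather than ignored, since an absent VEX statement is not a "not affected" statement. And `dangling_refs` is run before trusting the graph at all: a dependency or VEX entry that points at a ref the components list never declares means the inventory is incomplete, and any "all clear" derived from it is unreliable.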
Relationships (see sidebar)
- Conforms to CMMC (and EO 14028 / EU CRA expectations referenced there).
- Dependency of the ALM Traceability and Product Structure capabilities — connected products need a software-bill view alongside the hardware bills.
- Supports the Release Management and Regulatory Submission processes.
- Complements the EBOM / MBOM for connected, software-defined products.