An SBOM (software bill of materials) is a formal, structured record that not only lists the components of a software product but also describes their supply chain relationships: which component depends on which, and where each one came from. An SBOM therefore tells you both what packages and libraries went into your application and how those packages relate to each other and to the upstream projects they were taken from. That relationship information matters most for reused and open-source code, where a library you chose deliberately pulls in transitive dependencies you never chose at all.
You might be familiar with a bill of materials for an automobile. This is a document that goes into great detail about every component that makes your new car run. The auto supply chain is notoriously complex, and even though your car was assembled by Toyota or General Motors, many of its component parts were built by subcontractors around the world. The bill of materials tells you where each of those parts came from, and that knowledge isn’t just an interesting bit of trivia. If a certain production run of airbags has been recalled, car manufacturers need a quick way to know where those particular airbags ended up.
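The airbag question has a direct software equivalent: given one component, which products pull it in, along which dependency path, and what has to be rebuilt if it is recalled? The script below answers that by walking the dependency graph of a CycloneDX-style SBOM. It is an added example, not code from the original article or from any SBOM tool; the SBOM it parses is constructed inline with hypothetical product and package names (`example-service`, `example-http`, `example-tls`, and so on), and it only handles the fields it needs (`bom-ref`, `components`, and the `dependencies` list of `ref`/`dependsOn` pairs). It also flags a practitioner's caveat: dependency edges that point at components the inventory never declares, which means the SBOM is incomplete.

```python
"""Walk a CycloneDX-style SBOM dependency graph to answer the recall question:
given one component, what pulls it in, along which path, and what is affected?
Added example; not from the original article or any SBOM tool."""
import json
from collections import defaultdict

# Constructed, minimal CycloneDX-style SBOM with hypothetical names (not a real
# product's SBOM). Only the fields the walk below needs are present.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/example-http@1.2.0", "name": "example-http", "version": "1.2.0"},
        {"bom-ref": "pkg:pypi/example-tls@0.9.1", "name": "example-tls", "version": "0.9.1"},
        {"bom-ref": "pkg:pypi/example-yaml@6.0", "name": "example-yaml", "version": "6.0"},
        {"bom-ref": "pkg:pypi/example-cfg@3.1", "name": "example-cfg", "version": "3.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/example-http@1.2.0", "pkg:pypi/example-cfg@3.1"]},
        {"ref": "pkg:pypi/example-http@1.2.0", "dependsOn": ["pkg:pypi/example-tls@0.9.1"]},
        {"ref": "pkg:pypi/example-cfg@3.1", "dependsOn": ["pkg:pypi/example-yaml@6.0", "pkg:pypi/example-tls@0.9.1"]},
        {"ref": "pkg:pypi/example-tls@0.9.1", "dependsOn": []},
        {"ref": "pkg:pypi/example-yaml@6.0", "dependsOn": []},
    ],
})


def load_graph(sbom_text):
    """Return (root_ref, components_by_ref, forward_edges) from CycloneDX JSON."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in sbom.get("components", []):
        components[comp["bom-ref"]] = comp
    edges = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        edges[dep["ref"]].extend(dep.get("dependsOn", []))
    return root["bom-ref"], components, dict(edges)


def dangling_refs(sbom_text):
    """Refs used in the dependency graph that no declared component carries.
    A non-empty result means the SBOM is incomplete: the graph names parts the
    inventory never describes, so the recall question cannot be answered fully."""
    _, components, edges = load_graph(sbom_text)
    mentioned = set(edges) | {d for deps in edges.values() for d in deps}
    return sorted(mentioned - set(components))


def dependency_paths(sbom_text, target_ref):
    """Every path from the product root to target_ref, in dependency order:
    the 'where did this part end up, and via which supplier' question."""
    root, _, edges = load_graph(sbom_text)
    paths = []

    def walk(node, trail):
        if node in trail:          # guard against cycles in a malformed SBOM
            return
        trail = trail + [node]
        if node == target_ref:
            paths.append(trail)
            return
        for child in edges.get(node, []):
            walk(child, trail)

    walk(root, [])
    return paths


def affected_by(sbom_text, target_ref):
    """Set of refs that transitively depend on target_ref: everything that has
    to be rebuilt or re-released if target_ref is recalled."""
    _, _, edges = load_graph(sbom_text)
    reverse = defaultdict(set)
    for parent, children in edges.items():
        for child in children:
            reverse[child].add(parent)
    seen, stack = set(), [target_ref]
    while stack:
        node = stack.pop()
        for parent in reverse.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


if __name__ == "__main__":
    target = "pkg:pypi/example-tls@0.9.1"
    print("dangling refs:", dangling_refs(SAMPLE_SBOM))
    for path in dependency_paths(SAMPLE_SBOM, target):
        print(" -> ".join(path))
    print("affected:", sorted(affected_by(SAMPLE_SBOM, target)))
```

Two design points are worth noting. `dependency_paths` reports every path, not just the first, because the same library often arrives through several direct dependencies and removing one of them does not remove the component. `dangling_refs` should be run before trusting any of the other answers: an SBOM whose dependency graph references undeclared components tells you the inventory was produced from partial information, and a clean "not affected" result from such a document is not evidence of anything.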