
SBOM Basics: Introduction to Software Composition Specifications

1. What this chapter covers

In this chapter you will learn what an SBOM is, its minimum required elements, the main formats, and the SBOM ecosystem.

There is no hands-on work. Just read and understand.

This background will serve as the basis for creating a real SBOM in later chapters. The goal is to understand "Why are we using this tool?" and "What is this file?" before you run a command.


2. What is an SBOM?

Definition

An SBOM (Software Bill of Materials) is a list of every component included in a piece of software. It enumerates all the ingredients that make up the software, including open source libraries, frameworks, runtimes, and build tools.

The food ingredient list analogy

A food package lists "flour, sugar, eggs, butter..." An SBOM is the ingredient list for software.

"This software includes React 18.2.0, axios 1.4.0, and log4j 2.14.0."

Consumers — suppliers, customers, and regulators — read this list to check safety and licensing.

What you cannot answer without an SBOM

Without an SBOM, the following questions are hard to answer.

| Situation | Problem |
| --- | --- |
| License audit | You risk a license violation because you do not know what open source is in use |
| Disclosure of a vulnerability like Log4Shell | You cannot immediately tell whether your products are affected |
| SBOM request from a customer | A delivery contract stalls because you cannot provide one |
| Supply chain audit | You have no record of the components in use |

3. SBOM minimum required elements (based on NTIA)

The U.S. National Telecommunications and Information Administration (NTIA) has defined seven minimum elements that an SBOM must include.

| Element | English name | Description | Example |
| --- | --- | --- | --- |
| Supplier name | Supplier Name | Organization or individual that created the component | Apache Software Foundation |
| Component name | Component Name | Package or library name | log4j-core |
| Version | Version | Exact version string | 2.14.1 |
| Unique identifier | Other Unique Identifiers | CPE, PURL, hash, etc. | pkg:maven/org.apache.logging.log4j/log4j-core@__ISO13__ |
| Dependency relationship | Dependency Relationship | Relationships with other components | spring-boot depends on log4j-core |
| SBOM author | Author of SBOM Data | The tool or person that created the SBOM | syft v0.86.0 |
| Timestamp | Timestamp | Date and time the SBOM was created | 2024-01-15T09:30:00Z |

This step satisfies the conceptual understanding required by ISO/IEC 18974 [G3B.1 Background].
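The seven elements above map onto concrete fields of a CycloneDX JSON document, and a consumer can check for them mechanically. The following checker is an added example for this chapter, not code from the kit, syft, cdxgen or the CycloneDX project. SAMPLE_SBOM is a constructed document in the CycloneDX 1.5 JSON layout (not real tool output), and one component is left incomplete on purpose so the checker has something to report.

```python
"""Check a CycloneDX JSON SBOM for the seven NTIA minimum elements.

Added example; not code from the kit, syft, cdxgen or the CycloneDX project.
SAMPLE_SBOM is a constructed document, not the output of any real tool.
"""
import json
import re

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T09:30:00Z",                                   # NTIA: timestamp
        "tools": [{"vendor": "Anchore", "name": "syft", "version": "0.86.0"}],  # NTIA: SBOM author
        "component": {"type": "application", "bom-ref": "demo-app",
                      "name": "demo-app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j-core",
         "supplier": {"name": "Apache Software Foundation"},                   # NTIA: supplier name
         "name": "log4j-core", "version": "2.14.1",                            # NTIA: name, version
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},      # NTIA: unique identifier
        {"type": "library", "bom-ref": "left-pad",                             # deliberately incomplete
         "name": "left-pad", "purl": "pkg:npm/left-pad"},
    ],
    "dependencies": [                                                          # NTIA: dependency relationships
        {"ref": "demo-app", "dependsOn": ["log4j-core"]},
    ],
})

ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def _tool_names(metadata):
    """Tool names from metadata.tools, in the 1.4 array form or the 1.5 object form."""
    tools = metadata.get("tools", [])
    if isinstance(tools, dict):
        tools = tools.get("components", []) + tools.get("services", [])
    return [t["name"] for t in tools if t.get("name")]


def check_ntia_minimum(sbom_json):
    """Return a list of findings; an empty list means all seven elements are present."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    findings = []

    if not _tool_names(meta) and not meta.get("authors"):
        findings.append("metadata: no SBOM author (tools/authors)")
    stamp = meta.get("timestamp", "")
    if not ISO_8601.match(stamp):
        findings.append(f"metadata: timestamp missing or not ISO 8601: {stamp!r}")

    refs = set()
    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: no supplier name")
        if not comp.get("name"):
            findings.append(f"{label}: no component name")
        if not comp.get("version"):
            findings.append(f"{label}: no version")
        identifiers = [comp.get("purl"), comp.get("cpe")]
        identifiers += [h.get("content") for h in comp.get("hashes", [])]
        if not any(identifiers):
            findings.append(f"{label}: no unique identifier (purl/cpe/hash)")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])

    # Every component should appear somewhere in the dependency graph.
    graph = bom.get("dependencies", [])
    if not graph:
        findings.append("no dependencies section")
    in_graph = set()
    for edge in graph:
        in_graph.add(edge.get("ref"))
        in_graph.update(edge.get("dependsOn", []))
    for ref in sorted(refs - in_graph):
        findings.append(f"{ref}: not present in the dependency graph")
    return findings


def completed_sample():
    """The sample with its gaps filled, to show what a clean run looks like."""
    bom = json.loads(SAMPLE_SBOM)
    bom["components"][1].update({"version": "1.3.0",                # constructed value
                                 "supplier": {"name": "example vendor"}})
    bom["dependencies"][0]["dependsOn"].append("left-pad")
    return json.dumps(bom)


if __name__ == "__main__":
    for line in check_ntia_minimum(SAMPLE_SBOM) or ["OK: all seven NTIA elements present"]:
        print(line)
```

Running the script reports the three gaps in the left-pad entry (no supplier, no version, not referenced in the dependency graph); `completed_sample()` shows the same document once those fields are filled. A real SBOM from syft or cdxgen can be passed to `check_ntia_minimum` unchanged, since it only reads fields defined by the CycloneDX schema.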

What is a unique identifier (PURL)?

A Package URL (PURL) is a standard format that uniquely identifies a package worldwide.

pkg:{type}/{namespace}/{name}@{version}

Examples:

  • pkg:npm/lodash@__ISO13__ — npm package
  • pkg:pypi/requests@__ISO13__ — Python package
  • pkg:maven/org.springframework/spring-core@__ISO13__ — Java Maven package

With a PURL, you can automatically match components against vulnerability databases (NVD, OSV) to find CVEs.
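A PURL is only useful for automatic matching if it is parsed consistently. The parser below is an added example for this chapter; it is neither the kit's code nor the reference packageurl library. It splits a PURL into its parts following the `pkg:{type}/{namespace}/{name}@{version}` shape above (plus the optional `?qualifiers` and `#subpath` the PURL specification allows) and builds the request body that OSV's `/v1/query` endpoint expects. The package versions in the samples and the OSV ecosystem mapping are assumptions for illustration; no network request is made.

```python
"""Parse Package URLs (PURLs) and turn them into OSV query bodies.

Added example; not the kit's code and not the reference packageurl library.
Version numbers in the samples are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# OSV ecosystem names for the PURL types this example understands (assumed mapping).
OSV_ECOSYSTEM = {
    "npm": "npm", "pypi": "PyPI", "maven": "Maven", "golang": "Go",
    "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet", "composer": "Packagist",
}


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(text: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not text.startswith("pkg:"):
        raise ValueError(f"not a PURL (no 'pkg:' scheme): {text!r}")
    rest = text[len("pkg:"):].lstrip("/")          # 'pkg://' is tolerated by the spec
    rest, _, subpath = rest.partition("#")          # subpath follows the first '#'
    rest, _, qualifier_text = rest.partition("?")   # qualifiers follow the first '?'
    head, sep, version = rest.rpartition("@")       # version follows the last '@'
    if not sep:
        head, version = rest, ""
    parts = [p for p in head.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"PURL needs at least a type and a name: {text!r}")
    ptype = parts[0].lower()
    name = unquote(parts[-1])                       # e.g. '%40babel' decodes to '@babel'
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    if ptype == "pypi":                             # PyPI names are case-insensitive; '_' == '-'
        name = name.lower().replace("_", "-")
    qualifiers = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return Purl(ptype, namespace, name, unquote(version) or None, qualifiers, unquote(subpath) or None)


def osv_query(purl: Purl) -> dict:
    """Build the request body for OSV's /v1/query endpoint (package + version form)."""
    ecosystem = OSV_ECOSYSTEM.get(purl.type)
    if ecosystem is None:
        raise ValueError(f"no OSV ecosystem known for PURL type {purl.type!r}")
    if purl.type == "maven":                        # OSV names Maven packages groupId:artifactId
        name = f"{purl.namespace}:{purl.name}"
    elif purl.namespace:                            # npm scopes, Go module paths, etc.
        name = f"{purl.namespace}/{purl.name}"
    else:
        name = purl.name
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    if purl.version:
        body["version"] = purl.version
    return body


if __name__ == "__main__":
    # Constructed samples; the versions are illustrative only.
    for sample in ("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                   "pkg:npm/%40babel/core@7.22.0",
                   "pkg:pypi/Requests@2.31.0?extension=whl#src/requests"):
        parsed = parse_purl(sample)
        print(parsed)
        print("  OSV query:", osv_query(parsed))
```

The `rpartition("@")` is deliberate: a namespace such as `@babel` is percent-encoded in a PURL, so the last `@` is always the version separator. The PyPI normalisation shows why parsing matters for matching: `Requests` and `requests` are the same package, and a lookup keyed on the raw string would miss advisories.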


4. SBOM format comparison

Two standard formats are mainly used in the industry today.

| Item | SPDX | CycloneDX |
| --- | --- | --- |
| Maintained by | Linux Foundation | OWASP |
| Latest version | 2.3 | 1.5 |
| Strengths | License compliance focus, ISO/IEC 5962 standard | Security-specific fields, supports JSON/XML/Protobuf |
| Tooling | fossology, reuse, spdx-tools | syft, cdxgen, Dependency-Track |
| Main uses | License audit, open source contribution | Security vulnerability analysis, supply chain security |

Why this kit uses CycloneDX

  1. Rich tool support: both syft and cdxgen produce CycloneDX as their default output.
  2. Security-specific fields: vulnerability information (VEX) can be embedded directly in the SBOM.
  3. JSON format: easy for humans to read and easy to wire into CI/CD pipelines and APIs.
  4. Dependency-Track integration: works seamlessly with the SBOM management platform.

5. The SBOM ecosystem

An SBOM does not stand alone. It flows through a cycle of creation → management → analysis → sharing.

The generation tools

syft

  • Maintained by: Anchore
  • Purpose: generate an SBOM from Docker images, containers, and filesystems
  • Strengths: simple to install and automatically detects a wide range of language runtimes
  • Command: syft <target> -o cyclonedx-json

cdxgen

  • Maintained by: OWASP
  • Purpose: analyze package manifests in source code directories
  • Strengths: automatically recognizes language-specific files such as package.json, pom.xml, and requirements.txt
  • Command: cdxgen -o bom.json

You will practice with both tools in chapter 05-tools/sbom-generation.


6. Frequently asked questions

Q: If I publish an SBOM, won't it expose my company's proprietary technology?

A: An SBOM lists the open source you use, not your proprietary code. All it reveals is "which open source libraries do you use?" Most of your competitors already use the same libraries, so it gives away no competitive advantage.


Q: Does software with no open source still need an SBOM?

A: In practice, purely proprietary software is extremely rare. Build tools, runtimes, and even standard libraries are often open source. Once you generate an SBOM, you will usually find more open source components than you expected.


Q: How often should an SBOM be updated?

A: We recommend updating it at least once per release. Integrate it into your CI/CD pipeline to keep it current automatically. ISO/IEC 18974 requires the SBOM to be kept up to date.


Q: What should I do if a customer requests an SBOM?

A: By following this kit, you can generate an SBOM in CycloneDX JSON format. If the customer requires a different format, you can use a conversion tool or coordinate with your open source lead to adjust.


7. Completion checklist

  • I can explain what an SBOM is and why it is needed
  • I know the 7 NTIA minimum elements
  • I understand the difference between SPDX and CycloneDX
  • I understand the SBOM ecosystem (creation → management → analysis → sharing)

8. Next steps

Having read this document, you now have a solid grasp of SBOM concepts and the surrounding ecosystem.

Next, go to docs/01-setup/ to prepare your lab environment. Once you have installed syft, cdxgen, and Dependency-Track, you can begin the hands-on work in earnest.

Bash
# next step
cd docs/01-setup