If you’ve been around the computing industry lately, you’ve probably brushed against the term SBOM at some point or another. By now, it is common knowledge that a Software Bill of Materials is becoming an increasingly expected requirement for software releases. Reading through blog posts and social media, it still seems that some confusion persists about what an SBOM can do for your project. This post tries to lay down some basic facts about SBOMs and how they can help you and your project become a better citizen of the global software supply chain.
Have you ever noticed the packing slips attached to the sides of parcels when the UPS truck drops them off? These packing slips contain several pieces of information that describe what is actually inside the box you are getting. They contain data about where it came from: the sender’s address, the time it was mailed, and sometimes data about the international customs the shipment may have traversed. They also contain data about the contents: generally a list of what is enclosed in the box, the quantities, the cost, and some other data which may prove helpful when checking that all your stuff is in there and that it matches your order. The slip may also list some metadata about the manufacturing process that brought your items to life: lot number, model or generation of the product, serial number, and so on.
A Software Bill of Materials allows consumers and developers to do the same with software components, and a lot more. An SBOM is an electronic packing slip, but with some additional superpowers!