DevOps Glossary

Software Bill of Materials (SBOM)

Software Bill of Materials (SBOM) is a component list used to track dependencies, licenses, and security risks.

Software Bill of Materials (SBOM) is a structured inventory of the components used to build a software application, service, container image, or release. In practical terms, an SBOM helps engineering, security, and operations teams identify which open source libraries, third-party packages, container layers, licenses, and internal components are present, often including names, versions, suppliers, hashes, and dependency relationships. Teams use SBOMs to answer questions such as “Are we using a vulnerable version of Log4j?”, “Which products include this package?”, or “What licenses apply to this release?” Common SBOM formats include SPDX and CycloneDX, and SBOMs are often generated during CI/CD builds, container image scans, package analysis, or release signing workflows. An SBOM improves vulnerability response, supply chain transparency, license review, and compliance work, but it still needs accurate generation, regular updates, and vulnerability matching to be useful. For example, after a critical CVE is announced in a Java library, a security team can search SBOMs across deployed services to find affected versions and prioritize fixes.
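The lookup described above, as an added example that is not part of this glossary entry: a small Python script that parses a constructed CycloneDX JSON SBOM, walks nested components, and reports every copy of a named library whose version is below a fixed-in threshold. The service name, package versions and the threshold are assumed sample values, not taken from any real advisory.

```python
import json
import re

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM for one service.
# Names and versions are illustrative; the nested component models a jar
# bundled inside another library, which flat scans often miss.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "orders-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-lib", "version": "1.8.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}
  ]
}
"""

def version_key(version):
    """Map '2.14.1' to (2, 14, 1) for ordered comparison. Dotted numeric versions
    only; a suffix such as '-beta9' is dropped, so pre-release ordering is not modelled."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0]))

def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))

def find_affected(sbom_text, group, name, fixed_in):
    """Return (service, purl-or-name, version) for each matching component whose
    version is below fixed_in. fixed_in is a placeholder threshold here."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    service = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    hits = []
    for comp in walk_components(sbom.get("components")):
        if comp.get("group") == group and comp.get("name") == name:
            if version_key(comp.get("version", "0")) < version_key(fixed_in):
                hits.append((service, comp.get("purl", name), comp["version"]))
    return hits

if __name__ == "__main__":
    # Threshold is a sample value; take the real one from the vendor advisory.
    for svc, ident, ver in find_affected(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(f"{svc}: {ident} ({ver}) is below the fixed version")
```

Run across one SBOM per deployed service, the same function gives the per-service list of affected versions that the paragraph describes prioritising.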