What fields are included in an SBOM?
An SBOM (Software Bill of Materials) is a structured, machine-readable inventory of the components that make up a software product, usually exchanged in a standard format such as SPDX or CycloneDX. Here are some examples of what it may contain:
| Field | Example |
|---|---|
| Component name | react, express, openssl |
| Version | 10.2.3, v4.17.1, 1.1.1k |
| License information | MIT, GPLv3, Apache 2.0 |
| Dependencies | Other libraries or modules, direct and transitive |
| Vulnerability data | CVE information, patch status |
| Supplier information | Manufacturer or supplier (e.g. Red Hat) |
| Metadata & configuration | Build environment, build tool versions, SBOM author and timestamp, etc. |
Below is a brief description of each part.
Component name
Identifies each library, module or framework used in the software. A bare name is ambiguous (the same name can exist on npm, PyPI and a Linux distribution), so SBOM formats pair it with a unique identifier such as a package URL (purl) or a CPE. That identifier is what lets you find and refer to the component reliably during updates, troubleshooting and vulnerability matching.
Version
Specifies exactly which version of each component is included. Vulnerability matching, change tracking and compatibility checks all key on the exact version, so a version range (such as ^4.17) or a missing version makes the entry nearly useless to a consumer.
License information
Shows which license applies to each component, for example an open source or proprietary license, ideally as an SPDX license identifier (MIT, GPL-3.0-only, Apache-2.0) so that tools can evaluate it automatically. This helps organizations meet legal requirements and avoid license conflicts, for example a copyleft library pulled in transitively by a proprietary product.
Dependencies
Lists both direct and transitive (indirect) dependencies and the relationships between them. This way you get a complete picture of how software components are intertwined and how an update of, or a vulnerability in, one component propagates to the rest of the system. Most of the attack surface usually sits in transitive dependencies that nobody chose deliberately, which is why a flat list of top-level packages is not enough.
Vulnerability data
Contains information about known vulnerabilities, risk levels and possible measures. Note that an SBOM itself is a static inventory while vulnerability status changes daily, so this data is usually produced by matching the SBOM's identifiers against a vulnerability database and communicated separately, for example in a VEX (Vulnerability Exploitability eXchange) document that states whether each CVE is actually exploitable in the product. This allows organizations to quickly respond to security threats and reduce the risk of attacks.
Supplier information
Specifies which manufacturer or supplier is behind a certain component. It increases traceability and helps verify that components come from reliable sources; combined with a hash or signature of the component, it lets a consumer check that what was shipped is what the supplier actually published.
Metadata and configuration
May include configuration settings, the build environment or other relevant details that show how the software is built and how components are used in different environments, such as build tool versions, the time the SBOM was generated and who or what generated it. Be careful about what goes in here: raw environment variables or build configuration can contain secrets and internal hostnames, and an SBOM is often shared with customers, so include only what a consumer needs to reproduce or verify the build.
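The fields above map directly onto the structure of a CycloneDX JSON document. The following is an added example, not code from the original article: it builds a small, constructed CycloneDX 1.5 SBOM for a hypothetical application "acme-web", walks its dependency graph to expand the transitive dependencies described under Dependencies, collects the licenses in use and reports which components lack the fields listed in the table. The package names are real, but the supplier names, dependency edges and the application itself are illustrative, and the list of required fields is a chosen minimum (modelled loosely on the NTIA minimum elements), not a formal schema check.

```python
"""Parse a CycloneDX JSON SBOM, expand transitive dependencies and check
that every component carries the fields an SBOM consumer relies on.

Added example for illustration; the SBOM below is constructed inline and
the application "acme-web", the supplier names and the dependency edges
are invented."""
import json
from collections import deque

# Constructed sample: a minimal CycloneDX 1.5 document. Real-world SBOMs
# generated by tools such as syft or cyclonedx-cli have the same shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "acme-web", "version": "2.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/express@4.17.1",
         "name": "express", "version": "4.17.1",
         "purl": "pkg:npm/express@4.17.1",
         "supplier": {"name": "Example Vendor A"},          # illustrative
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/qs@6.7.0",
         "name": "qs", "version": "6.7.0",
         "purl": "pkg:npm/qs@6.7.0",                         # no supplier given
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "bom-ref": "pkg:npm/react@18.2.0",
         "name": "react", "version": "18.2.0",
         "purl": "pkg:npm/react@18.2.0",
         "supplier": {"name": "Example Vendor B"},          # illustrative
         "licenses": [{"license": {"id": "MIT"}}]},
        # Deliberately incomplete entry, as often seen for vendored code:
        # no version, no purl, no supplier, no license.
        {"type": "library", "bom-ref": "vendored-helper", "name": "vendored-helper"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.17.1",
                                     "pkg:npm/react@18.2.0",
                                     "vendored-helper"]},
        {"ref": "pkg:npm/express@4.17.1", "dependsOn": ["pkg:npm/qs@6.7.0"]},
        {"ref": "pkg:npm/qs@6.7.0", "dependsOn": []},
    ],
})

# Fields a consumer needs for identification, matching and license review.
REQUIRED_FIELDS = ("name", "version", "purl", "supplier", "licenses")


def load_sbom(text):
    return json.loads(text)


def components_by_ref(bom):
    """Index every component (including the root application) by its bom-ref."""
    refs = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        refs[root["bom-ref"]] = root
    return refs


def dependency_graph(bom):
    """bom-ref -> list of bom-refs it directly depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def transitive_dependencies(bom, ref):
    """Breadth-first walk from `ref`; returns {bom-ref: depth}. Depth 1 is a
    direct dependency. Already-seen nodes are skipped, so cycles terminate."""
    graph = dependency_graph(bom)
    seen = {}
    queue = deque((child, 1) for child in graph.get(ref, []))
    while queue:
        node, depth = queue.popleft()
        if node in seen:
            continue
        seen[node] = depth
        for child in graph.get(node, []):
            if child not in seen:
                queue.append((child, depth + 1))
    return seen


def missing_fields(bom):
    """Map each component's bom-ref to the required fields it lacks."""
    report = {}
    for c in bom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if missing:
            report[c["bom-ref"]] = missing
    return report


def licenses_in_use(bom, root_ref):
    """Sorted SPDX license ids of everything reachable from root_ref."""
    refs = components_by_ref(bom)
    ids = set()
    for dep in transitive_dependencies(bom, root_ref):
        for entry in refs.get(dep, {}).get("licenses", []):
            lic_id = entry.get("license", {}).get("id")
            if lic_id:
                ids.add(lic_id)
    return sorted(ids)


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for dep, depth in sorted(transitive_dependencies(bom, "app").items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {dep}")
    print("licenses:", licenses_in_use(bom, "app"))
    for ref, fields in missing_fields(bom).items():
        print(f"incomplete: {ref} lacks {', '.join(fields)}")
```

The depth value is what tells you whether a vulnerable package was chosen by your team or arrived transitively, and the incomplete-entry report is the first thing to run on an SBOM received from a supplier: a component with no version or purl cannot be matched against any vulnerability database, whatever else the document claims.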