Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a structured inventory of all components, libraries, dependencies, and modules that make up a software product. It lists each component with its version, licence, supplier, and known vulnerabilities. SBOMs come in standard formats — CycloneDX (OWASP standard, preferred for cybersecurity), SPDX (ISO/IEC 5962 standard, preferred for licence compliance), and SWID (ISO/IEC 19770-2). SBOMs are required by the EU Cyber Resilience Act, DORA, and increasingly demanded by enterprise buyers for supply chain cybersecurity due diligence.

Modern software products are composed primarily of open-source and third-party components — often 80-90% of the codebase. Without an SBOM, organisations don't know what's in their software, making it impossible to assess cybersecurity risk, manage licence obligations, or respond to vulnerability disclosures. The EU Cyber Resilience Act (CRA) makes SBOMs mandatory for any product with digital elements sold in the EU — requiring manufacturers to maintain component inventories and report vulnerabilities. DORA requires financial entities to maintain ICT asset registers that include software component inventories. Enterprise buyers increasingly require SBOMs as a condition of procurement, making them essential for market access in the B2B software market.

CycloneDX SBOMs are the OWASP-recommended format for cybersecurity compliance — they include component inventories, dependency graphs, vulnerability references (via integration with vulnerability databases), and supply chain relationship data. SPDX SBOMs are the ISO/IEC 5962 standard format focused on software package metadata, licence information, and security references — preferred for open source licence compliance and software transparency. Vulnerability disclosure reports document coordinated vulnerability disclosure policies, bug bounty programmes, and known vulnerability registers — required by CRA Article 13 for manufacturer security obligations. Open source licence registries track component licences (MIT, GPL, Apache, etc.) and compliance status — essential for software distribution compliance and IP governance.

SBOM files in CycloneDX, SPDX, or CSV format are uploaded to Sustalium. The system extracts component inventories, dependency relationships, licence information, and vulnerability references — mapping them to the relevant compliance frameworks. Component data feeds into CRA compliance records (Article 13 vulnerability reporting obligations), DORA ICT registers (software asset inventory requirements), and GDPR software supply chain due diligence. Licence information supports open source compliance and IP governance documentation. Vulnerability data drives ongoing vulnerability management processes. SBOM data is linked to product SKUs and version management, enabling product-level compliance tracking across the software portfolio.

The EU Cyber Resilience Act (CRA) is the primary regulatory driver — it requires manufacturers of products with digital elements to create and maintain SBOMs, report vulnerabilities, and ensure components are free from known exploitable vulnerabilities. DORA (Digital Operational Resilience Act) requires financial entities to maintain comprehensive ICT asset registers that include software component inventories. GDPR Article 32 requires appropriate security measures for personal data processing — SBOMs help assess and document the security of software processing personal data. The EU AI Act requires software component documentation for high-risk AI systems. ISO 27001 Annex A control A.8.8 requires management of technical vulnerabilities — SBOMs are the foundation. US Executive Order 14028 mandates SBOMs for all software sold to the US government.