The Software Bill of Materials (SBOM) is at the heart of the Cyber Resilience Act. While the CRA does not require vendors to publish SBOMs for customers, it requires vendors to create a list of all the components used to build the software.

Today, software consists of up to 80% or more Open Source software. The vendor is liable for all the components in a product it sells, so it is important to have automated systems that check whether the third-party components used carry any known vulnerabilities.

An SBOM has many different uses, not just vulnerability management. The list of components records not only the name of every component but also its version and license.

The SBOM is not only for Open Source: it includes all commercial components acquired from vendors to build a product.

Using the SBOM to check for vulnerabilities

Many platforms use the SBOM to check for vulnerabilities. Using the name and version of each component, a check can be run against various databases, including the National Vulnerability Database (NVD), to see whether any issues have been reported for that component. If so, a patch or an update to a fixed version may be needed. Both commercial and open source platforms can run these checks.

VEX – the state of components

Part of the SBOM is the Vulnerability Exploitability eXchange (VEX) data format. While it can be defined with SBOM syntax, it is often a separate file. The SBOM is signed and tied to a specific version of a software product. The VEX file lists all vulnerabilities known at a specific date, and may include data on mitigations, an assessment of each vulnerability's impact on users and other information for the user.
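The two steps described above, matching SBOM components against a vulnerability feed and then applying VEX statements, as an added example that is not part of the original article. The SBOM fragment, the feed entries, the vulnerability identifiers and the VEX statements are all constructed for illustration; a real check would query the NVD or a commercial feed instead of the inline list.

```python
# Added example: match SBOM components against a vulnerability feed, then
# apply VEX statements. All data below is constructed; none of it is real.
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (component names are made up).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"name": "libfoo", "version": "1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "libbar", "version": "2.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"name": "libbaz", "version": "0.9.1"}]}"""

# Constructed feed: (component, first fixed version, placeholder vuln id).
# A component is affected when its version is below the fixed version.
FEED = [("libfoo", "1.2.4", "EXAMPLE-2024-0001"),
        ("libbar", "1.9.0", "EXAMPLE-2023-0042"),
        ("libbaz", "1.0.0", "EXAMPLE-2024-0100")]

# Constructed VEX statements keyed by (vuln id, component): the supplier has
# assessed that libbaz does not reach the vulnerable code path.
VEX = {("EXAMPLE-2024-0100", "libbaz"): "not_affected"}

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3): compare numerically, since '10.0' < '9.0' as strings."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name, version and license from a CycloneDX-style JSON document."""
    out = []
    for c in json.loads(sbom_json)["components"]:
        lic = ",".join(l["license"]["id"] for l in c.get("licenses", [])) or "unknown"
        out.append({"name": c["name"], "version": c["version"], "license": lic})
    return out

def check_sbom(sbom_json: str) -> List[Dict[str, str]]:
    """One finding per (component, vuln) whose version is below the fix,
    with the VEX status applied; default status is 'affected'."""
    findings = []
    for comp in load_components(sbom_json):
        for name, fixed_in, vuln_id in FEED:
            if name != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(fixed_in):
                status = VEX.get((vuln_id, name), "affected")
                findings.append({"component": name, "version": comp["version"],
                                 "vuln": vuln_id, "fixed_in": fixed_in, "status": status})
    return findings

if __name__ == "__main__":
    for finding in check_sbom(SBOM_JSON):
        print(finding)
```

Only libfoo ends up as an actionable finding: libbar is already above the fixed version, and libbaz is reported but carries the supplier's not_affected VEX status.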

Other bill-of-materials

In addition to the Software Bill of Materials there are many complementary bills of materials:

  • CBOM: Cryptography bill of materials
  • HBOM: Hardware bill of materials
  • SASBOM: Software as a service bill of materials

Further exploration: