{"id":22285,"date":"2026-07-14T11:00:00","date_gmt":"2026-07-14T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/14\/what-is-sbom-software-bill-of-materials\/"},"modified":"2026-07-16T17:26:43","modified_gmt":"2026-07-16T17:26:43","slug":"what-is-sbom-software-bill-of-materials","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/14\/what-is-sbom-software-bill-of-materials\/","title":{"rendered":"What Is an SBOM? The Software Bill of Materials"},"content":{"rendered":"<div class=\"st-definition\">\n<p><strong>What is a Software Bill of Materials (SBOM)?<\/strong> A SBOM, short for Software Bill of Materials, is a machine\u2011readable bill of materials listing all components, libraries, and dependencies of a software package, including their versions. It answers the question of what a product is actually made of. Since the Log4Shell vulnerability and with the Cyber Resilience Act, the SBOM has moved from a nice\u2011to\u2011have to a reliable requirement for manufacturers.<\/p>\n<\/div>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">What it is:<\/strong> A complete, machine\u2011readable list of all software components, comparable to an ingredients list.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Purpose:<\/strong> When a new vulnerability emerges, you can check within minutes-rather than days-which products contain the affected component.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Why now:<\/strong> The Cyber Resilience Act (EU Cyber Resilience Act) makes transparency about software components a manufacturer requirement, phased in through 2027.<\/li>\n<\/ul>\n<\/div>\n<h2>Why is an SBOM actually needed?<\/h2>\n<p>Modern software consists largely of foreign code: open-source libraries, frameworks and dependencies that themselves bring further dependencies. Without a bill of materials, often no one knows exactly what is in a product. This very blindness became a problem with Log4Shell when the widely used library Log4j had a critical vulnerability.<\/p>\n<p>The key question at the time in every company was: Which of our applications actually contain Log4j? Those who maintain an SBOM for each product answer this via a query. Those who do not have one have to search manually through the entire software landscape. An SBOM turns a days\u2011long search into a targeted check.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:1.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">Log4Shell<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">The vulnerability CVE-2021-44228 in the library Log4j made 2021 visible how few organizations know their software components<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">Source: NIST NVD \/ BSI<\/p>\n<\/div>\n<h2>What Constitutes a Viable SBOM<\/h2>\n<p>An SBOM is more than a PDF attachment. To add value, it must be machine\u2011readable and can be evaluated automatically. Two formats have become established: SPDX from the Linux ecosystem and CycloneDX from the application security domain. Both describe components, versions, and relationships in a structured way.<\/p>\n<p>What\u2019s crucial is also currency. An SBOM that is created only at release and never updated becomes obsolete with each change. It makes sense to generate it automatically during the build process, so each version gets its own accurate bill of materials. Only then can a new vulnerability be reliably matched against the inventory.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Getting Started with SBOM<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Automatically generate SBOMs in the build process, don\u2019t maintain them manually<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Choose a machine\u2011readable format, such as SPDX or CycloneDX<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Store SBOMs centrally and compare them with vulnerability data<\/li>\n<li style=\"margin:0 0 0;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Require an SBOM from purchased software<\/li>\n<\/ul>\n<\/div>\n<h2>What the Cyber Resilience Act Changes<\/h2>\n<p>The Cyber Resilience Act (Verordnung (EU) 2024\/2847) requires manufacturers of products with digital elements to ensure security throughout the product lifecycle. Annex I, Part II explicitly requires manufacturers to create a Software Bill of Materials (SBOM) in a commonly machine\u2011readable format that covers at least the top\u2011level components and dependencies. It is part of the technical documentation and must be available to regulators, without mandating publication to end users.<\/p>\n<p>The requirements are phased in: reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026, and the remaining CRA obligations from December 11, 2027. For manufacturers, this means setting up the SBOM as a permanent part of the development process. Those who integrate it early can meet upcoming obligations with far less effort than retrofitting later.<\/p>\n<h2>How an SBOM Stays Alive in Operations<\/h2>\n<p>An SBOM only reveals its value during active operation. New vulnerabilities emerge daily, so the bill of materials must be continuously cross\u2011checked against up\u2011to\u2011date vulnerability databases. Only this automated comparison turns a static list into an early\u2011warning system that instantly flags affected products whenever a new flaw appears.<\/p>\n<p>Additionally, the VEX (Vulnerability Exploitability eXchange) concept has gained traction. It allows manufacturers to indicate whether a vulnerability listed in the SBOM can actually be exploited in a specific product. This prevents false alarms when a vulnerable library is present but the vulnerable code isn\u2019t actually used. Together, SBOM and VEX provide a realistic picture of the true attack surface.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>What is the difference between SPDX and CycloneDX?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Both are established SBOM formats. SPDX originates from the open-source realm and is widely standardized, while CycloneDX comes from application security. Both are machine-readable and suitable for matching with vulnerability data.<\/p>\n<\/details>\n<details>\n<summary><strong>Will the Cyber Resilience Act make SBOMs mandatory?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes. Annex I Part II of Regulation (EU) 2024\/2847 obliges manufacturers to create and retain a machine-readable Software Bill of Materials (SBOM) in the technical documentation. Public release to end customers is not required.<\/p>\n<\/details>\n<details>\n<summary><strong>Is a single SBOM sufficient per product?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Each software version should have its own SBOM, because components and versions change with every update. It is best generated automatically in the build process.<\/p>\n<\/details>\n<details>\n<summary><strong>Does an SBOM help against attacks?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">It does not prevent an attack, but it significantly shortens the response time. When a new vulnerability emerges, the SBOM instantly shows which products are affected, instead of triggering a lengthy manual search.<\/p>\n<\/details>\n<details>\n<summary><strong>Should one require SBOMs from suppliers?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes. Anyone buying or integrating software should request an SBOM to gain visibility into their own supply chain. Without this information, part of the risk remains invisible.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/15\/two-joomla-upload-vulnerabilities-added-to-cisa-kev\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/joomla-icagenda-balbooa-kev-upload-rce-cover-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Two Joomla Upload Vulnerabilities Added to CISA KEV<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/concentration-risk-fourth-party-supply-chain\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/konzentrationsrisiko-vierte-partei-lieferkette-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The concentration risk no supplier audit sees<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/en\/five-points-where-supply-chain-software-fails\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-fuenf-stellen-an-denen-supply-chain-soft-63885613-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Five Points Where Supply Chain Software Fails<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/07\/16\/what-the-mittelstand-can-really-take-over-by-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-flexera-2026-was-der-mittelstand-wirklic-55519903.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What the Mittelstand can really take over by 2026<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/digital-product-passport-what-manufacturers-must-do\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-digitaler-produktpass-hersteller-pflicht-48690623-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Digital Product Passport: What Manufacturers Must Do<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"An SBOM is a machine-readable inventory of all software components. The Cyber Resilience Act makes it a manufacturer requirement.","protected":false},"author":10,"featured_media":22256,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"software bill of materials","_yoast_wpseo_title":"What Is an SBOM? The Software Bill of Materials","_yoast_wpseo_metadesc":"An SBOM is a machine-readable inventory of all software components. The Cyber Resilience Act mandates it for manufacturers.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-eine-sbom-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-eine-sbom-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[263],"tags":[],"class_list":["post-22285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheitslexikon-en"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":22021,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22285"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22285\/revisions"}],"predecessor-version":[{"id":22293,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22285\/revisions\/22293"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/22256"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}