SBOM security checker
Check your software bill of materials (SBOM) for packages with security vulnerabilities and legal issues. Automate and integrate your entire SBOM management process into developer workflows with Snyk.
Sign up for free to unlock the the full power of Snyk, no credit card required.
3 reasons why you need to maintain a secure and up-to-date SBOM
Develop faster
Maintaining an up-to-date SBOM is crucial to also keep up with rapid software development, in which components and their versions are swiftly changing.
Reduce technical debt
As a developer who uses open source software libraries, you will be the one who will need to move to a different library if license issues arise.
Boost compliance
SBOMs are an important part of a 2022 Executive Order on software supply chain security — meaning SBOM security is going to stay in focus in coming years.
Frequently asked questions
What is a software bill of materials?
A software bill of materials (SBOM) is a complete list of all software components used across an organization. The software bill of material list is made up of third-party open source libraries, vendor provided packages and first-party artifacts built by the organization.
Why do I need to build an SBOM?
An SBOM is essentially an inventory of all of the software components you utilize in your applications. Along with proper security tools (like software composition analysis), an SBOM helps provide clear visibility into the license and security risks associated with software you are building or consuming. Maintaining an up-to-date SBOM format compliant software bill of materials is crucial to also keep up with rapid software development, in which components and their versions are swiftly changing.
Which SBOM standard should I use?
CycloneDX and SPDX are the two most used SBOM standards when it comes to security. You should choose which one to use based on the needs of your project, and you can even choose to implement both. It’s unlikely that we will have a single, set standard for SBOMs anytime soon, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and others stating that they expect multiple formats to be around for some time.
What is CycloneDX?
OWASP CycloneDX is a software bill of material (SBOM) standard designed for application security contexts and supply chain component analysis, providing an inventory of all first-party and third-party software components. The specification is rich and extends beyond software libraries, to standards such as software as a service bill of materials (SaaSBOM), Vulnerability Exploitability Exchange (VEX) and more. The standard is an Apache 2.0 licensed open source project and is open for collaboration at the following open source GitHub repository: https://github.com/CycloneDX/specification.
What is SPDX?
SPDX from The Linux Foundation is another standard for SBOMs that allows the expression of components, licenses, copyrights, security references and other metadata relating to software. SPDX aims to reduce redundant work by making it easy to share important data in a common format, leading to improved compliance, security and dependability. SPDX is a grassroots open source project hosted by the Linux foundation. The full SPDX specification is available here, as well as the SPDX Github repository.
Maintain a secure and up-to-date open source SBOM
By logging in or signing up, you agree to abide by our policies, including our Terms of Service and Privacy Policy