Glossary

Software Bill of Materials (SBOM)

An SBOM is a machine-readable inventory of every component in a piece of software — each dependency, its version, and its license. It's what lets you answer 'are we affected?' in minutes when the next critical CVE drops.

A Software Bill of Materials is to software what an ingredients list is to food: a complete, structured manifest of every component that went into the build, including transitive dependencies, with versions and licenses. The common formats are CycloneDX and SPDX.

The reason SBOMs went from nice-to-have to mandated (by US Executive Order 14028 and, increasingly, by enterprise procurement) is incident response. When Log4Shell broke, the teams that could answer 'do we ship a vulnerable Log4j, and where' in minutes had an SBOM; everyone else spent days grepping build logs. An SBOM turns that question into a lookup.

An SBOM is only useful if it's current and verifiable, so it's generated as part of the build and stored alongside the artifact — not written by hand after the fact.
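What that lookup looks like in practice, as an added example written for this glossary entry (it is not GateTest code and does not use the GateTest SBOM endpoint): a small CycloneDX JSON document is parsed, every component matching an advisory's group and name is checked against a half-open affected-version range, and the dependency graph is walked back to the root so the answer includes not just "are we affected" but "which direct dependency pulled the vulnerable version in". The SBOM, the service names and the advisory record are all constructed for the example; the version range is a placeholder, not the range of any real CVE.

```python
"""Answer 'are we affected, and where?' from a CycloneDX SBOM.

Added example. Both the SBOM and the advisory below are constructed for
illustration; they are not output of any real build or vulnerability feed.
"""
import json
import re

# Constructed CycloneDX 1.4-style SBOM for a hypothetical service "shop-api".
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "pkg:maven/example/shop-api@3.2.0",
                  "group": "example", "name": "shop-api", "version": "3.2.0"}
  },
  "components": [
    {"bom-ref": "pkg:maven/example/billing-lib@1.4.0",
     "group": "example", "name": "billing-lib", "version": "1.4.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0",
     "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/shop-api@3.2.0",
     "dependsOn": ["pkg:maven/example/billing-lib@1.4.0",
                   "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
                   "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"]},
    {"ref": "pkg:maven/example/billing-lib@1.4.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}
"""

# Constructed advisory record: versions >= introduced and < fixed are affected.
# The numbers are placeholders for the example, not the range of any real CVE.
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "introduced": "2.0", "fixed": "2.15.0"}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1). Only the leading digits of each
    dot-separated part are used, so pre-release tags such as '-beta9' are
    ignored; production code should use an ecosystem-aware version library."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (a half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_sbom(text):
    """Index a CycloneDX JSON document: components by bom-ref, plus the
    dependency graph (ref -> list of refs it depends on)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for c in bom.get("components", []):
        components[c["bom-ref"]] = c
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return {"root": root["bom-ref"], "components": components, "graph": graph}


def dependency_paths(graph, start, target, path=None):
    """All acyclic paths from start to target through the dependency graph.
    This is the 'where' in 'are we affected, and where'."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for child in graph.get(start, []):
        if child not in path:  # guard against cyclic dependency declarations
            found.extend(dependency_paths(graph, child, target, path))
    return found


def find_affected(sbom, advisory):
    """Components matching the advisory's group/name whose version falls in
    the affected range, each with the dependency paths that pull it in."""
    hits = []
    for ref, comp in sbom["components"].items():
        if comp.get("group") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        if not is_affected(comp["version"], advisory["introduced"], advisory["fixed"]):
            continue
        hits.append({"ref": ref, "version": comp["version"],
                     "paths": dependency_paths(sbom["graph"], sbom["root"], ref)})
    return hits


if __name__ == "__main__":
    for hit in find_affected(load_sbom(SBOM_JSON), ADVISORY):
        print(f"AFFECTED: {hit['ref']}")
        for p in hit["paths"]:
            print("  via " + " -> ".join(r.split("/")[-1] for r in p))
```

Two things worth noticing in the output. The build carries two copies of log4j-core, and only the older one, pulled in transitively by billing-lib, falls in the range; the direct 2.17.1 dependency is clean. That is exactly the case a grep over build logs gets wrong and a graph walk gets right, and the path tells you which dependency a version bump has to target. The version comparison is deliberately naive (numeric tuples) to keep the example short; real matching should respect the package ecosystem's versioning rules.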

How GateTest handles it

GateTest exposes an SBOM endpoint and inventories dependencies as part of a scan, so the components it's reasoning about are enumerated rather than implicit. Paired with the dependencies and CVE-feed modules, the same inventory drives 'are we affected' answers and version-bump fixes.

Related modules: dependencies, cveFeed

Frequently asked questions

Why do I need an SBOM?

So you can answer 'are we affected?' immediately when a new critical CVE is disclosed. An SBOM is a complete, machine-readable inventory of your components and versions, which turns incident response from a multi-day grep into a lookup. It is also increasingly required by regulation and enterprise procurement.

What formats are SBOMs in?

The two widely used standards are CycloneDX and SPDX. Both are machine-readable and list every component, its version, and its license, including transitive dependencies.

See SBOM on your own repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.

Related terms