<!-- Source: https://melinasecurity.com/knowledge/glossary/sbom/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# SBOM

**slug:** `sbom` · **URL:** `/knowledge/glossary/sbom/` · **category:** Supply Chain Security · **reviewer:** Tatiana K.

### Definition

SBOM (Software Bill of Materials) is a machine-readable inventory of the software components, dependencies, and metadata that make up an application or firmware image. It is the software equivalent of a manufacturing bill of materials and is increasingly required by procurement frameworks and government regulation.

### What it means

SBOMs catalog every component of a software system: third-party libraries, open-source dependencies, internal modules, build-time versus runtime dependencies, license metadata and, in both major formats, cryptographic hashes of each component for integrity verification. The standard formats are SPDX (Software Package Data Exchange, published as ISO/IEC 5962) and CycloneDX (an OWASP project). U.S. Executive Order 14028 (May 2021) directed federal agencies to require an SBOM from vendors of software sold to the government and tasked NTIA with defining the minimum elements (linked below), which accelerated adoption across the industry.

For connected-device manufacturers, SBOMs serve three primary purposes: vulnerability response (when a CVE is published for a dependency, the SBOM tells you which products contain the affected version without manual investigation), procurement compliance (FedRAMP, ENISA, and China MLPS Level 3+ increasingly require them), and supply-chain auditability (verifying that what you ship matches what you expect, especially for embedded firmware where dependencies are often opaque). Note that an SBOM records presence, not exploitability: whether a vulnerable function is actually reachable in the shipped product is a separate determination.
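The two technical uses above, hash verification of a shipped tree and "which components does this advisory hit", in working code. This is an added example, not Melina's tooling: it builds a constructed firmware tree and a matching CycloneDX 1.5 document in a temporary directory, records each component's file path under the 1.5 `evidence.occurrences` field, then checks the tree after one file is tampered with and one is missing. The component names, versions, file contents, and the "zlib fixed in 1.3.1" advisory are all hypothetical sample data.

```python
"""Added example: verify a shipped firmware tree against a CycloneDX 1.5 SBOM
and find components affected by an advisory. Sample data is constructed."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_version(v):
    """Dotted numeric version -> tuple of ints; non-digit parts compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_sample(root):
    """Write a constructed 'shipped' tree under root and return the CycloneDX
    1.5 SBOM that describes it, with SHA-256 hashes taken from the files as
    written. Hypothetical components and contents, not a real firmware image."""
    files = {
        "bin/busybox": b"\x7fELF busybox 1.36.1 (constructed)",
        "lib/libz.so.1.2.13": b"\x7fELF zlib 1.2.13 (constructed)",
        "lib/libcurl.so.4": b"\x7fELF curl 8.5.0 (constructed)",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def component(name, version, rel):
        return {
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name}@{version}",
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(files[rel]).hexdigest()}],
            # CycloneDX 1.5: where the component was observed in the artifact
            "evidence": {"occurrences": [{"location": rel}]},
        }

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "firmware",
                                   "name": "acme-gateway", "version": "2.4.1"}},
        "components": [
            component("busybox", "1.36.1", "bin/busybox"),
            component("zlib", "1.2.13", "lib/libz.so.1.2.13"),
            component("curl", "8.5.0", "lib/libcurl.so.4"),
        ],
    }


def verify_hashes(sbom, root):
    """Return {component name: 'ok' | 'mismatch' | 'missing' | 'unverifiable'}.
    A component with no SHA-256 or no recorded location cannot be checked."""
    result = {}
    for c in sbom["components"]:
        sha = next((h["content"] for h in c.get("hashes", [])
                    if h["alg"] == "SHA-256"), None)
        occ = c.get("evidence", {}).get("occurrences", [])
        if sha is None or not occ:
            result[c["name"]] = "unverifiable"
            continue
        path = os.path.join(root, occ[0]["location"])
        if not os.path.isfile(path):
            result[c["name"]] = "missing"
        elif sha256_file(path) == sha:
            result[c["name"]] = "ok"
        else:
            result[c["name"]] = "mismatch"
    return result


def affected_components(sbom, name, fixed_in):
    """'name@version' for every component called `name` below `fixed_in`."""
    return [f"{c['name']}@{c['version']}" for c in sbom["components"]
            if c["name"] == name
            and parse_version(c["version"]) < parse_version(fixed_in)]


def demo():
    with tempfile.TemporaryDirectory() as root:
        sbom = build_sample(root)
        json.dumps(sbom)  # serialises as a plain CycloneDX JSON document
        clean = verify_hashes(sbom, root)
        # Tamper with zlib and drop curl after the SBOM was produced.
        with open(os.path.join(root, "lib/libz.so.1.2.13"), "ab") as f:
            f.write(b"\x90")
        os.remove(os.path.join(root, "lib/libcurl.so.4"))
        tampered = verify_hashes(sbom, root)
        hits = affected_components(sbom, "zlib", "1.3.1")  # hypothetical advisory
    return clean, tampered, hits


if __name__ == "__main__":
    print(demo())
```

The `unverifiable` status is the one to watch in practice: an SBOM that lists components without hashes or locations supports vulnerability lookup but not the "what we ship matches what we expect" check, and the two should not be conflated in a report.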

In offensive-security assessment, SBOMs are both an asset (when the client provides one) and a deliverable. We use client SBOMs to scope vulnerability hunting; when one is missing, we extract the firmware filesystem and generate an SBOM from it with tools like [Syft](https://github.com/anchore/syft) or commercial alternatives, then deliver the SBOM alongside the security report.

The natural extension into hardware is the Hardware Bill of Materials (HBOM), which inventories chips, sub-systems, and electronic components. HBOM is less mature as a standard than SBOM but is gaining traction in regulated industries (medical devices, automotive).

### Where it appears at Melina

Standard scope item in [IoT & Embedded Security](/services/iot-embedded-security/), [Architecture & Cloud Review](/services/architecture-cloud-review/), and the [Supply-Chain Security solution](/solutions/supply-chain-security/).

### Related terms

- [CVE](/knowledge/glossary/cve/)
- [CWE](/knowledge/glossary/cwe/)
- [SPDX](/knowledge/glossary/spdx/)
- [CycloneDX](/knowledge/glossary/cyclonedx/)

### Authoritative sources

- [CISA SBOM resources](https://www.cisa.gov/sbom)
- [NTIA SBOM minimum elements](https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report.pdf)
- [SPDX 2.3 specification](https://spdx.github.io/spdx-spec/)
- [CycloneDX 1.5 specification](https://cyclonedx.org/specification/overview/)

---

