What Is an SBOM (Software Bill of Materials)?

A software bill of materials (SBOM) is a complete inventory of the components that make up an application, including open-source packages, their versions, and their dependencies. It exists so teams can answer a basic question fast: what is actually in this software, and is any of it vulnerable? An SBOM is only as useful as it is accurate and current.

July 15, 2026
July 15, 2026

0 min read

Application Security
SCA Security
What Is an SBOM? (Software Bill of Materials)

What is a software bill of materials?

A software bill of materials is a structured inventory of everything that goes into a piece of software: the open-source and third-party packages it uses, the exact versions, and the transitive dependencies those packages pull in. The name borrows from manufacturing, where a bill of materials lists every part in a product. In software, the parts are components, and most of them are open source that your team did not write.

The purpose is traceability. When a new vulnerability is disclosed in a popular package, the first question is whether you use it and where. Without an inventory, answering that means a scramble across every repository. With an accurate SBOM, it is a lookup.

What an SBOM includes

  • Components and versions. Each package and the specific version in use.
  • Dependency relationships. Which components pull in which others, including transitive dependencies several layers deep.
  • Licenses. The license of each component, for compliance and legal review.
  • Supplier and provenance data. Where a component came from, increasingly important for supply-chain trust.

Common formats are SPDX and CycloneDX, which make an SBOM machine-readable and shareable across tools and organizations.

Why SBOMs matter

Modern applications are mostly assembled, not written. A single direct dependency can pull in dozens of transitive ones, so the real attack surface is far larger than the code a team authored. SBOMs became a focus after high-profile supply-chain incidents showed how a compromised or vulnerable component deep in the tree can affect thousands of downstream applications. They are also increasingly expected: regulators and enterprise buyers now ask vendors for an SBOM as a condition of trust.

The limit of a traditional SBOM, and what fixes it

A standard SBOM has a blind spot: it lists what is declared, not what actually runs. A manifest can show dozens of vulnerable packages, most of which are never loaded or executed in production. Acting on the raw list means chasing vulnerabilities that pose no real risk while the genuinely exposed ones sit in the same undifferentiated pile.

Runtime context is what turns an inventory into a priority list. Kodem enriches the SBOM with runtime intelligence to produce a runtime bill of materials (RBOM): the same inventory, annotated with whether each component is actually loaded and whether its vulnerable functions execute. That is the difference between a list of everything you depend on and a short list of what is exposed and worth fixing. See how this works in runtime-powered SCA and reachability analysis, grounded in runtime intelligence.

Frequently Asked Questions

What is an SBOM?

A software bill of materials (SBOM) is a complete inventory of the components in an application, including open-source packages, their versions, dependency relationships, and licenses. It lets teams quickly answer what is in their software and whether any of it is vulnerable.

What is included in an SBOM?

Components and their exact versions, dependency relationships including transitive dependencies, license information, and supplier or provenance data. Common machine-readable formats are SPDX and CycloneDX.

Why are SBOMs important?

Modern software is mostly assembled from open-source components, so the real attack surface is larger than the code a team wrote. SBOMs let teams trace exposure when a vulnerability is disclosed, and they are increasingly required by regulators and enterprise buyers.

What is the difference between an SBOM and an RBOM?

An SBOM lists the components declared in the software. A runtime bill of materials (RBOM) adds runtime context, showing which components actually load and which vulnerable functions execute, so teams can prioritize what is genuinely exposed.

What formats are used for SBOMs?

The two most widely used standards are SPDX and CycloneDX. Both make the SBOM machine-readable so it can be generated, shared, and consumed automatically across tools and organizations.

Table of contents

Related blogs

What is an LLM Jailbreak?

What is an LLM Jailbreak?

An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.

July 15, 2026

4

What is RAG Security?

What is RAG Security?

RAG security covers the risks of retrieval-augmented generation: injection through retrieved content, data poisoning, and leakage. The threats and how to defend.

July 15, 2026

4

What is MCP Security?

What is MCP Security?

MCP security covers the risks of the Model Context Protocol connecting AI agents to tools and data. The main threats, and how to contain them at runtime.

July 15, 2026

4

Stop the waste.
Protect your environment with Kodem.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

3D book mockup of Kodem's State of the Application Security Workflow 2025 report

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Kodem issues list with a magnified view of insight icons: runtime, ingress, and exploitability
Combined author
Idan Bartura
Publish date

0 min read

Application Security

SCA Security