Software bill of materials

device          \
library/tool     -- Component \
application     /              \
                                \
owned           \                \
3rd party        -- Component      -- Project/Product
open source     /                /
                                /
licenses        \              /
vulnerabilities  -- Component /
state           /

CDX (CycloneDX) Composition

  • Generate micro SBOMs manually or automatically (one per component)
  • Collect all micro SBOMs
  • Collect all components from them
  • Remove duplicate components (the same package reported by more than one micro SBOM)
  • Reflect the dependency graph in the composed SBOM
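The composition steps above carried out in Python on two constructed CycloneDX JSON micro SBOMs (an added example, not code from the original page or from the CycloneDX project). The product name, the use of purl as the de-duplication identity, and the rule that the product depends directly on every component nothing else depends on are assumptions of this example.

```python
# Constructed sample micro SBOMs in CycloneDX JSON shape (not from any real project).
MICRO_SBOMS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "components": [
         {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
          "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
         {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3",
          "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"}],
     "dependencies": [
         {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "components": [
         # Same package as above, but under a different, tool-specific bom-ref.
         {"type": "library", "bom-ref": "urllib3-2.0.7", "name": "urllib3",
          "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
         {"type": "library", "bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi",
          "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"}],
     "dependencies": [
         {"ref": "urllib3-2.0.7", "dependsOn": ["pkg:pypi/certifi@2023.7.22"]}]},
]

def component_key(c):
    """Identity used for de-duplication (assumed): purl, or name@version when absent."""
    return c.get("purl") or f"{c.get('name')}@{c.get('version', '')}"

def compose(micro_sboms, product_name):
    """Merge micro SBOMs into one product SBOM: union components, drop duplicates,
    and rewrite every dependency edge onto the de-duplicated component identity."""
    components = {}   # canonical key -> component (first occurrence wins, order kept)
    depends = {}      # canonical key -> set of canonical keys it depends on
    for bom in micro_sboms:
        ref_to_key = {}   # bom-refs are only unique within one BOM, so map them per BOM
        for c in bom.get("components", []):
            key = component_key(c)
            ref_to_key[c.get("bom-ref", key)] = key
            components.setdefault(key, {**c, "bom-ref": key})
        for d in bom.get("dependencies", []):
            targets = {ref_to_key.get(r, r) for r in d.get("dependsOn", [])}
            depends.setdefault(ref_to_key.get(d["ref"], d["ref"]), set()).update(targets)
    # Assumption: components nothing else depends on are the product's direct dependencies.
    all_targets = set().union(*depends.values())
    roots = [k for k in components if k not in all_targets]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "bom-ref": product_name, "name": product_name}},
        "components": list(components.values()),
        "dependencies": [{"ref": product_name, "dependsOn": roots}]
                        + [{"ref": k, "dependsOn": sorted(v)} for k, v in sorted(depends.items())],
    }
```

Running `compose(MICRO_SBOMS, "shop-backend")` yields three components (urllib3 appears once) and a dependency list in which the edge from the second micro SBOM's tool-specific bom-ref now points at the shared purl.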