SBOM (Software Bill of Materials)
An SBOM is a machine-readable inventory of every component and dependency that makes up a piece of software — the prerequisite for vulnerability-by-component scanning at scale.
Definition
A Software Bill of Materials (SBOM) is a structured list of every component — first-party and third-party, open-source and proprietary — that ships inside a piece of software. The list typically includes component name, version, supplier, license, and a hash for integrity. SBOMs let downstream consumers run automated vulnerability matching: given a new CVE published against `openssl 3.0.4`, an organisation with SBOMs for every internal artifact can immediately answer "which of our deployed services include that exact OpenSSL version?".
The two dominant formats are SPDX (an ISO/IEC standard) and CycloneDX (an OWASP project). U.S. Executive Order 14028 (2021) made SBOMs a requirement for software sold to the federal government, kicking off broad ecosystem adoption.
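As an added example (not part of the original entry), the matching question above carried out over CycloneDX SBOMs for three services: the SBOM documents, service names and component versions are all constructed here, and only a minimal subset of the CycloneDX JSON schema is used (bomFormat, specVersion, components with name, version, purl and nested components).

```python
# Added example, not from the original page. Answers "which deployed services
# include openssl 3.0.4?" by walking one constructed CycloneDX SBOM per service.
# Field names follow the CycloneDX 1.x JSON schema; values are made up.

# 'batch-worker' nests the library inside a plugin component so the
# recursive walk below is exercised; 'auth-service' ships a different version.
SBOMS = {
    "payments-api": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "openssl", "version": "3.0.4",
         "purl": "pkg:generic/openssl@3.0.4"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
    ]},
    "auth-service": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
    ]},
    "batch-worker": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "application", "name": "reporting-plugin", "version": "2.1",
         "components": [
             {"type": "library", "name": "OpenSSL", "version": "3.0.4",
              "purl": "pkg:generic/openssl@3.0.4"},
         ]},
    ]},
}


def walk_components(component_list):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in component_list:
        yield comp
        yield from walk_components(comp.get("components", []))


def affected_services(sboms, package, affected_versions):
    """Return {service: [matching versions]} for components named `package`.
    Names compare case-insensitively; versions must match exactly (no ranges)."""
    hits = {}
    for service, bom in sboms.items():
        if bom.get("bomFormat") != "CycloneDX":  # refuse documents we cannot parse
            raise ValueError(f"{service}: not a CycloneDX document")
        for comp in walk_components(bom.get("components", [])):
            if (comp.get("name", "").lower() == package.lower()
                    and comp.get("version") in affected_versions):
                hits.setdefault(service, []).append(comp["version"])
    return hits
```

Calling `affected_services(SBOMS, "openssl", {"3.0.4"})` reports `payments-api` and `batch-worker` but not `auth-service`, which is exactly the per-artifact answer the paragraph describes.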
Mitigation
Not applicable — SBOM is a process / artefact, not a vulnerability.