Brussels / 4 & 5 February 2023


The 7 key ingredients of a great SBOM

Ensuring your SBOM includes enough data to be actionable

SBOMs vary wildly in the data they offer to consumers, and to make them truly useful we need to consider seven important points in their contents. Let's immerse ourselves in real-world software bill of materials data to look for the required features all great SBOMs ought to have.

As a record of components, SBOMs can vary wildly in how they describe software. Some SBOMs lean toward security and some toward licensing. Some do a good job in their own niche, while others do not offer enough information to even understand what it is they are talking about.

In this talk, we will visit the 7 key data points (syntactic correctness, dependencies, licensing, semantic structure, software identifiers, supplier data, and software integrity info) required to make sure your SBOM is useful to the widest possible audience. We will take an inner look into real-world SBOMs using the Kubernetes bom outliner. We will inspect how they are structured and the data they offer, looking for clues on how we could improve them, with the goal of learning what a great Software Bill of Materials looks like.
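To make the seven data points concrete, here is an added example (not part of the talk or of the Kubernetes bom tool) that audits an SPDX 2.3 JSON document for each of them. The SBOM it inspects is constructed inline, with a well-described top-level package and a deliberately thin dependency so that the audit has something to report; the field names (spdxVersion, packages, relationships, licenseConcluded, supplier, checksums, externalRefs) are standard SPDX 2.3 JSON, while the SPDX IDs, package names and the example.invalid namespace are made up.

```python
"""Audit an SPDX 2.3 JSON SBOM for the seven ingredients of an actionable SBOM.

Added example, not code from the talk or from the Kubernetes bom project.
"""
import json

# Constructed sample SBOM; it is not a real project's SBOM. Field names follow
# SPDX 2.3 JSON, identifiers and URLs are placeholders.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/sbom/example-app",
    "creationInfo": {"created": "2023-02-04T10:00:00Z",
                     "creators": ["Tool: constructed-example"]},
    "packages": [
        {   # a well-described package: supplier, license, hash and purl present
            "name": "example-app",
            "SPDXID": "SPDXRef-Package-example-app",
            "versionInfo": "1.0.0",
            "supplier": "Organization: Example Org",
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "Apache-2.0",
            "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:golang/example.invalid/example-app@1.0.0"}],
        },
        {   # a thin entry: no supplier, no checksums, no identifiers, license unknown
            "name": "leftpad",
            "SPDXID": "SPDXRef-Package-leftpad",
            "versionInfo": "2.0.0",
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-leftpad"},
    ],
})

INGREDIENTS = ["syntax", "dependencies", "licensing", "structure",
               "identifiers", "supplier", "integrity"]
DEP_TYPES = {"DEPENDS_ON", "DEPENDENCY_OF"}
ID_REF_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def audit_sbom(text):
    """Return {ingredient: [findings]}; an empty list means the ingredient is present."""
    findings = {k: [] for k in INGREDIENTS}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        findings["syntax"].append(f"not valid JSON: {exc}")
        return findings  # nothing else can be checked without a parse
    for field in ("spdxVersion", "SPDXID", "name", "documentNamespace",
                  "creationInfo", "packages"):
        if field not in doc:
            findings["syntax"].append(f"missing top-level field {field}")
    pkgs = {p.get("SPDXID"): p for p in doc.get("packages", [])}
    rels = doc.get("relationships", [])
    known = set(pkgs) | {doc.get("SPDXID")} | {"NOASSERTION", "NONE"}

    # Semantic structure: the document must say what it describes, and every
    # relationship must point at elements that actually exist in the document.
    if not any(r.get("relationshipType") == "DESCRIBES" and
               r.get("spdxElementId") == doc.get("SPDXID") for r in rels):
        findings["structure"].append("no DESCRIBES relationship from the document")
    for r in rels:
        for side in ("spdxElementId", "relatedSpdxElement"):
            if r.get(side) not in known:
                findings["structure"].append(f"dangling element reference {r.get(side)}")

    # Dependencies: a component list without edges is an inventory, not a graph.
    if not any(r.get("relationshipType") in DEP_TYPES for r in rels):
        findings["dependencies"].append("no DEPENDS_ON/DEPENDENCY_OF relationships")

    # Per-package data: licensing, identifiers, supplier and integrity.
    for sid, p in pkgs.items():
        name = p.get("name", sid)
        if p.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
            findings["licensing"].append(f"{name}: licenseConcluded is "
                                         f"{p.get('licenseConcluded', 'absent')}")
        refs = {r.get("referenceType") for r in p.get("externalRefs", [])}
        if not refs & ID_REF_TYPES:
            findings["identifiers"].append(f"{name}: no purl/cpe externalRef")
        if not (p.get("supplier") or p.get("originator")):
            findings["supplier"].append(f"{name}: no supplier or originator")
        if not p.get("checksums"):
            findings["integrity"].append(f"{name}: no checksums")
    return findings


def ingredients_present(findings):
    """Count how many of the seven ingredients have no findings."""
    return sum(1 for k in INGREDIENTS if not findings[k])


if __name__ == "__main__":
    result = audit_sbom(SAMPLE_SBOM)
    print(f"{ingredients_present(result)}/7 ingredients present")
    for key in INGREDIENTS:
        for msg in result[key]:
            print(f"  [{key}] {msg}")
```

Run as a script it reports 3/7 for the constructed document: syntax, structure and dependencies are fine, while the thin leftpad entry fails licensing, identifiers, supplier and integrity. That is the typical shape of a real-world SBOM gap: the top-level artifact is well described and the transitive components are not, which is exactly where a consumer trying to match advisories or verify a download needs the data.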


Adolfo García Veytia