This chapter covers Software Bill of Materials (SBOM), a critical component of vulnerability management and software supply chain security. SBOMs are explicitly tested in CompTIA CySA+ CS0-003 under Objective 2.4 (Vulnerability Management). Expect 2-3 questions on the exam that test your understanding of SBOM structure, use cases, and integration with vulnerability management workflows. Mastery of SBOM concepts is essential for identifying and mitigating risks from third-party and open-source components.
Jump to a section
Imagine a large restaurant chain that produces a signature burger. The burger's recipe includes a bun from Baker A, a beef patty from Supplier B, cheese from Dairy C, and a special sauce made from 10 ingredients sourced from four different vendors. If a supplier issues a recall—say, Baker A discovers a batch of buns contaminated with listeria—the restaurant needs to know immediately which burgers contain that specific bun lot. Without a detailed ingredient list (a "bill of materials"), the restaurant would have to shut down all locations and manually trace every burger, losing revenue and risking customer health. A Software Bill of Materials (SBOM) works exactly the same way: it is a machine-readable inventory of all software components (open-source libraries, third-party APIs, and their versions) that make up an application. When a vulnerability like Log4Shell (CVE-2021-44228) is announced, an organization can query its SBOMs to find every application that includes the vulnerable version of Log4j, just as the restaurant checks its ingredient list to find every burger with the contaminated buns. Without an SBOM, security teams must manually inspect code repositories, package managers, and deployment manifests—a slow, error-prone process that leaves the organization exposed. The SBOM enables automated, rapid response to supply chain vulnerabilities, making it a cornerstone of modern software supply chain security.
What is an SBOM and Why Does It Exist?
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components—including open-source libraries, third-party modules, and their versions—that constitute a software application. The concept is analogous to a bill of materials used in manufacturing, which lists every part required to build a product. In software, the SBOM provides transparency into the supply chain, enabling organizations to quickly identify and respond to vulnerabilities in their dependencies.
The need for SBOMs became urgent after high-profile supply chain attacks such as SolarWinds (2020) and the Log4j vulnerability (2021). In the SolarWinds attack, malicious code was inserted into a legitimate software update, affecting thousands of customers who had no way to inventory the components of the software they were using. Similarly, Log4j (CVE-2021-44228) was a critical remote code execution vulnerability in the widely used Apache Log4j logging library. Organizations scrambled to find all instances of Log4j in their environments—a task that took weeks for many due to lack of component visibility. SBOMs solve this problem by providing a standardized, queryable list of components.
How SBOMs Work Internally
An SBOM is typically generated during the software build process. Build tools (e.g., Maven, Gradle, npm, pip) resolve dependencies and output a manifest file. This manifest is then transformed into a standard SBOM format. The two most common formats are:
CycloneDX: An OWASP standard, lightweight, and designed for security use cases. It supports components, services, vulnerabilities, and pedigree.
SPDX: ISO/IEC 5962:2021 standard, originally for licensing but expanded for security. It provides detailed component information and relationships.
Both formats are machine-readable (JSON or XML). An SBOM contains:
Component Name: The name of the library or module (e.g., "log4j-core").
Version: The exact version number (e.g., "2.14.1").
Supplier: The entity that created the component (e.g., "Apache Software Foundation").
Dependencies: Relationships between components (e.g., Component A depends on Component B).
Hashes: Cryptographic hashes (SHA-256, SHA-512) of the component files, used for integrity verification.
Licenses: License information (e.g., Apache 2.0).
Vulnerabilities: Optionally, known vulnerabilities associated with the component.
Key Components and Values
Component Identifier: A unique identifier, often a Package URL (purl) like pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1.
Supplier: The organization or individual that created the component. This is critical for trustworthiness.
Version: Must be precise (e.g., 2.14.1, not just "2.x"). Version ranges are not acceptable for vulnerability matching.
Dependency Graph: A tree structure showing which components depend on others. Transitive dependencies (dependencies of dependencies) are included.
Hash: Typically SHA-256 or SHA-512 for each component file. This allows verification that the component has not been tampered with.
Timestamp: When the SBOM was generated. Important for freshness.
Configuration and Verification Commands
Generating an SBOM typically involves a build plugin or CLI tool. Examples:
- For Maven (CycloneDX):
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.7.1</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
</plugin> Run: mvn package -> generates target/bom.json.
- For npm (SPDX):
npm install --save-dev spdx-sbom-generator
npx spdx-sbom-generator- For Python (CycloneDX):
pip install cyclonedx-bom
cyclonedx-py -i requirements.txt -o bom.jsonVerification: An SBOM can be validated against its schema to ensure correctness. For CycloneDX, use:
npm install -g @cyclonedx/cyclonedx-cli
cyclonedx-cli validate bom.jsonInteraction with Vulnerability Management
SBOMs integrate with vulnerability databases (e.g., NVD, GitHub Advisory Database) to identify known vulnerabilities. Tools like OWASP Dependency-Check, Snyk, and Black Duck ingest SBOMs and cross-reference component versions against CVE databases. This process is called SBOM-based vulnerability scanning. The scanner outputs a list of vulnerabilities affecting the components in the SBOM, including severity scores (CVSS) and remediation advice.
In a CI/CD pipeline, SBOM generation is typically automated after every build. The SBOM is then stored in a repository (e.g., a database or artifact store) for later querying. When a new vulnerability is disclosed, the security team can query the SBOM repository to find all affected applications within minutes, rather than manually searching.
Standards and Regulations
SBOMs are increasingly mandated by regulations. The US Executive Order on Improving the Nation's Cybersecurity (EO 14028) requires software vendors selling to the federal government to provide SBOMs. The NTIA (National Telecommunications and Information Administration) has published minimum elements for SBOMs. The EU Cyber Resilience Act also includes SBOM requirements.
Formats in Detail
CycloneDX (OWASP):
Designed for application security context.
Supports components, services, vulnerabilities, and pedigree (history of changes).
Uses JSON or XML.
Example snippet:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"components": [
{
"type": "library",
"name": "log4j-core",
"version": "2.14.1",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"hashes": [{"alg": "SHA-256", "content": "abc123..."}]
}
]
}SPDX (Linux Foundation):
Focused on licensing and compliance, but extended for security.
Uses JSON, XML, or tag:value format.
Includes relationships (e.g., DEPENDS_ON, GENERATED_FROM).
Example snippet:
{
"spdxVersion": "SPDX-2.3",
"packages": [
{
"name": "log4j-core",
"versionInfo": "2.14.1",
"supplier": "Organization: Apache Software Foundation",
"checksums": [{"algorithm": "SHA256", "checksumValue": "abc123..."}]
}
]
}Key Differences Between CycloneDX and SPDX
CycloneDX is more security-oriented; SPDX is more license-oriented.
CycloneDX supports services (e.g., external APIs) as first-class citizens; SPDX treats them as packages.
CycloneDX has built-in vulnerability support; SPDX relies on external references.
SPDX is an ISO standard; CycloneDX is an OWASP standard but widely adopted.
Best Practices
Generate SBOMs automatically at build time.
Store SBOMs in a versioned repository.
Use a standard format (CycloneDX or SPDX) for interoperability.
Include hashes for integrity verification.
Update SBOMs when dependencies change.
Integrate SBOM scanning into CI/CD pipeline to fail builds on critical vulnerabilities.
Share SBOMs with customers and partners as part of supply chain transparency.
Common Pitfalls
Incomplete SBOMs: Missing transitive dependencies. Ensure the tool resolves all transitive dependencies.
Stale SBOMs: Using an SBOM generated months ago. Dependencies may have changed; regenerate with each release.
Ignoring SBOMs: Generating but never using them. Automate vulnerability scanning against SBOMs.
Format Mismatch: Using a format that tools don't support. Stick to CycloneDX or SPDX.
Exam Relevance
The CS0-003 exam expects you to understand:
The purpose and structure of an SBOM.
How SBOMs are used in vulnerability management (identifying vulnerable components).
The difference between CycloneDX and SPDX.
The role of SBOMs in software supply chain security.
How to interpret an SBOM to find a specific component and version.
The importance of hashes for integrity.
Regulatory drivers (EO 14028, NTIA minimum elements).
You will not be asked to generate an SBOM from scratch, but you may be given a sample SBOM and asked to identify a component or vulnerability.
Generate SBOM at build time
During the software build process, a build tool (like Maven, Gradle, npm, or pip) resolves all direct and transitive dependencies. A plugin or CLI tool then produces an SBOM file (JSON or XML) in a standard format such as CycloneDX or SPDX. The SBOM includes each component's name, version, supplier, and cryptographic hash. This step ensures that the SBOM reflects the exact set of components used in that build. For example, when building a Java application with Maven, the CycloneDX Maven plugin scans the project's POM file and all resolved dependencies, then outputs a `bom.json` file. The hash of each component file (e.g., JAR) is computed using SHA-256 to ensure integrity. The SBOM is typically stored as a build artifact along with the compiled application.
Store SBOM in a repository
The generated SBOM is uploaded to a centralized repository or database, often alongside the application binary. This repository can be a simple file server, an artifact repository (like JFrog Artifactory or Sonatype Nexus), or a dedicated SBOM management platform. The SBOM is indexed by application name, version, and timestamp. This allows security teams to query all applications using a specific component. For example, if a new vulnerability is discovered in Log4j 2.14.1, the team can search the repository for any SBOM that lists log4j-core version 2.14.1. The repository should maintain historical SBOMs for every release to enable retrospective analysis. Access controls should be enforced to prevent tampering.
Ingest SBOM into vulnerability scanner
A vulnerability management tool (like OWASP Dependency-Check, Snyk, or Black Duck) reads the SBOM and cross-references each component's name and version against vulnerability databases (NVD, GitHub Advisory, etc.). The scanner uses the Package URL (purl) or CPE (Common Platform Enumeration) to match components to known vulnerabilities. For each match, it retrieves the CVE ID, CVSS score, and affected version range. The scanner then outputs a report listing all vulnerabilities affecting the application. This process can be automated in the CI/CD pipeline: after the SBOM is generated, the scanner runs immediately and fails the build if a vulnerability above a certain severity threshold is found. For example, a scanner might flag log4j-core 2.14.1 with CVE-2021-44228 (CVSS 10.0) and block the build.
Query SBOM repository for incident response
When a new vulnerability is publicly disclosed (e.g., a zero-day), the security team queries the SBOM repository to find all applications that contain the vulnerable component. This query can be executed via API or a search interface. For example, using a tool like Dependency-Track, the team can search for all components with the name "log4j-core" and version less than 2.17.0. The repository returns a list of affected applications, their versions, and deployment locations (e.g., Kubernetes cluster, cloud instance). This step reduces the time to identify impacted assets from days to minutes. The team can then prioritize patching based on CVSS score and asset criticality. Without an SBOM, this step would require manual inspection of every application's dependency manifest, which is error-prone and slow.
Remediate and update SBOM
Once the affected applications are identified, the development teams update the vulnerable component to a patched version. After the fix, a new build is triggered, generating an updated SBOM that reflects the new component versions. The updated SBOM is stored in the repository, replacing the old one. The vulnerability scanner re-evaluates the new SBOM to confirm that the vulnerability is resolved. This step closes the loop: the SBOM is kept current, enabling continuous monitoring. For example, after upgrading log4j-core from 2.14.1 to 2.17.1, the new SBOM shows version 2.17.1, and the scanner reports no known vulnerabilities for that version. The security team can verify that all affected applications have been patched by re-querying the repository.
Scenario 1: Large Financial Institution
A global bank uses hundreds of microservices built on Java and Node.js. Each microservice depends on dozens of open-source libraries. The bank adopted CycloneDX SBOM generation in their CI/CD pipeline (Jenkins). Every build produces an SBOM that is uploaded to a central Dependency-Track instance. When Log4j vulnerability was announced, the security team queried Dependency-Track for all components named "log4j-core" with version < 2.17.0. Within 10 minutes, they identified 47 microservices using vulnerable versions. They prioritized patching based on the CVSS score (10.0) and business criticality. The team then triggered automated rebuilds with the updated dependency. The SBOM repository allowed them to track remediation progress and provide evidence to auditors. Without SBOMs, the bank would have spent weeks manually reviewing each service's dependencies.
Scenario 2: SaaS Provider
A SaaS company provides a customer-facing web application. They use a commercial vulnerability scanner that integrates with their CI/CD pipeline. They generate SPDX SBOMs for every release and store them in an S3 bucket. When a vulnerability is disclosed in a popular npm package (e.g., node-fetch), they query the S3 bucket using Athena to find all builds that include the affected version. They then notify the affected customers and deploy patches. The company also shares SBOMs with enterprise customers as part of their security compliance. This transparency has helped them win contracts with government agencies that require SBOMs per EO 14028.
Common Problems When Misconfigured
Incomplete SBOMs: If the build tool does not resolve transitive dependencies, the SBOM misses components. A scanner will not detect vulnerabilities in those transitive dependencies. For example, if the SBOM only lists direct dependencies, Log4j might be missed if it is a transitive dependency of another library. Solution: use tools that resolve the full dependency tree (e.g., Maven's dependency:tree).
Stale SBOMs: If SBOMs are not regenerated after dependency updates, the repository contains outdated information. When a vulnerability is disclosed, the team might miss affected applications because the SBOM does not reflect the current state. Solution: enforce SBOM generation on every build.
Format Incompatibility: If the SBOM is generated in a format not supported by the vulnerability scanner, scanning fails. For example, a scanner might only support CycloneDX, but the team generates SPDX. Solution: standardize on one format or use tools that support both.
Lack of Hash Verification: Without hashes, an attacker could tamper with a component after the SBOM is generated, and the SBOM would not detect the change. Solution: always include SHA-256 hashes and verify them during deployment.
Performance Considerations: Generating an SBOM adds minimal overhead (a few seconds) to the build process. Storing SBOMs requires negligible storage (a few KB per SBOM). Querying an SBOM repository with millions of entries should be indexed for performance. Tools like Dependency-Track can handle tens of thousands of SBOMs.
Exactly What CS0-003 Tests
Objective 2.4: Vulnerability Management — specifically, the use of SBOMs for identifying vulnerable components.
Key Subtopics:
Purpose of SBOMs (supply chain transparency, vulnerability identification).
Formats: CycloneDX and SPDX (know the differences).
Minimum elements (component name, version, supplier, dependency relationships, hashes).
Integration with vulnerability scanners (e.g., Dependency-Check).
Regulatory context (EO 14028, NTIA minimum elements).
Common Wrong Answers
"SBOMs are used to track software licenses only." This is a common misconception because SPDX originated for licensing. However, the exam tests SBOMs in the context of vulnerability management. The correct answer is that SBOMs are used for both license compliance and vulnerability identification, but the exam focus is on security.
"An SBOM lists only direct dependencies." Many candidates think transitive dependencies are not included. In reality, a complete SBOM includes all transitive dependencies. The exam may present a scenario where an SBOM is incomplete and ask why a vulnerability was missed.
"SBOMs are only needed for open-source components." SBOMs cover all components, including commercial off-the-shelf (COTS) software, custom code, and third-party APIs. The exam might test that SBOMs apply to any software component.
"Generating an SBOM is a manual process." The exam emphasizes automation. SBOMs should be automatically generated during the build process.
Specific Numbers and Terms
NTIA Minimum Elements: Supplier name, component name, version, dependency relationships, author of SBOM data, timestamp.
CycloneDX vs SPDX: CycloneDX is from OWASP; SPDX is ISO 5962:2021. CycloneDX has native vulnerability support; SPDX requires external references.
Formats: JSON and XML are common. SPDX also supports tag:value.
Hash Algorithms: SHA-256 is the minimum recommended; SHA-512 is also used.
Package URL (purl): A standard identifier like pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1.
Edge Cases and Exceptions
Version Ranges: The exam may test that version ranges (e.g., "2.x") are not acceptable. Precise versions are required.
Multiple SBOMs for the same application: If an application is rebuilt with different dependencies, each build has its own SBOM. The exam might ask which SBOM is authoritative: the one from the latest build.
SBOMs for services: CycloneDX supports services (external APIs). The exam might include a scenario where a service dependency is listed.
How to Eliminate Wrong Answers
Focus on the purpose: If the question is about vulnerability identification, the answer should involve SBOMs being used to find vulnerable components. Eliminate answers that mention only licensing.
Automation: If an answer suggests manual generation, it is likely wrong.
Completeness: If an answer implies SBOMs only list direct dependencies, it is incorrect.
Format: If the question asks for the standard format, remember that both CycloneDX and SPDX are valid, but CycloneDX is more security-focused. The exam may ask which format is recommended for security (CycloneDX).
Regulations: If a question references government requirements, EO 14028 and NTIA are key.
SBOM is a machine-readable inventory of all software components in an application.
Two primary formats: CycloneDX (OWASP, security-focused) and SPDX (ISO, license-focused).
Minimum elements per NTIA: supplier, component name, version, dependency relationships, author, timestamp.
SBOMs must include transitive dependencies, not just direct ones.
SBOMs enable rapid identification of vulnerable components during incident response.
Automatically generate SBOMs at build time and store them in a repository.
Use hashes (SHA-256) for integrity verification of components.
Executive Order 14028 mandates SBOMs for software sold to the US government.
SBOMs are inputs to vulnerability scanners like OWASP Dependency-Check.
Version must be precise (e.g., 2.14.1); version ranges are not acceptable.
These come up on the exam all the time. Here's how to tell them apart.
CycloneDX
Developed by OWASP, focused on security use cases.
Native support for vulnerabilities and services (e.g., external APIs).
Lightweight JSON/XML format.
Widely adopted in DevSecOps toolchains.
Not an ISO standard (but de facto standard for security).
SPDX
Developed by Linux Foundation, originally for license compliance.
ISO/IEC 5962:2021 standard.
Supports JSON, XML, and tag:value formats.
Stronger for license and pedigree information.
Vulnerability support requires external references (e.g., externalRef).
Mistake
SBOMs are only for open-source software components.
Correct
SBOMs include all components: open-source libraries, commercial off-the-shelf (COTS) software, custom code, and even third-party APIs. The goal is to inventory every piece of software that makes up an application, regardless of its source.
Mistake
An SBOM is the same as a software composition analysis (SCA) report.
Correct
An SBOM is a list of components; an SCA report is an analysis that identifies vulnerabilities, licenses, and other risks in those components. The SBOM is the input to SCA. SCA tools consume SBOMs to produce vulnerability reports.
Mistake
SBOMs are only needed for security purposes.
Correct
While security is a primary driver, SBOMs also support license compliance, supply chain transparency, and operational management (e.g., knowing which components need updates). The CS0-003 exam focuses on security, but the broader use is multi-purpose.
Mistake
Generating an SBOM once is sufficient for the lifetime of an application.
Correct
SBOMs must be regenerated with every build or update because dependencies change. A stale SBOM may miss newly added or updated components, leading to incomplete vulnerability coverage. Best practice is to generate an SBOM for every release.
Mistake
CycloneDX and SPDX are interchangeable and have identical capabilities.
Correct
While both are standard formats, they have different strengths. CycloneDX has built-in support for vulnerabilities and services, making it more suitable for security. SPDX is ISO-standardized and stronger for license compliance. The exam expects you to know the difference.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
An SBOM is a formal, machine-readable inventory of all components that make up a software application, including open-source libraries, third-party modules, and their versions. It is used to identify vulnerabilities, manage licenses, and ensure supply chain transparency. The CS0-003 exam tests your understanding of SBOMs in the context of vulnerability management.
The NTIA minimum elements are: Supplier Name, Component Name, Version of the Component, Other Unique Identifiers (like purl), Dependency Relationship, Author of SBOM Data, and Timestamp. These elements ensure that the SBOM is useful for vulnerability identification. The exam may ask you to identify which elements are mandatory.
An SBOM lists every component with its version. When a new vulnerability is disclosed (e.g., CVE-2021-44228 in Log4j), security teams can query the SBOM repository to find all applications that include the vulnerable version. This allows them to quickly patch affected systems. Without an SBOM, identifying all instances of a vulnerable component is slow and error-prone.
CycloneDX, developed by OWASP, is designed for application security and natively supports vulnerabilities and services. SPDX, an ISO standard, originated for license compliance but can be used for security with external references. For the exam, remember that CycloneDX is more security-oriented, while SPDX is more license-oriented.
Yes, a complete SBOM must include all transitive dependencies (dependencies of dependencies). If only direct dependencies are listed, vulnerabilities in transitive dependencies will be missed. The exam may test this by presenting an incomplete SBOM that leads to a missed vulnerability.
An SBOM should be generated for every build or release of an application. Dependencies can change frequently, and a stale SBOM may not reflect the current state. Best practice is to automate SBOM generation in the CI/CD pipeline so that every build produces an up-to-date SBOM.
A Package URL (purl) is a standard identifier for a software package, such as `pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1`. It uniquely identifies a component and its version, making it easier to match against vulnerability databases. The exam may include purl in sample SBOMs.
You've just covered Software Bill of Materials (SBOM) — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?