Software Bill of Materials management including generation, formats, vulnerability tracking, and supply chain security
View on GitHub: melodic-software/claude-code-plugins
compliance-planning
plugins/compliance-planning/skills/sbom-management/SKILL.md
January 21, 2026
Install: `npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/compliance-planning/skills/sbom-management/SKILL.md -a claude-code --skill sbom-management` (installs to `.claude/skills/sbom-management/`)

# SBOM Management
Comprehensive guidance for Software Bill of Materials creation, maintenance, and supply chain security.
## When to Use This Skill
- Creating SBOMs for software releases
- Responding to customer SBOM requests
- Tracking software components and dependencies
- Implementing supply chain security
- Meeting regulatory requirements (Executive Order 14028, EU CRA)
## SBOM Fundamentals
### What is an SBOM?
A Software Bill of Materials is a formal, machine-readable inventory of software components and dependencies, their relationships, and associated metadata.
```text
Your Application
├── Dependency A (v1.2.3) → Transitive Dep X
├── Dependency B (v2.0.0) → Transitive Dep Y, Z
├── Dependency C (v3.1.0)
└── Direct code components
```
### NTIA Minimum Elements
Baseline elements per the NTIA "Minimum Elements for a Software Bill of Materials" (July 2021); these are a floor, not a complete SBOM:
| Element | Description | Example |
|---------|-------------|---------|
| **Supplier Name** | Entity that creates/maintains | "Microsoft" |
| **Component Name** | Designation of component | "System.Text.Json" |
| **Version** | Version identifier | "8.0.0" |
| **Other Unique Identifiers** | Identifiers used to look the component up in other databases | PURL, CPE, SWHID |
| **Dependency Relationship** | Which component is included in which (upstream/downstream) | "depends-on" |
| **Author of SBOM Data** | Who created SBOM | "Contoso Inc" |
| **Timestamp** | When SBOM created | "2025-01-15T10:30:00Z" |
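As an added example (not part of the original skill or the melodic-software repository), the script below checks a CycloneDX 1.5 JSON document against the seven NTIA elements listed above, mapping each to where CycloneDX carries it: `metadata.authors`, `metadata.timestamp`, per-component `supplier.name`, `name`, `version`, `purl`/`cpe`, and the `dependencies` graph. The embedded SBOM is constructed for this example; one component deliberately lacks a supplier and a package URL so the checker has something to report. A dangling `dependsOn` reference is also flagged, since a graph that points at nothing is not a usable dependency relationship.

```python
"""Check a CycloneDX 1.5 JSON SBOM against the NTIA minimum elements."""
import json
from datetime import datetime

# Constructed sample SBOM (not from any real build). "dep-b" deliberately
# omits its supplier and purl so the check has findings to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {
        "timestamp": "2025-01-15T10:30:00Z",
        "authors": [{"name": "Contoso Inc"}],
        "component": {"type": "application", "bom-ref": "app",
                      "name": "YourApplication", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:nuget/System.Text.Json@8.0.0",
         "supplier": {"name": "Microsoft"}, "name": "System.Text.Json",
         "version": "8.0.0", "purl": "pkg:nuget/System.Text.Json@8.0.0"},
        {"type": "library", "bom-ref": "dep-b", "name": "DependencyB",
         "version": "2.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:nuget/System.Text.Json@8.0.0", "dep-b"]},
    ],
})


def check_ntia_minimum_elements(sbom_json: str) -> dict:
    """Return {'ok': bool, 'findings': [...]} for the seven NTIA elements."""
    bom = json.loads(sbom_json)
    findings = []
    meta = bom.get("metadata", {})

    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX; checker only handles CycloneDX JSON")

    # Author of SBOM Data lives in metadata.authors; the tool that generated
    # the file (metadata.tools) is not the author in the NTIA sense.
    if not meta.get("authors"):
        findings.append("metadata.authors missing (NTIA: Author of SBOM Data)")

    # Timestamp must exist and parse as ISO 8601 / RFC 3339.
    ts = meta.get("timestamp")
    if not ts:
        findings.append("metadata.timestamp missing (NTIA: Timestamp)")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"metadata.timestamp not ISO 8601: {ts!r}")

    components = bom.get("components", [])
    refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    root_ref = meta.get("component", {}).get("bom-ref")
    if root_ref:
        refs.add(root_ref)

    # Per-component elements: Supplier Name, Component Name, Version, Other IDs.
    for c in components:
        label = c.get("bom-ref") or c.get("name", "<unnamed>")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{label}: supplier.name missing (NTIA: Supplier Name)")
        if not c.get("name"):
            findings.append(f"{label}: name missing (NTIA: Component Name)")
        if not c.get("version"):
            findings.append(f"{label}: version missing (NTIA: Version)")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{label}: no purl or cpe (NTIA: Other Unique Identifiers)")

    # Dependency Relationship: every bom-ref must appear in the graph, and
    # every dependsOn target must resolve to a declared bom-ref.
    covered = set()
    for edge in bom.get("dependencies", []):
        covered.add(edge.get("ref"))
        for target in edge.get("dependsOn", []):
            covered.add(target)
            if target not in refs:
                findings.append(f"dependencies: {target!r} does not resolve to any bom-ref")
    for ref in sorted(refs - covered):
        findings.append(f"{ref}: absent from dependencies graph (NTIA: Dependency Relationship)")

    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    result = check_ntia_minimum_elements(SAMPLE_SBOM)
    print("NTIA minimum elements:", "OK" if result["ok"] else "INCOMPLETE")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a real file with `check_ntia_minimum_elements(open("bom.json").read())`; a passing result means the NTIA floor is met, not that the SBOM is complete or that the identifiers are accurate, so it belongs alongside schema validation rather than replacing it.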
### SBOM Formats
| Format | Strengths | Use Case |
|--------|-----------|----------|
| **CycloneDX** | Security-focused (OWASP); embeds vulnerabilities and VEX; standardized as ECMA-424 | Vulnerability management |
| **SPDX** | Strong license and provenance metadata (Linux Foundation); ISO/IEC 5962 standard | License compliance |
| **SWID** | Software identification tags (ISO/IEC 19770-2) for installed software | Asset management |
## CycloneDX (Recommended)
### Basic Structure
A minimal CycloneDX 1.5 JSON document. Note that the array form of `metadata.tools` shown below is marked deprecated in 1.5 in favour of an object with `components`/`services`; both still validate against the 1.5 schema.
```json
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"metadata": {
"timestamp": "2025-01-15T10:30:00Z",
"tools": [
{
"vendor": "CycloneDX