Software Bill of Materials (SBOM)
A comprehensive inventory of software components, dependencies, and libraries that comprise an application, enabling vulnerability tracking and supply chain security.
An SBOM is a formal, machine-readable inventory of all software components in an application. It functions as an ingredient list for software, documenting every library, framework, and dependency with version details, licenses, and relationships.
Key characteristics:
- Comprehensive inventory - Lists all direct and transitive dependencies
- Vulnerability mapping - Enables rapid identification of affected components during security incidents by matching component identifiers (name, version, package URL) against vulnerability advisories
- License compliance - Tracks open-source licenses for legal requirements
- Provenance tracking - Documents where each component came from (supplier, download location) and records cryptographic hashes so the component's integrity can be verified
Standard formats: SPDX (Software Package Data Exchange, an ISO/IEC standard maintained under the Linux Foundation) and CycloneDX (an OWASP project). Both have JSON serializations and can express the dependency graph between components, not just a flat list.
Example use case: When the Log4Shell vulnerability (CVE-2021-44228 in Apache Log4j 2) emerged, organizations with accurate SBOMs could query which applications included an affected log4j-core version, including as a transitive dependency pulled in by another library, and prioritize patching, cutting discovery from days to hours. The caveat is that the query is only as good as the inventory: an SBOM that omits transitive dependencies, or that is not regenerated with each build, will miss exactly the embedded copies that made Log4Shell hard to find by hand.
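The query described above, as an added example that is not part of the original page: a small script that loads a CycloneDX JSON SBOM, walks its dependency graph so transitive inclusions are found along with direct ones, and reports components whose version falls in a known affected range. The SBOM is a constructed, minimal CycloneDX 1.5 document for a hypothetical "billing-service" application, and the affected range for log4j-core is simplified to "2.0-beta9 up to, but not including, 2.15.0"; the real advisory for CVE-2021-44228 also lists branch-specific fixed versions (2.12.2 and 2.3.1), so a production tool should take its ranges from an advisory feed rather than hard-coding them.

```python
"""Find components in a CycloneDX JSON SBOM that fall in a vulnerable version range.

Added example, not code from the original page. The SBOM and the affected-version
table below are constructed for illustration (see the comments on each).
"""
import json
import re
from collections import defaultdict

# Constructed sample SBOM. log4j-core is NOT a direct dependency of the
# application; it arrives only through the hypothetical "acme-logging" library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "log4j", "type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "acme", "type": "library", "group": "com.example",
         "name": "acme-logging", "version": "1.0.0",
         "purl": "pkg:maven/com.example/acme-logging@1.0.0"},
        {"bom-ref": "jackson", "type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["acme", "jackson"]},
        {"ref": "acme", "dependsOn": ["log4j"]},
        {"ref": "jackson", "dependsOn": []},
        {"ref": "log4j", "dependsOn": []},
    ],
})

# Simplified affected-range table: (group, name) -> [(advisory, lower_inclusive, upper_exclusive)].
# The Log4Shell range is a stand-in; take real ranges from an advisory feed.
AFFECTED = {
    ("org.apache.logging.log4j", "log4j-core"): [("CVE-2021-44228", "2.0-beta9", "2.15.0")],
}


def version_key(v):
    """Sortable key: numeric dotted prefix padded to three parts, then a release
    flag so a pre-release such as 2.0-beta9 sorts below 2.0. This is a
    simplification; it does not rank pre-releases of the same number."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return nums + (1 if m.group(2) == "" else 0,)


def dependency_paths(sbom, root_ref):
    """Return every path from the root component to each reachable component,
    so a finding can show how a transitive dependency got in."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = defaultdict(list)

    def walk(ref, path):
        for child in graph.get(ref, []):
            if child in path:  # guard against cycles in the dependency graph
                continue
            paths[child].append(path + [child])
            walk(child, path + [child])

    walk(root_ref, [root_ref])
    return paths


def find_affected(sbom_json, affected=AFFECTED):
    """Return a list of findings for components whose version is in an affected range."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    comps[root["bom-ref"]] = root
    paths = dependency_paths(sbom, root["bom-ref"])
    findings = []
    for ref, c in comps.items():
        for cve, lo, hi in affected.get((c.get("group", ""), c["name"]), []):
            if version_key(lo) <= version_key(c["version"]) < version_key(hi):
                # A component absent from the dependency graph is reported as if direct.
                for p in paths.get(ref, [[root["bom-ref"], ref]]):
                    findings.append({
                        "cve": cve,
                        "purl": c.get("purl"),
                        "version": c["version"],
                        "path": " -> ".join(comps[r]["name"] for r in p),
                        "transitive": len(p) > 2,
                    })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM):
        print(f"{f['cve']}: {f['purl']} via {f['path']} (transitive={f['transitive']})")
```

Run against the sample, the script reports log4j-core 2.14.1 reached through billing-service -> acme-logging -> log4j-core; a scan of only the application's declared direct dependencies would have missed it, which is the point of requiring transitive components in the SBOM. Swapping the version to 2.17.1 in the sample produces no findings.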