
Explaining SBOMs

An SBOM is a machine-readable list of every component in a piece of software, letting teams find vulnerabilities or license issues quickly and improving supply-chain security.

What is an SBOM?

A Software Bill of Materials (SBOM) is a structured inventory of all components that make up your software. It typically lists each component’s name, version, origin, license, and dependency relationships. SBOMs improve transparency, speed up vulnerability/license audits, and are a key building block of software supply-chain security.

📌 How to create an SBOM

devguard-scanner sbom --output-format json --output-file sbom.json /path/to/your/project

📌 How to upload an SBOM to DevGuard

devguard-scanner sbom --token YOUR_TOKEN --assetName your-asset-name --path /path/to/sbom.json

📌 SBOM Example

{
  "bomFormat": "CycloneDX",
  "specVersion": "<1.x>",
  "version": 1,
  "serialNumber": "urn:uuid:<UUID>",
  "metadata": {
    "timestamp": "<ISO-8601>",
    "component": {
      "type": "application",
      "name": "<PRODUCT>",
      "version": "<VERSION>",
      "bom-ref": "<COMPONENT-ID>"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "<DEP-NAME>",
      "version": "<DEP-VERSION>",
      "bom-ref": "<DEP-ID>"
      /* optional: "licenses", "purl", "hashes", "supplier" … */
    }
  ],
  "dependencies": [
    {
      "ref": "<COMPONENT-ID>",
      "dependsOn": ["<DEP-ID>", "<DEP2-ID>"]
    }
  ]
}
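To show what a consumer actually does with the structure above (the `components` inventory plus the `dependencies` graph), here is an added example that is not part of this guide and not DevGuard's own code. It parses a small CycloneDX SBOM constructed inline (placeholder names, versions and UUID), walks the dependency graph from the root component, and reports the gaps a reviewer cares about: components without a `purl` (which cannot be matched against vulnerability databases), components without a declared license, dangling `dependsOn` references, and declared components that nothing depends on.

```python
import json
from collections import defaultdict

# Constructed sample SBOM for this example (not output of devguard-scanner);
# names, versions and the serial number are illustrative placeholders.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
  "metadata": {
    "timestamp": "2024-01-01T00:00:00Z",
    "component": {"type": "application", "name": "example-app",
                  "version": "1.0.0", "bom-ref": "app"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1", "bom-ref": "libfoo",
     "purl": "pkg:generic/libfoo@2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbar", "version": "0.9.0", "bom-ref": "libbar",
     "purl": "pkg:generic/libbar@0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libbaz", "version": "4.0.2", "bom-ref": "libbaz"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["libfoo", "libbar"]},
    {"ref": "libfoo", "dependsOn": ["libbaz"]}
  ]
}
"""

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "version", "metadata", "components")


def load_sbom(text):
    """Parse JSON and reject anything that is not a minimally complete CycloneDX document."""
    sbom = json.loads(text)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in sbom]
    if missing or sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a usable CycloneDX SBOM, missing keys: {missing}")
    return sbom


def index_components(sbom):
    """Map bom-ref -> component, including the root component from metadata."""
    root = sbom["metadata"]["component"]
    comps = {root["bom-ref"]: root}
    for c in sbom["components"]:
        comps[c["bom-ref"]] = c
    return comps


def dependency_graph(sbom):
    """Adjacency list built from the dependencies array (ref -> list of bom-refs)."""
    graph = defaultdict(list)
    for d in sbom.get("dependencies", []):
        graph[d["ref"]].extend(d.get("dependsOn", []))
    return graph


def transitive_deps(sbom, ref):
    """Every bom-ref reachable from `ref`; iterative and cycle-safe."""
    graph = dependency_graph(sbom)
    seen, stack = [], list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.append(cur)
        stack.extend(graph.get(cur, []))
    return sorted(seen)


def licence_ids(sbom):
    """Declared SPDX licence ids per component, for a quick licence audit."""
    return {c["bom-ref"]: [entry["license"].get("id") for entry in c.get("licenses", [])]
            for c in sbom["components"]}


def audit(sbom):
    """Findings a reviewer wants before trusting the SBOM for vulnerability or licence checks."""
    comps = index_components(sbom)
    graph = dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    findings = []
    for ref, c in comps.items():
        if ref == root:
            continue
        if "purl" not in c:
            findings.append(f"{ref}: no purl, cannot be matched against vulnerability databases")
        if not c.get("licenses"):
            findings.append(f"{ref}: no licence declared")
    referenced = {r for deps in graph.values() for r in deps}
    for r in sorted(referenced - set(comps)):
        findings.append(f"{r}: referenced in dependencies but not declared as a component")
    reachable = set(transitive_deps(sbom, root))
    for ref in comps:
        if ref != root and ref not in reachable:
            findings.append(f"{ref}: declared but not reachable from {root}")
    return sorted(findings)


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    print("transitive dependencies of app:", transitive_deps(doc, "app"))
    for finding in audit(doc):
        print("finding:", finding)
```

Run against an SBOM produced by `devguard-scanner sbom` (after `json.load`-ing the file instead of the inline string), the same functions give you the full transitive closure and a list of components that a vulnerability scanner would silently skip because they carry no `purl`.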

🇪🇺 In the Future

The Cyber Resilience Act (CRA)—published as Regulation (EU) 2024/2847—will reshape how any “product with digital elements” (hardware or software that can connect to a network) is developed, shipped, and maintained:

| Milestone | What happens | Why it matters |
| --- | --- | --- |
| 10 Dec 2024 | CRA entered into force (was published in the Official Journal). | The clock started on the transition period. (Digital Strategy) |
| 11 Sep 2026 | The first tranche of duties (e.g., vulnerability reporting) applies. | Manufacturers must already have processes in place. (openssf.org) |
| 11 Dec 2027 | Full application: every product placed on the EU market must ship with a machine-readable SBOM and comply with all Annex I & II cybersecurity requirements. | No SBOM ⇢ no market access. (Digital Strategy, EUR-Lex) |
| Penalties | Up to €15 million or 2.5 % of worldwide turnover for serious non-compliance. | Similar bite to GDPR fines. (Strobes Security) |