An SBOM, or software bill of materials, is simply a list of all of the pieces of software ("dependencies") that come together to make up your entire application. This list of ingredients is a key part of software supply chain security and risk management.
Tidelift focuses on the application layer of what goes into an end software product. The most useful application-library SBOMs include both your explicitly named direct dependencies and their transitive dependencies, that is, the dependencies of your dependencies. These nested lists can get very long, and it is often illuminating to see an SBOM and gain a full understanding of what goes into your final product, and of how many people outside your organization are actually building it.
SBOMs should also include metadata for each dependency (at minimum the exact version and the license, and ideally where the package came from) and record the "dependency chain" that pulls in each transitive dependency, so that when a problem is found in a deep dependency you can see which direct dependency is responsible for it.
Using SBOMs
SBOMs are only as good as the data contained within them and how current that data is. In the event of a legal review or a security incident, it is much faster for a security or compliance team to work from an existing library of SBOMs than to ask your developers to stop their work and begin end-to-end scanning.
Security teams use SBOMs to track and prioritize known security problems and their remediation timelines. Compliance teams can use SBOMs as an index to keep an inventory of the licenses in use. Developers can use SBOMs to manage dependencies. All of this creates greater interoperability and efficiency within an organization: a shared language for all of these teams that can be generated and maintained automatically from application builds.
The leading SBOM formats are Software Package Data Exchange (SPDX) and CycloneDX. Both are machine-readable and have JSON serializations, so an SBOM can be produced by the build and consumed by tooling without anyone handling it by hand.
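The following is an added example, not Tidelift's code, showing what "consuming" an SBOM looks like in practice for the uses described above: it walks a CycloneDX JSON document, separates direct from transitive dependencies, recovers the dependency chain that pulls in each package, builds a license inventory, and matches components against a known-issue list. The SBOM and the issue list are constructed for the demonstration (the package versions are not claimed to be vulnerable, and the `EXAMPLE-` identifiers are hypothetical); everything else follows the CycloneDX 1.5 `components` / `dependencies` structure.

```python
"""Walk a CycloneDX JSON SBOM: split direct from transitive dependencies,
recover the chain that pulls in each package, build a license inventory and
match components against a known-issue list. Added example, not Tidelift's
code; the SBOM and issue list below are constructed sample data."""
import json
from collections import deque


def _lib(name, version, licenses=None):
    """Build one CycloneDX library component (constructed sample data)."""
    ref = f"pkg:pypi/{name}@{version}"
    comp = {"type": "library", "name": name, "version": version, "bom-ref": ref, "purl": ref}
    if licenses:
        comp["licenses"] = licenses
    return comp


# Constructed CycloneDX 1.5 document: two direct dependencies, one transitive dependency shared by
# two parents (markupsafe), one component with no license data (certifi) and one listed component
# that no dependency entry points to (setuptools), which is a data-quality gap worth surfacing.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "my-app",
                               "version": "1.0.0", "bom-ref": "pkg:pypi/my-app@1.0.0"}},
    "components": [
        _lib("requests", "2.31.0", [{"license": {"id": "Apache-2.0"}}]),
        _lib("flask", "3.0.0", [{"license": {"id": "BSD-3-Clause"}}]),
        _lib("urllib3", "2.0.7", [{"license": {"id": "MIT"}}]),
        _lib("certifi", "2023.7.22"),
        _lib("werkzeug", "3.0.1", [{"license": {"id": "BSD-3-Clause"}}]),
        _lib("jinja2", "3.1.2", [{"license": {"id": "BSD-3-Clause"}}]),
        _lib("markupsafe", "2.1.3", [{"expression": "BSD-3-Clause"}]),
        _lib("setuptools", "68.0.0", [{"license": {"id": "MIT"}}]),
    ],
    "dependencies": [
        {"ref": "pkg:pypi/my-app@1.0.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/flask@3.0.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
        {"ref": "pkg:pypi/flask@3.0.0", "dependsOn": ["pkg:pypi/werkzeug@3.0.1", "pkg:pypi/jinja2@3.1.2"]},
        {"ref": "pkg:pypi/werkzeug@3.0.1", "dependsOn": ["pkg:pypi/markupsafe@2.1.3"]},
        {"ref": "pkg:pypi/jinja2@3.1.2", "dependsOn": ["pkg:pypi/markupsafe@2.1.3"]},
    ],
})

# Constructed known-issue list with hypothetical identifiers; not real advisories.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-0001", "package": "pkg:pypi/urllib3", "affected": ["2.0.7"]},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/pyyaml", "affected": ["5.4.1"]},
]


def load_sbom(text):
    """Parse the JSON and refuse anything that does not declare itself as CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def dependency_graph(sbom):
    """Return (root ref, {ref: component}, {ref: [refs it depends on]})."""
    root = sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root, components, edges


def dependency_chains(sbom):
    """Breadth-first walk from the application root; returns {ref: shortest chain from root}."""
    root, _, edges = dependency_graph(sbom)
    chains, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in chains:  # first discovery in BFS order is a shortest chain
                chains[child] = chains[ref] + [child]
                queue.append(child)
    return chains


def classify(sbom):
    """Split components into direct, transitive and orphans (listed but unreachable from the root)."""
    root, components, edges = dependency_graph(sbom)
    reachable = set(dependency_chains(sbom)) - {root}
    direct = set(edges.get(root, []))
    return {"direct": direct, "transitive": reachable - direct, "orphans": set(components) - reachable}


def license_inventory(sbom):
    """Map each SPDX id or expression to the refs using it; missing data is bucketed as NOASSERTION."""
    inventory = {}
    for ref, comp in dependency_graph(sbom)[1].items():
        ids = [e.get("expression") or e["license"].get("id") or e["license"].get("name", "NOASSERTION")
               for e in comp.get("licenses", [])]
        for lic in ids or ["NOASSERTION"]:
            inventory.setdefault(lic, []).append(ref)
    return {lic: sorted(refs) for lic, refs in inventory.items()}


def match_known_issues(sbom, issues=KNOWN_ISSUES):
    """Exact package@version match, annotated with the chain that pulled the package in.
    Real feeds publish version ranges; range evaluation is deliberately left out here."""
    _, components, _ = dependency_graph(sbom)
    chains = dependency_chains(sbom)
    hits = []
    for ref, comp in components.items():
        package, _, version = comp.get("purl", "").rpartition("@")
        for issue in issues:
            if issue["package"] == package and version in issue["affected"]:
                hits.append({"advisory": issue["id"], "ref": ref, "chain": chains.get(ref)})
    return hits
```

Run `classify(load_sbom(SAMPLE_SBOM))` to see the two direct dependencies, the five transitive ones, and `setuptools` flagged as an orphan: a component that appears in the list but that no `dependencies` entry links to, which usually means the generator did not record the full chain. `match_known_issues` returns the matching advisory together with the chain `my-app -> requests -> urllib3`, which is exactly the information a team needs to know which direct dependency to update, and `license_inventory` puts `certifi` under `NOASSERTION` so that missing license data is visible rather than silently omitted.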
Proactively investing in your open source software
SBOMs also serve as an index for understanding who is actually building your application. Spoiler alert: 80% of it, on average, is not your internal development team! Tidelift uses SBOM information to make reliable income available to open source maintainers. We enter into a business contract that guarantees the package will continue to be maintained, that security hygiene is in place, that security issues will be handled, and that licensing data is correct. Tidelift ensures that the full dependency chain has income available. This "long tail" of dependencies is often overlooked by larger grant programs.
Teams can also use an SBOM to see which packages are used most widely across the organization, and make faster and more strategic choices about where to participate in upstream communities with code and other project contributions.