SBOM — Software Bill of Materials

Compliance · Supply chain
Definition

An SBOM (Software Bill of Materials) is a formal, structured list of all the components, libraries, and dependencies that make up a piece of software. The idea comes from manufacturing — physical products have bills of materials listing every part. An SBOM does the same for software, making it possible to quickly identify what's inside an application and whether any component has a known vulnerability.

Why SBOMs are becoming required

In 2021, a US executive order on cybersecurity required software vendors selling to the federal government to provide SBOMs. The intent was to make it easier to respond to vulnerabilities like Log4Shell — instead of searching through thousands of systems to find which ones use Log4j, an SBOM lets you query a database and get the answer immediately.

The EU Cyber Resilience Act (2025) similarly requires SBOMs for many product categories. Even without regulatory pressure, SBOMs are becoming a standard part of enterprise software procurement — many large companies now require vendors to provide them.

SBOM formats

How to generate an SBOM from your lockfile

# npm projects (run in the project directory after npm install; reads package-lock.json)
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python: the cyclonedx-bom package installs the cyclonedx-py CLI;
# point it at the requirements file that pins your versions
pip install cyclonedx-bom
cyclonedx-py requirements requirements.txt -o sbom.json

# syft (any ecosystem; works on a source tree or a container image)
syft . -o cyclonedx-json > sbom.json
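To make the difference between a lockfile and an SBOM concrete, here is an added example (not the page's code, and not part of PackageFix, cyclonedx-npm or syft) that turns a constructed npm package-lock.json (lockfileVersion 2 or 3) into a minimal CycloneDX 1.5 JSON document. It maps each locked package to a Package URL, carries the lockfile's integrity hash over as a CycloneDX hash, records the license where the lockfile has one, and lists a nested duplicate only once. The lockfile contents, registry host and tarball hashes are all constructed.

```python
"""Build a minimal CycloneDX 1.5 JSON SBOM from an npm package-lock.json (lockfileVersion 2 or 3).

Added example: not the page's code and not how cyclonedx-npm or syft are implemented;
it mimics the shape those tools emit. The lockfile below is constructed.
"""
import base64
import hashlib
import json
import uuid
from datetime import datetime, timezone


def _sri(data: bytes) -> str:
    # npm stores tarball hashes as Subresource Integrity strings: "sha512-<base64>"
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed package-lock.json (names are real packages, but versions, URLs and hashes are made up)
LOCKFILE = {
    "name": "demo-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"lodash": "^4.17.20", "@babel/core": "^7.20.0"}},
        "node_modules/lodash": {"version": "4.17.20",
                                "resolved": "https://registry.example/lodash-4.17.20.tgz",
                                "integrity": _sri(b"constructed lodash tarball"),
                                "license": "MIT"},
        "node_modules/@babel/core": {"version": "7.20.0",
                                     "resolved": "https://registry.example/core-7.20.0.tgz",
                                     "integrity": _sri(b"constructed babel tarball")},
        # nested copy of the same name@version: the SBOM lists it once
        "node_modules/@babel/core/node_modules/lodash": {"version": "4.17.20",
                                                         "integrity": _sri(b"constructed lodash tarball")},
    },
}


def name_from_path(path: str) -> str:
    # "node_modules/@babel/core/node_modules/lodash" -> "lodash"; scoped names keep "@scope/name"
    return path.rsplit("node_modules/", 1)[-1]


def to_purl(name: str, version: str) -> str:
    # Package URL for npm; the purl spec percent-encodes the "@" of a scope as "%40"
    if name.startswith("@"):
        scope, _, base = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{base}@{version}"
    return f"pkg:npm/{name}@{version}"


def integrity_to_hash(integrity: str) -> dict:
    # SRI "sha512-<base64>" -> CycloneDX hash object with hex-encoded content
    algo, _, b64 = integrity.partition("-")
    alg = {"sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}[algo]
    return {"alg": alg, "content": base64.b64decode(b64).hex()}


def lockfile_to_cyclonedx(lock: dict) -> dict:
    root = lock["packages"].get("", {})
    components = {}  # keyed by purl so duplicates collapse
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root entry describes the application itself
        name = name_from_path(path)
        purl = to_purl(name, meta["version"])
        if purl in components:
            continue
        comp = {"type": "library", "bom-ref": purl, "name": name,
                "version": meta["version"], "purl": purl}
        if "integrity" in meta:
            comp["hashes"] = [integrity_to_hash(meta["integrity"])]
        if "license" in meta:
            comp["licenses"] = [{"license": {"id": meta["license"]}}]
        components[purl] = comp
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application",
                          "name": root.get("name", lock.get("name")),
                          "version": root.get("version", lock.get("version"))},
        },
        "components": list(components.values()),
    }


if __name__ == "__main__":
    print(json.dumps(lockfile_to_cyclonedx(LOCKFILE), indent=2))
```

The output has the fields a downstream scanner or auditor needs that the lockfile alone does not present in a standard way: a purl per component (what OSV-style matching keys on), hashes for provenance checks, license identifiers, and a document serial number and timestamp. Real generators add far more (dependency graph, tool metadata, dev/optional scope), which is why the page recommends them over hand-rolling.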

How PackageFix relates to SBOMs

PackageFix isn't an SBOM generator, but it covers the security scanning part of what SBOMs are used for. If you paste your lockfile into PackageFix, it effectively does what SBOM vulnerability scanning does — checks every component against the OSV database and CISA KEV catalog. For formal SBOM generation, use CycloneDX or syft; for quick vulnerability scanning, use PackageFix.

Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.


Common questions

Is an SBOM the same as a lockfile?
They overlap but aren't the same. A lockfile records exact resolved versions for reproducible builds. An SBOM is a formal document designed for external consumption — it follows a standard format (CycloneDX, SPDX), can include license information, provenance data, and component hashes, and is meant to be shared with customers or regulators.
Do I need an SBOM if I'm not selling to the US government?
Not legally required for most organisations. But if you sell software to large enterprises, they increasingly request SBOMs. The EU Cyber Resilience Act will require them for many product categories. It's worth generating one even if not required — it's useful for your own incident response.
Can PackageFix generate an SBOM?
Not yet — PackageFix is focused on vulnerability scanning and fix generation. For SBOM generation, use CycloneDX's official tools or syft; grype, from the same project as syft, scans the resulting SBOM for vulnerabilities. These are free and work with the same manifest files PackageFix accepts.
What's the fastest way to check if an SBOM has CVEs?
Use osv-scanner with a CycloneDX or SPDX file: osv-scanner --sbom sbom.json. Or use PackageFix with your lockfile for a faster browser-based check without needing to generate a formal SBOM first.
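The matching step that "checking an SBOM for CVEs" comes down to, as an added example (not the page's code, and not how PackageFix, osv-scanner or grype are implemented): walk the SBOM's components, key each one by ecosystem and name from its purl, test its version against the affected ranges of every advisory, and flag any matching CVE that also appears in a KEV list. The SBOM fragment, the advisories (a small subset of the OSV schema with made-up ids) and the KEV set are all constructed; prerelease and build suffixes are dropped from versions, which is a simplification compared with a full SemVer comparison.

```python
"""Match the components of a CycloneDX JSON SBOM against a local list of advisories.

Added example, not the page's code and not how PackageFix or osv-scanner work internally.
The SBOM, the advisories (OSV-schema subset) and the KEV list below are all constructed.
"""
import json

# Constructed CycloneDX fragment; package names are real, versions are arbitrary
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "minimist", "version": "1.2.6", "purl": "pkg:npm/minimist@1.2.6"},
        {"type": "library", "name": "@babel/core", "version": "7.20.0", "purl": "pkg:npm/%40babel/core@7.20.0"},
    ],
})

# Constructed advisories (ids, aliases and ranges are made up; shape follows the OSV schema)
ADVISORIES = [
    {"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-0000-00001"],
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "OSV-EXAMPLE-0002", "aliases": ["CVE-0000-00002"],
     "affected": [{"package": {"ecosystem": "npm", "name": "minimist"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "1.2.6"}]}]}]},
]

# Constructed stand-in for the CISA KEV catalog: a set of CVE ids
KEV_IDS = {"CVE-0000-00001"}

# purl type -> OSV ecosystem name (OSV spells some ecosystems differently from purl)
PURL_TYPE_TO_OSV_ECOSYSTEM = {"npm": "npm", "pypi": "PyPI", "golang": "Go", "cargo": "crates.io"}


def parse_version(v: str) -> tuple:
    # "4.17.20" -> (4, 17, 20); prerelease ("-beta") and build ("+meta") suffixes are dropped
    core = v.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def in_semver_range(version: str, events: list) -> bool:
    # OSV SEMVER ranges are ordered events: each "introduced" opens an interval that the next
    # "fixed" closes. An interval left open matches every version at or above its start.
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif "fixed" in event and start is not None:
            if start <= v < parse_version(event["fixed"]):
                return True
            start = None
    return start is not None and v >= start


def scan_sbom(sbom_json: str, advisories: list, kev_ids: set) -> list:
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        purl_type = purl[len("pkg:"):].split("/", 1)[0] if purl.startswith("pkg:") else ""
        ecosystem = PURL_TYPE_TO_OSV_ECOSYSTEM.get(purl_type)
        for adv in advisories:
            for affected in adv.get("affected", []):
                pkg = affected["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"] != comp["name"]:
                    continue
                hit = any(r["type"] == "SEMVER" and in_semver_range(comp["version"], r["events"])
                          for r in affected.get("ranges", []))
                if hit:
                    cves = [a for a in adv.get("aliases", []) if a.startswith("CVE-")]
                    findings.append({"purl": purl, "advisory": adv["id"], "cves": cves,
                                     "in_kev": any(c in kev_ids for c in cves)})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES, KEV_IDS):
        print(json.dumps(f))
```

Two details matter in practice. The range test must treat "fixed" as exclusive (minimist 1.2.6 is not flagged against a range fixed in 1.2.6), and matching must key on ecosystem plus name rather than name alone, since the same package name can exist in several registries. Separating the KEV check from the CVE match is what lets a scanner rank a finding as "known exploited" rather than merely "known vulnerable".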
