Software Bill of Materials

Contextualize the Software Bill of Materials (SBOM) in the right business context.

Securing and safeguarding your software supply chain has become a first-order concern for product teams and companies.

Below we explain why Software Bills of Materials are shaping up as a key part of the answer to these modern challenges, and how LeanIX can help you make use of them.

Why is creating a Software Bill of Materials relevant?

Building modern-day software encompasses many sources of risk that can jeopardize your business.

Incidents like SolarWinds or log4j have underscored the need for a thorough understanding of every component in your technology stack. As the 2022 State of DevOps report by Google puts it: "Today, the topic of software supply chain security has become widely recognized as urgent — if not over family dinner, certainly in the boardroom".

What is a Software Bill of Materials exactly?

Definition

As a software vendor, you frequently build products by assembling existing software components, both open-source and proprietary. Third-party software libraries are one of the core risk-bearing elements of your software supply chain. Directly or indirectly (through transitive dependencies), they can bring vulnerable or malicious dependencies into your technology stack and thereby open unwanted backdoors into your software, as was the case with log4j.

The core goal of the Software Bill of Materials (SBOM) is to make sense of all the ingredients (software libraries) of any software project in a uniform way. An SBOM is essentially a standardized record containing the details and supply chain relationships of the various components used in building a piece of software. Analogous to the list of ingredients on food packaging, an SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate it.

The importance of, and obligation to, understand and provide a clear picture of the components of any piece of software is underscored by the White House executive order requiring any software supplier to the US government to provide an SBOM.

Benefits

In the bigger scheme of securing your software supply chain (shifting left) to build reliable and secure digital products, VSM helps you decipher the third-party libraries you use in the context of your teams, services, and products. By providing an API to ingest CycloneDX Software Bills of Materials (SBOMs), VSM now lets you navigate SBOMs to secure your software supply chain efficiently.

As an engineer: Consume SBOMs efficiently with LeanIX's easy-to-use interface and filtering capabilities.

As an engineering leader: Reduce security risk by comprehensively assessing vulnerability exposure on service and product levels and speed up response times by centrally prioritizing and monitoring remediation activities across your service landscape.

How do you utilize Software Bill of Materials with LeanIX?

There are multiple open-source formats or schemas for an SBOM, such as SPDX or CycloneDX, that streamline its creation and establish a shared understanding of its contents.

VSM supports the CycloneDX standard. It is backed by many well-known technology associations and is the format most requested by our customer base. If you're using SPDX, feel free to reach out to discuss options.

The SBOM-generation tool universe is expanding at an unprecedented speed. Currently, this results in highly heterogeneous quality of the SBOMs those tools produce.

For VSM we recommend the CycloneDX native tooling to generate SBOMs from your software projects, both for its reliable data quality and for its ease of use (see https://cyclonedx.org/tool-center/ ). This is why LeanIX VSM puts this standard at its core to digest your software libraries and ultimately help you manage your risks.

LeanIX VSM expands upon the technical information captured in a CycloneDX SBOM by bringing the contents of numerous SBOMs into a single central service catalog, where they can be easily accessed, searched and filtered, and are also placed in the wider context of team responsibility and business products. This allows rapid impact assessment when a vulnerable library is found, aiding mitigation.

The following steps are key to securing your software supply chain with SBOMs and LeanIX:

  1. Generate CycloneDX SBOMs: Using the CycloneDX Tool Center, your engineers can create SBOMs from various environments. As this is a popular open-source standard, parts of your company may already be creating them today. Alternatively, LeanIX offers guidance, for example on setups driven from CI/CD pipelines.
  2. Ingest and monitor SBOMs in LeanIX VSM: Connecting your source of SBOM creation to LeanIX ensures that VSM data is kept constantly up to date, a standard that VSM health metrics help you track.
  3. Utilise and maintain the dependency catalog in case of impact: From the LeanIX Service & API catalog, SBOM information is related to the wider context of your organization and available immediately when required, giving you a complete picture of reliable information that guards you against vulnerabilities.
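The impact assessment in step 3 and the transitive-dependency point from the definition above come down to one question: given a library named in an advisory, which of your applications pull it in, and directly or through another dependency? The following script is an added example (not LeanIX or CycloneDX project code) that answers that question by walking the `dependencies` graph of a CycloneDX JSON SBOM. The field names used (`bomFormat`, `metadata.component`, `components`, `bom-ref`, `dependencies`, `dependsOn`) are CycloneDX JSON ones; the embedded SBOM, its component names, versions and `bom-ref` values are constructed for illustration and do not describe any real project.

```python
"""Walk a CycloneDX JSON SBOM to find which components pull in a given
library, directly or transitively. Added example; not LeanIX or CycloneDX code."""
import json

# Constructed sample SBOM in CycloneDX JSON form. Component names, versions,
# bom-refs and purls are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "app:billing-service",
                      "name": "billing-service", "version": "2.3.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "lib:web-framework",
         "name": "web-framework", "version": "5.1.0",
         "purl": "pkg:maven/example/web-framework@5.1.0"},
        {"type": "library", "bom-ref": "lib:logging-facade",
         "name": "logging-facade", "version": "1.7.0",
         "purl": "pkg:maven/example/logging-facade@1.7.0"},
        {"type": "library", "bom-ref": "lib:log4j-core",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "bom-ref": "lib:json-mapper",
         "name": "json-mapper", "version": "2.13.0",
         "purl": "pkg:maven/example/json-mapper@2.13.0"},
    ],
    # Each entry lists what a component depends on; the application itself
    # only references web-framework and json-mapper, log4j-core arrives
    # transitively via web-framework -> logging-facade.
    "dependencies": [
        {"ref": "app:billing-service", "dependsOn": ["lib:web-framework", "lib:json-mapper"]},
        {"ref": "lib:web-framework", "dependsOn": ["lib:logging-facade"]},
        {"ref": "lib:logging-facade", "dependsOn": ["lib:log4j-core"]},
        {"ref": "lib:json-mapper", "dependsOn": []},
        {"ref": "lib:log4j-core", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document; return (components by bom-ref,
    reverse edge map: bom-ref -> list of bom-refs that depend on it)."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {}
    root = sbom.get("metadata", {}).get("component")
    if root:
        components[root["bom-ref"]] = root
    for comp in sbom.get("components", []):
        components[comp["bom-ref"]] = comp
    dependents = {ref: [] for ref in components}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            dependents.setdefault(child, []).append(entry["ref"])
    return components, dependents


def label(components, ref):
    """Human-readable name@version for a bom-ref (falls back to the ref)."""
    comp = components.get(ref, {})
    return f"{comp.get('name', ref)}@{comp.get('version', '?')}"


def impact_paths(text, library_name):
    """Return every dependency path from a root component down to the named
    library, each as a list of name@version strings. Empty result: the library
    is not in this SBOM. Length-2 path: direct dependency. Longer: transitive."""
    components, dependents = load_sbom(text)
    targets = [ref for ref, c in components.items() if c.get("name") == library_name]
    paths = []

    def climb(ref, trail):
        # Walk upwards towards the roots; skip refs already on the trail
        # so a cyclic dependency graph cannot recurse forever.
        parents = [p for p in dependents.get(ref, []) if p not in trail]
        if not parents:
            paths.append([label(components, r) for r in reversed(trail)])
            return
        for parent in parents:
            climb(parent, trail + [parent])

    for target in targets:
        climb(target, [target])
    return paths


def is_direct_dependency(text, library_name):
    """True if some root component lists the library as a direct dependency."""
    return any(len(p) == 2 for p in impact_paths(text, library_name))


if __name__ == "__main__":
    for path in impact_paths(SAMPLE_SBOM, "log4j-core"):
        print(" -> ".join(path))
```

Running the script prints `billing-service@2.3.0 -> web-framework@5.1.0 -> logging-facade@1.7.0 -> log4j-core@2.14.1`, which is exactly the information a responder needs: the application is affected even though nobody in the team ever declared a dependency on log4j-core, and the fix has to go through the upgrade path of web-framework or logging-facade. Running the same walk across every service's SBOM, and joining the root component to its owning team, is the catalog-level view that step 3 describes.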