Published Apr 15

🌐Software Bill of Materials (SBOM)

What Is An SBOM?

A Bill of Materials (BOM) is a comprehensive list of the raw materials, components, and instructions needed to build, manufacture, or repair a product. In software development, a Software Bill of Materials (SBOM) serves the same purpose: it is a detailed inventory of the components that make up an application, meaning the libraries and packages it depends on (including transitive dependencies), each with its version and, ideally, a stable identifier such as a package URL (purl) and its license.

Why?

An SBOM provides visibility into the software's dependencies, so an organization can see exactly which components, at which versions, ship in a given release. It also feeds vulnerability scanning tools, which match each component and version against vulnerability databases and flag known issues, ranked by severity. One caveat: a match means a vulnerable version is present, not that the vulnerable code path is reachable in the application, so scanner findings still need triage rather than blind remediation.

It is also becoming a compliance requirement, as regulations and industry standards increasingly call for SBOMs. In the U.S., Executive Order 14028 on Improving the Nation's Cybersecurity directed the Department of Commerce to publish the minimum elements of an SBOM and, through its implementing guidance, requires federal agencies to obtain SBOMs from their software suppliers, so that the components in purchased software are transparent and their risk can be managed. NIST's Secure Software Development Framework (SP 800-218) likewise calls for recording and sharing component provenance, for example in an SBOM, and ISO/IEC 5230 (the OpenChain specification for open source license compliance) depends on the same kind of component inventory, since licenses cannot be managed for components that have not been identified.

Other initiatives, such as NTIA's "Minimum Elements for a Software Bill of Materials" guidance and the EU Cyber Resilience Act (CRA), are also pushing for broader adoption of SBOMs as a baseline for software transparency and vulnerability management.

As a result, SBOMs are no longer just a best practice - they're quickly becoming a critical part of regulatory compliance, especially for organizations working with governments, critical infrastructure, or sensitive data.

Generating SBOMs Through GitHub

In GitHub, you can generate an SBOM by opening a repository's Insights tab, selecting Dependency graph, and clicking Export SBOM. This downloads a machine-readable JSON file in the SPDX format. The same document is available from the REST API (GET /repos/{owner}/{repo}/dependency-graph/sbom), which is the practical way to fetch it from a script or a CI job. Either way, the SBOM is built from GitHub's dependency graph, so it lists only the dependencies declared in manifest and lock files the graph understands; vendored or hand-copied code will not appear in it.

(Screenshot: the Export SBOM button on the repository's Dependency graph page.)

Alternatively, you can use gh-sbom, an extension for the GitHub CLI published in GitHub's advanced-security organization, to produce either SPDX or CycloneDX (CDX) output directly from your terminal: install it with gh extension install advanced-security/gh-sbom, then run gh sbom -r OWNER/REPO for SPDX, adding -c for CycloneDX (see the extension's README for the current flags). It reads the same dependency graph data as the web export, so both have the same coverage.
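Once exported, an SBOM is an ordinary JSON document, and its value comes from what you do with it next: match each component against a vulnerability database, review licenses, or spot components that cannot be matched at all. The script below is an added example written for this page, not Rocket.Chat's own tooling and not GitHub's. It parses an SPDX 2.3 JSON document in the shape GitHub exports (including the top-level "sbom" key the REST endpoint wraps it in) and extracts the fields a scanner needs. The sample document is constructed for the example and names nothing from the real Rocket.Chat SBOM.

```python
"""Parse an SPDX 2.3 JSON SBOM (the format GitHub's "Export SBOM" produces) and list
its components the way a vulnerability scanner consumes them: ecosystem, name,
version, purl. Added example for this page; it is not Rocket.Chat code."""
import json
from collections import Counter
from typing import Any, Optional


def _pkg(spdxid: str, name: str, version: Optional[str] = None,
         purl: Optional[str] = None, license_: Optional[str] = None) -> dict[str, Any]:
    # One SPDX package entry with the fields GitHub's export populates.
    pkg: dict[str, Any] = {"SPDXID": spdxid, "name": name,
                           "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
    if version:
        pkg["versionInfo"] = version
    if license_:
        pkg["licenseConcluded"] = license_
    if purl:
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": purl}]
    return pkg


# Constructed sample in SPDX 2.3 JSON shape; NOT a real Rocket.Chat export.
# GitHub's REST endpoint GET /repos/{owner}/{repo}/dependency-graph/sbom wraps the
# document in a top-level "sbom" key, so load_sbom() accepts either form.
SAMPLE_SBOM = json.dumps({"sbom": {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "name": "com.github.example/app", "documentDescribes": ["SPDXRef-app"],
    "packages": [
        _pkg("SPDXRef-app", "example/app", "1.0.0"),
        _pkg("SPDXRef-lodash", "lodash", "4.17.21", "pkg:npm/lodash@4.17.21", "MIT"),
        _pkg("SPDXRef-babel", "@babel/core", "7.24.0", "pkg:npm/%40babel/core@7.24.0", "MIT"),
        _pkg("SPDXRef-requests", "requests", "2.31.0", "pkg:pypi/requests@2.31.0", "Apache-2.0"),
        _pkg("SPDXRef-checkout", "actions/checkout", "4", "pkg:githubactions/actions/checkout@4"),
        # Neither version nor purl (typical of vendored code): no scanner can match it.
        _pkg("SPDXRef-mystery", "mystery-lib"),
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-lodash", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-requests", "relationshipType": "DEPENDS_ON"},
    ],
}})


def load_sbom(text: str) -> dict[str, Any]:
    """Parse the JSON and unwrap GitHub's optional {"sbom": {...}} envelope."""
    doc = json.loads(text)
    doc = doc.get("sbom", doc)
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT" or "packages" not in doc:
        raise ValueError("not an SPDX JSON document")
    return doc


def purl_of(pkg: dict[str, Any]) -> Optional[str]:
    """The package's purl external reference, or None if it has none."""
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)


def ecosystem_of(purl: Optional[str]) -> str:
    """'pkg:npm/%40babel/core@7.24.0' -> 'npm'; no purl -> 'unknown'."""
    return purl[4:].split("/", 1)[0] if purl and purl.startswith("pkg:") else "unknown"


def components(doc: dict[str, Any]) -> list[dict[str, Any]]:
    """Every package except the root(s) listed in documentDescribes."""
    roots = set(doc.get("documentDescribes", []))
    out = []
    for pkg in doc["packages"]:
        if pkg["SPDXID"] not in roots:
            purl = purl_of(pkg)
            out.append({"name": pkg["name"], "version": pkg.get("versionInfo"), "purl": purl,
                        "ecosystem": ecosystem_of(purl),
                        "license": pkg.get("licenseConcluded", "NOASSERTION")})
    return out


def unmatchable(doc: dict[str, Any]) -> list[str]:
    """Components a scanner cannot look up because purl or version is missing."""
    return [c["name"] for c in components(doc) if not (c["purl"] and c["version"])]


def direct_dependencies(doc: dict[str, Any]) -> list[str]:
    """Names the described root package DEPENDS_ON, from the relationships section."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    roots = set(doc.get("documentDescribes", []))
    return sorted(names[r["relatedSpdxElement"]] for r in doc.get("relationships", [])
                  if r["relationshipType"] == "DEPENDS_ON" and r["spdxElementId"] in roots)


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)  # real export: load_sbom(open("sbom.json").read())
    for c in components(sbom):
        print(f'{c["ecosystem"]:<14}{c["name"]:<20}{c["version"] or "?":<10}{c["license"]}')
    print("by ecosystem:", dict(Counter(c["ecosystem"] for c in components(sbom))))
    print("direct:", direct_dependencies(sbom), "unmatchable:", unmatchable(sbom))
```

To run it against a real export, replace SAMPLE_SBOM with the contents of the downloaded file. The unmatchable() check is the one to watch: a component with no purl or no version is invisible to vulnerability matching, so every name it reports is a blind spot in the scan, not a clean result.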

Since Rocket.Chat is open source, anyone - including customers, prospects, community members, and security researchers - can generate an SBOM by following these steps.

If you have specific SBOM-related needs that aren’t met by GitHub’s built-in features, feel free to contact us at security@rocket.chat. We're happy to assist.