It's not uncommon today to use third party libraries in a software project. These third party libraries are of course doing the same thing, which can lead to a long supply chain of software packages in a project.

By using a SBOM (Software Bill of Materials) in your project you will make it easier to keep track of these dependencies.

The SBOM will enable the possibility to do vulnerability scans and license analysis of your software components. Then there is the executive order 14028 which also encourage the use of a SBOM (and the reason there is a standard for this?).

So a software bill of materials is a document that lists all the components, libraries and dependencies that is used by the project. There is some rules on what should be included in the document, and there are three standard formats today:

• SPDX - A Linux Foundation Project. Available in following formats: tag:value, RDF, JSON, XML and YAML
• CycloneDX - From OWASP. Available as XML or JSON.
• SWID tags - From NIST. Available as XML.

Next step is to explore tools to generate a SBOM...