What is an SBOM?
A plain-English guide to Software Bills of Materials — and how to check yours for vulnerabilities. Updated June 2026.
An SBOM (Software Bill of Materials) is a complete, machine-readable list of every component and dependency inside a piece of software — think of it as an ingredients label for an application. Modern software is mostly assembled from open-source libraries; an SBOM is how you know exactly which ones you ship.
Why SBOMs matter
When a serious vulnerability lands in a popular library — like Log4Shell in Log4j — the urgent question is simply: "are we using it, and where?" Without an SBOM, teams spend days grepping through projects. With one, the answer is instant. SBOMs are now expected by many security frameworks and increasingly required in procurement and regulated industries.
CycloneDX vs SPDX
Two standard formats dominate:
- CycloneDX (OWASP) — security-first, widely supported by vulnerability scanners.
- SPDX (Linux Foundation / ISO standard) — strong on licensing and compliance.
IsItPatched accepts both, as JSON.
How to generate an SBOM (free)
You can produce one in seconds with free, open-source tools:
- Syft — syft dir:. -o cyclonedx-json=sbom.json (works on source code, directories and container images).
- Trivy — trivy fs --format cyclonedx --output sbom.json .
- cdxgen — cdxgen -o sbom.json (multi-language).
- npm — npm sbom --sbom-format cyclonedx > sbom.json
- Docker Scout / GitHub — export an SBOM for an image or repository from the UI.
How to scan it with IsItPatched
Once you have the file, the SBOM scanner checks every component against OSV (the open vulnerability database) and gives you a per-component verdict — and it does it without ever uploading your file:
- Open the SBOM scanner.
- Drop in your CycloneDX or SPDX JSON file.
- It's parsed in your browser; only package names and versions are sent to OSV.
- You get the vulnerable components, the total count, and an honest match rate — never a false "all clear".
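To make the lookup step concrete, here is an added example (not IsItPatched's own scanner code): it reads a CycloneDX or SPDX JSON SBOM, turns each component's purl into an entry for OSV's querybatch API, and reports every component it could not query, so the match rate it returns is honest rather than a silent "all clear". The purl-to-ecosystem table is a subset chosen for this example and the sample SBOM is constructed; nothing is sent over the network.

```python
from urllib.parse import unquote
# purl type -> OSV ecosystem name (a subset, chosen for this example).
PURL_ECOSYSTEMS = {"npm": "npm", "pypi": "PyPI", "maven": "Maven", "golang": "Go",
                   "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet"}

def parse_purl(purl):
    """Return (ecosystem, name, version) from a package URL, or None if unusable."""
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if ptype not in PURL_ECOSYSTEMS or not sep or not version:
        return None
    name = unquote(name)  # e.g. %40babel/core -> @babel/core
    if ptype == "maven":  # purl says group/artifact, OSV wants group:artifact
        name = name.replace("/", ":")
    return PURL_ECOSYSTEMS[ptype], name, unquote(version)

def components(sbom):
    """Yield (name, version, purl) from a CycloneDX or SPDX JSON document."""
    if sbom.get("bomFormat") == "CycloneDX":
        for c in sbom.get("components", []):
            yield c.get("name"), c.get("version"), c.get("purl")
    elif "spdxVersion" in sbom:
        for p in sbom.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield p.get("name"), p.get("versionInfo"), purl
    else:
        raise ValueError("not a CycloneDX or SPDX JSON SBOM")

def build_osv_queries(sbom):
    """Return (body for POST https://api.osv.dev/v1/querybatch, skipped names, match rate)."""
    queries, skipped = [], []
    for name, version, purl in components(sbom):
        parsed = parse_purl(purl)
        if parsed is None:
            skipped.append(name)  # no verdict possible: report it, never pass it as clean
            continue
        eco, pkg, ver = parsed
        queries.append({"package": {"name": pkg, "ecosystem": eco}, "version": ver})
    total = len(queries) + len(skipped)
    return {"queries": queries}, skipped, (len(queries) / total if total else 0.0)

SAMPLE_CYCLONEDX = {"bomFormat": "CycloneDX", "components": [  # constructed sample SBOM
    {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "@babel/core", "version": "7.0.0", "purl": "pkg:npm/%40babel/core@7.0.0"},
    {"name": "libssl1.1", "version": "1.1.1n-0", "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0"},
    {"name": "vendor-lib", "version": "3.2.0"}]}
```

Only the package name, ecosystem and version appear in the payload, which is exactly the data the scanner describes sending to OSV; the two components without a usable purl count against the match rate instead of disappearing.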
Frequently asked
What is an SBOM?
An SBOM (Software Bill of Materials) is a complete list of the components and dependencies that make up a piece of software — like an ingredients label. It lets you see every open-source library you ship, so when a vulnerability is found in one of them you know instantly whether you are affected.
What is the difference between CycloneDX and SPDX?
They are the two standard SBOM formats. CycloneDX (from OWASP) is security-focused and widely used by scanners; SPDX (a Linux Foundation / ISO standard) is common for licensing and compliance. IsItPatched accepts both as JSON.
How do I generate an SBOM?
Free tools generate one in seconds. For example: Syft (syft dir:. -o cyclonedx-json), Trivy (trivy fs --format cyclonedx --output sbom.json .), or your package manager (npm sbom --sbom-format cyclonedx). Container and cloud platforms (Docker Scout, GitHub) can export one too.
Is it safe to scan my SBOM on IsItPatched?
Yes. Your SBOM is parsed entirely in your browser. Only package names and versions are sent to the OSV vulnerability database for lookup — the file itself never reaches our servers, and there is no account or upload.