SBOM Requirements
Maturity levels, required metadata, component expectations, and dependency guidance
SBOMs must contain a complete and structured inventory of software components, along with supporting metadata that enables traceability, vulnerability analysis, supplier identification and compliance verification.
In some cases, a field may be defined as optional in a standards specification but is Required here. For example, unique identifiers or provenance information must always be present, even if considered optional elsewhere.
Maturity levels
To support evaluation, two general maturity levels for SBOM completeness are distinguished:
- Maturity level 1 (L1) — content that is simple to obtain through first-hand automated observation using standard SBOM generation tools (e.g. basic metadata, declared components, top-level hashes).
- Maturity level 2 (L2) — content that is moderately difficult to obtain and may require domain-specific tools, manual enrichment, human analysis, or access to proprietary or internal sources (e.g. transitive dependencies, redacted relationships, embedded licenses or pedigree data).
High-level SBOM requirements
| # | Description | Reference | L1 | L2 |
|---|---|---|---|---|
| 1 | The SBOM shall be provided in a structured, machine-readable format | Standards | ✓ | |
| 2 | SBOM creation shall be automated and reproducible | ✓ | ||
| 3 | SBOM shall be provided in one of the standardized formats CycloneDX or SPDX with JSON encoding | Formats | ✓ | |
| 4 | SBOM shall include a unique identifier | Metadata | ✓ | |
| 5 | SBOM shall be timestamped | Metadata | ✓ | |
| 6 | The manufacturer or author that created the SBOM should be documented | Suppliers | ✓ | |
| 7 | SBOM shall include metadata about the asset or software the SBOM describes | Subject | ✓ | |
| 8 | Supplier and manufacturer should be identified with a name consistent over time | Suppliers | ✓ | |
| 9 | The product lifecycle phase(s) in which data in the BOM was captured should be documented | Lifecycle | ✓ | |
| 10 | Tools used to create the SBOM should be documented | Tools | ✓ | |
| 11 | The methods used to extract and/or derive component identifiers should be documented (evidence) | Methods | ✓ | |
| 12 | SBOM shall contain a complete and accurate inventory of all components it describes | Components | ✓ | |
| 13 | The function of each component shall be known and represented throughout the inventory | Components | ✓ | |
| 14 | Component identifiers shall be derived from their native ecosystems (when applicable) | Components | ✓ | |
| 15 | The origin of each component shall be identified in a consistent, machine-readable format (e.g., PURL, CPE, SWID) | Components | ✓ | |
| 16 | Components should have one or more file hashes (SHA-256, SHA-512, etc) | Components | ✓ | |
| 17 | Components that have been modified from the original should have detailed provenance and pedigree information | Patched components | ✓ | |
| 18 | Components with unknown pedigree should be documented as incomplete | Known unknowns | ✓ | |
| 19 | Components with redacted identifiers or dependencies should be documented as incomplete | Redactions | ✓ | |
| 20 | Components shall have accurate license information | Licenses | ✓ | |
| 21 | Non-Open Source components should have valid copyright statements | Licenses | ✓ | |
| 22 | Relationships (direct and transitive dependencies) between components in the SBOM should be described | Dependencies | ✓ | |
| 23 | Dependency relationships should be represented as a hierarchy | Dependencies | ✓ | |
| 24 | The artifacts (files) of the SBOM subject should be identified with filenames and hashes | Subject | ✓ | |
| 25 | Pre-existing SBOMs for components should be linked and included as artifacts in the delivery | Third-party SBOMs | ✓ | |
| 26 | SBOM shall be signed by publisher, supplier, or certifying authority | Suppliers | ✓ |
Attestation metadata
Each SBOM must contain top-level metadata that uniquely identifies the document, indicates when it was created, and provides a consistent revision number.
At a minimum, the following are required:
- A globally unique identifier for the SBOM document
- A creation timestamp indicating when the SBOM was generated or exported
- The manufacturer or author that created the SBOM
This information must be present regardless of whether it is optional in the base specification. For example in CycloneDX, the serialNumber field is optional, but for reliable tracking it is treated as required to ensure SBOM uniqueness across submissions.
These identifiers play a critical role in versioning, digital signatures, and comparison between artifacts over time. The timestamp must reflect the generation or export time of the SBOM, not just a build or packaging date.
{
"serialNumber": "urn:uuid:1181ba0e-da66-4e8f-9c7f-4ed976c37bf1",
"version": 1,
"metadata": {
"timestamp": "2025-03-25T10:40:25+00:00"
}
}Lifecycle and provenance
In addition to basic identification, SBOMs must include information describing how the document was produced, who was involved in its creation, and which phase of the product lifecycle the data represents.
This information increases the transparency and credibility of the SBOM, and allows Consumers to better assess the trustworthiness of its contents.
{
"metadata": {
"lifecycles": [
{
"phase": "build"
}
]
}
}Tool information
The SBOM must include information about the tool or tools used to generate it. This is essential for understanding the scope, capabilities, and potential limitations of the SBOM content.
At a minimum, the tool name must be included. The version number is strongly recommended, as it enables Consumers to evaluate the expected feature set and behavior at the time of generation. When available, a URL to the tool's official website or repository should also be provided.
{
"metadata": {
"tools": {
"components": [
{
"name": "observer",
"version": "0.9.1"
}
]
}
}
}Subject of the SBOM
Every SBOM must clearly define the subject it describes — typically a software application, component, or system. This includes identifying what the SBOM refers to, how it can be distinguished from other components, and which files or artifacts it relates to.
At a minimum, the subject should include:
- Type — such as "application", "library", or "container"
- Name and version — a clear identifier for the software the SBOM describes
Where applicable, additional artifact-level details should also be included, such as:
- Filenames and cryptographic hashes for distributed files. This should include both any distributed archives or installers and the files that would be installed in a target runtime environment
- Other available identifiers for the subject (e.g. CPE, SWID tags) including any product identifiers shared between Supplier and Consumer
{
"metadata": {
"component": {
"bom-ref": "a05bbca7-f783-44cd-aafb-f5284f81473f",
"type": "application",
"name": "example-application",
"version": "1.0.0",
"purl": "pkg:swid/Example%20Inc/example.com/example-application@1.0.0?tag_id=a05bbca7-f783-44cd-aafb-f5284f81473f",
"manufacturer": {
"name": "Example AB",
"url": [
"https://www.example.com",
"https://lei.info/549300MLH00Y3BN4HD49"
],
"contact": [
{
"name": "Security Team",
"email": "security@example.com"
}
]
},
"components": [
{
"type": "file",
"name": "example.exe",
"hashes": [
{
"alg": "SHA-256",
"content": "f6d71a1bcd45764550a42dfaa179bc43b63ee879ec6f875bfd39fca013515da7"
}
]
},
{
"type": "file",
"name": "lib-example.dll",
"hashes": [
{
"alg": "SHA-256",
"content": "36b5e543365f73bc221c88ec6be6a2b9609063ddd34219496ed4bad579936bd9"
}
]
}
]
}
}
}