A software bill of materials (SBOM) is a means of establishing transparency and trust in the software supply chain. An SBOM is an artifact that lists the software components used to build a software application. Since the White House issued an executive order featuring SBOMs, they have become all the rage. But it's important to understand that SBOMs are just a means to an end: they are only useful if they contain high-quality data, can be easily stored and analyzed, and provide information about exploitable vulnerabilities.
Endor Labs goes beyond metadata scanning and uses call graphs to map out your dependencies. This context allows you to generate SBOMs that not only describe all direct and transitive dependencies of any given package, but also tell you whether vulnerable dependencies are actually reachable from your code.
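To make the distinction between "present in the SBOM" and "actually reachable" concrete, here is an added illustration (not Endor Labs' code or data) that walks a CycloneDX-style dependency graph and a call graph. Every component name, version, function name and advisory identifier below is constructed for the example; the call graph is assumed to have been produced by some static analysis step that the snippet does not perform.

```python
"""Reachability triage over an SBOM dependency graph plus a call graph.

Added example, not from the original page. All data is constructed:
component refs, function names and advisory ids are hypothetical.
"""
from collections import deque

# Constructed CycloneDX-style fragment: components and a dependency graph
# keyed by bom-ref. The metadata component is the application itself.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:app"}},
    "components": [
        {"bom-ref": "pkg:web-framework@2.1", "name": "web-framework"},
        {"bom-ref": "pkg:yaml-parser@1.4", "name": "yaml-parser"},
        {"bom-ref": "pkg:img-lib@0.9", "name": "img-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:app", "dependsOn": ["pkg:web-framework@2.1", "pkg:img-lib@0.9"]},
        {"ref": "pkg:web-framework@2.1", "dependsOn": ["pkg:yaml-parser@1.4"]},
        {"ref": "pkg:yaml-parser@1.4", "dependsOn": []},
        {"ref": "pkg:img-lib@0.9", "dependsOn": []},
    ],
}

# Constructed call graph (caller -> callees). Functions are written as
# "<bom-ref>::<function>" so they can be tied back to SBOM components.
CALL_GRAPH = {
    "pkg:app::main": ["pkg:web-framework@2.1::serve"],
    "pkg:web-framework@2.1::serve": ["pkg:web-framework@2.1::parse_config"],
    "pkg:web-framework@2.1::parse_config": ["pkg:yaml-parser@1.4::safe_load"],
    "pkg:yaml-parser@1.4::safe_load": [],
    # Exists in the library but nothing in the application ever calls it.
    "pkg:yaml-parser@1.4::load": ["pkg:yaml-parser@1.4::construct_object"],
    # img-lib is declared as a dependency but never invoked.
    "pkg:img-lib@0.9::decode": [],
}

# Constructed advisories: which component and which function is affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ref": "pkg:yaml-parser@1.4", "function": "load"},
    {"id": "EXAMPLE-0002", "ref": "pkg:img-lib@0.9", "function": "decode"},
    {"id": "EXAMPLE-0003", "ref": "pkg:yaml-parser@1.4", "function": "safe_load"},
    {"id": "EXAMPLE-0004", "ref": "pkg:other-lib@3.0", "function": "run"},
]


def transitive_dependencies(sbom, root=None):
    """All components the root depends on, directly or transitively."""
    root = root or sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    seen, queue = set(), deque(edges.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    return seen


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk of the call graph from the given entry points."""
    seen, queue = set(), deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(call_graph.get(fn, []))
    return seen


def classify_advisories(sbom, call_graph, advisories, entry_points):
    """Label each advisory: not in the SBOM, present but unreachable, or reachable."""
    deps = transitive_dependencies(sbom)
    reachable = reachable_functions(call_graph, entry_points)
    verdicts = {}
    for adv in advisories:
        if adv["ref"] not in deps:
            verdicts[adv["id"]] = "not-in-sbom"
        elif f'{adv["ref"]}::{adv["function"]}' in reachable:
            verdicts[adv["id"]] = "reachable"
        else:
            verdicts[adv["id"]] = "present-but-unreachable"
    return verdicts


if __name__ == "__main__":
    for adv_id, verdict in classify_advisories(
        SBOM, CALL_GRAPH, ADVISORIES, ["pkg:app::main"]
    ).items():
        print(f"{adv_id}: {verdict}")
```

A metadata-only SBOM scan would flag all three advisories against components in the SBOM equally; the call-graph pass shows that only EXAMPLE-0003 sits on a path from the application's entry point, which is the prioritisation signal the paragraph above is describing. Real call-graph construction has to deal with dynamic dispatch, reflection and plugins, none of which this toy graph models.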