SBOM

Generate, import, export, and manage software bills of materials.

1 min readUpdated Jul 9, 2026

Overview

A software bill of materials (SBOM) is the inventory of components in your software. FOSSA produces and consumes SBOMs so you can share what's inside your software and analyze what's inside others'.

What this covers

  • Generate: produce SBOMs (SPDX, CycloneDX) from your scans, with optional VDR/VEX vulnerability statements.
  • Import: bring in existing SBOMs to analyze dependencies you don't build yourself.
  • PURL Support: how FOSSA resolves package identifiers for high-confidence license and vulnerability matching.
  • SBOM Policies: define required fields and formats for imported SBOMs, including NTIA/FDA minimum elements.
  • Vulnerability Detection: how FOSSA matches vulnerabilities in imported SBOMs, and when results are marked Unverified.
  • Sharing SBOMs: share SBOM data publicly via the SBOM Portal or directly with partner organizations (Enterprise, requires enablement).

Start here

  • Generate an SBOM: the fastest way to get a standards-compliant SBOM out of FOSSA.

SBOMs draw on data from Licenses and Vulnerabilities. For attribution and compliance documents, see Reports.

© 2026 FOSSA, Inc.support@fossa.com