SBOM-EDI
The structured inventory of software dependencies — Executive Order 14028 requirement.
Definition
Mandated by Executive Order 14028 (Biden, May 2021) for any software bought by the US government. Recognised formats: SPDX 2.3 (ISO/IEC 5962:2021), CycloneDX 1.5 (OWASP), SWID (ISO/IEC 19770-2). For an EDI vendor, CI SBOM generation on every build, Grype/Trivy vulnerability scan, Sigstore signing.
Origin
Old concept (RPM/DEB metadata from the 1990s) formalised by NTIA in 2020-2021.
Example in context
An EDIFACT translator published with a CycloneDX SBOM listing its 247 Maven dependencies.
Related terms
- Supply chain — software supply chain security.