SBOM Primer
A Software Bill of Materials is the ingredient label for your binary. Every dependency, every hash, every provenance link — machine-readable and auditable.
What is an SBOM?
An SBOM is a structured manifest that enumerates every software component inside a deliverable. Think of it as a nutrition label: you see exactly what went in, who supplied it, and whether any of it is known-bad. The two dominant formats are SPDX and CycloneDX.
Why it matters for Nimbus
Nimbus ships a C++ loader, a kernel driver skeleton, and a Next.js dashboard. Each artifact pulls in transitive dependencies. An SBOM lets customers and auditors trace every library, every license, and every CVE back to its source in under a minute.
The three fields that actually matter
- purl — package URL uniquely identifying a component
- hash — SHA-256 of the artifact as it was built
- provenance — signed attestation linking the artifact to its build pipeline
Generating one for your own project
For Go or Rust, use the built-in tooling. For C++ with CMake, integrate syft or cdxgen into your CI. For the Next.js dashboard, cyclonedx-npm produces a CycloneDX JSON document in a single pass.
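To make the three fields above concrete once a tool like cyclonedx-npm has emitted the document, here is an added audit script (not part of the Nimbus tooling) that walks a CycloneDX JSON component list, flags components missing a purl, a well-formed SHA-256 hash, or a provenance link, and recomputes the hash of any artifact you hand it. The BOM fragment and artifact bytes are constructed for the example, and treating a CycloneDX externalReference of type "attestation" as the provenance link is an assumption.

```python
import hashlib
import re

# Constructed sample artifact bytes and CycloneDX 1.5 fragment (not a real Nimbus SBOM).
NEXT_TARBALL = b"next-14.1.0-tarball-contents"
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "next", "version": "14.1.0", "purl": "pkg:npm/next@14.1.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(NEXT_TARBALL).hexdigest()}],
         # Assumption: an externalReference of type "attestation" carries the provenance link.
         "externalReferences": [{"type": "attestation", "url": "https://example.invalid/attest/next"}]},
        # Deliberately incomplete entry: no purl, only SHA-1, no attestation.
        {"name": "libfoo", "version": "1.2.3",
         "hashes": [{"alg": "SHA-1", "content": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
    ],
}

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def audit_component(comp, artifact_bytes=None):
    """Check one component for the three fields: purl, SHA-256 hash, provenance link.
    If artifact_bytes is given, recompute SHA-256 and compare it to the recorded hash."""
    label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
    findings = []
    if not comp.get("purl"):
        findings.append(f"{label}: missing purl")
    sha256 = [h.get("content", "").lower() for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
    if not sha256:
        findings.append(f"{label}: no SHA-256 hash")
    elif not all(SHA256_HEX.match(h) for h in sha256):
        findings.append(f"{label}: malformed SHA-256 hash")
    elif artifact_bytes is not None and hashlib.sha256(artifact_bytes).hexdigest() not in sha256:
        findings.append(f"{label}: recorded hash does not match the artifact")
    if not any(r.get("type") == "attestation" for r in comp.get("externalReferences", [])):
        findings.append(f"{label}: no provenance attestation reference")
    return findings

def audit_bom(bom, artifacts=None):
    """Audit every component; artifacts maps purl -> bytes for hash verification."""
    artifacts = artifacts or {}
    findings = []
    for comp in bom.get("components", []):
        findings.extend(audit_component(comp, artifacts.get(comp.get("purl"))))
    return findings

if __name__ == "__main__":
    for line in audit_bom(SAMPLE_BOM, {"pkg:npm/next@14.1.0": NEXT_TARBALL}):
        print(line)
```

Run against a real export, the same check catches the common failure mode: a component that is listed but cannot be traced to an artifact hash or a build attestation.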