A Software Bill of Materials or SBOM is a machine-readable inventory of all components used within a software application or device. Think of it as an ingredient list but for software or an application, rather than cooking your favourite meal. An SBOM typically includes:

  • Open-source libraries
  • Third-party dependencies
  • Frameworks and packages
  • Version information
  • Licensing data
  • Known vulnerabilities
  • Dependency relationships

Compiling all the above items manually would be time consuming for a simple project or application but becomes even more challenging for complex applications. Extracting this information for the firmware of a device is even harder.

Why SBOMs Matter

Supply chain attacks have grown in profile over recent years. One of the best known is the SolarWinds “SUNBURST” attack in 2020. Over the past few months, many attacks have targeted open-source packages. For instance, the extremely popular Axios JavaScript HTTP client library was attacked in March (2026).

The popular LiteLLM PyPi (Python) package was also compromised in March through an extended supply chain attack. The attacker obtained the maintainer’s credentials by compromising the open-source security scanner used in the automated CI/CD pipeline. The past week has seen an attack on Github via a compromised Visual extension.

Although these recent attacks were discovered and contained after a few hours, they highlight the need to not just understand exactly what packages are being used, but also the specific versions. The LiteLLM incident was contained in around three hours, but it is estimated the package downloaded around 3.4 million times per day.

Vulnerability management and dependency mapping go together. Upgrading a package to resolve a known and exploitable vulnerability is one to improve security of the device or application, but does that package need to be a specific version for other components to work correctly? Understanding the licensing requirements of the packages is also useful to ensure legal compliance.

Ongoing changes to regulation and compliance rules also drive the need for organisations to improve their handling of SBOMs. The EU Cyber Resilience Act (CRA) has deadlines for compliance through 2026 / 2027, with specific requirements for SBOMs. Other legislation such as the UK Product Security and Telecommunications Infrastructure (PSTI) Act do not mandate a SBOM but do define the need for aspects such as supply chain visibility. Thus a SBOM can greatly assist in maintaining compliance across a broad range of legislation.

How Can KedronUK Help?

One of our partners, Keysight Technologies offers a comprehensive SBOM solution. Provided as a SaaS solution for rapid deployment, modules include:

  • Generator – build an SBOM from binary code / firmware
  • Studio – centralised management of SBOM, including CI/CD and ITSM integration plus continuous monitoring against sources such as CISA KEV
  • Consumer – validate SBOMs received from third party supplies to track and monitor SBOM and other aspects such as vulnerabilities.

Summary

  • Supply chain security is now a board level issue for most large enterprises and organisations
  • SBOMs cover not just producers / manufacturers who are making hardware or publishing software, but also enterprises who consume third party products
  • Integrate SBOM tooling to maximise it’s value – CI/CD pipelines and scanning / remediation workflows to ensure warnings don’t get missed
Chris Booth

Chris Booth

Solution Architect

Listens to your problems, then identifies the best tools and products to build solutions.