Practice SBOM pipeline vocabulary: generating SBOMs at build time, SBOM-based vulnerability scanning, supply chain compliance, and CycloneDX vs SPDX format language.
1 / 5
What is an SBOM (Software Bill of Materials)?
An SBOM is a formal, machine-readable inventory of every component that makes up a piece of software, including transitive dependencies: open-source libraries, commercial components and their exact versions, ideally with stable identifiers (such as package URLs) and hashes. Because each entry can be matched against vulnerability databases and licence metadata, an SBOM enables vulnerability scanning, licence compliance checking and supply chain risk management.
2 / 5
When is the ideal time to generate an SBOM in a CI/CD pipeline?
Generating the SBOM at build time captures the exact set of resolved dependencies used to create the artifact, not the loose version ranges declared in a manifest and not whatever a scanner later guesses from a binary. An SBOM produced in the same job that builds the artifact can be tied to it by hash, signed, and attached to it (e.g., as an attestation on a container image) so that downstream consumers can verify which SBOM describes which build.
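The following is an added example, not code from the original page: a minimal build-time SBOM generator in Python that turns a pinned lockfile into a CycloneDX 1.5 document and records the SHA-256 of the built artifact in the SBOM's metadata, so the two can be tied together. The lockfile contents, the application name and the artifact bytes are constructed stand-ins; a real pipeline would run a tool such as syft at the same step instead of this hand-rolled parser.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed pinned lockfile, standing in for the resolved dependency set
# that a real build tool (pip-compile, npm ci, etc.) would produce.
LOCKFILE = """\
# requirements.txt (constructed example)
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22 ; python_version >= "3.8"
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
LOOSE_RE = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*\s*(>=|<=|~=|!=|>|<)")


def parse_pins(lockfile_text):
    """Return [(name, version)] for every exact pin.

    A build-time SBOM must record the versions actually built, so a
    requirement that is not pinned to one exact version is rejected
    rather than silently dropped.
    """
    pins = []
    for line in lockfile_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
        elif LOOSE_RE.match(line):
            raise ValueError(f"unpinned requirement, cannot produce an exact SBOM: {line.strip()}")
    return pins


def pypi_purl(name, version):
    # purl spec: pypi names are lowercased and underscores become hyphens
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def build_sbom(app_name, app_version, lockfile_text, artifact_bytes):
    """Build a CycloneDX 1.5 JSON-compatible dict for one built artifact."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    components = [
        {"type": "library", "name": n, "version": v, "purl": pypi_purl(n, v)}
        for n, v in parse_pins(lockfile_text)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            # The hash of the artifact is what links this SBOM to that build.
            "component": {
                "type": "application",
                "name": app_name,
                "version": app_version,
                "hashes": [{"alg": "SHA-256", "content": digest}],
            },
        },
        "components": components,
    }


if __name__ == "__main__":
    artifact = b"constructed stand-in for the built wheel or image tarball"
    print(json.dumps(build_sbom("payments-api", "1.4.2", LOCKFILE, artifact), indent=2))
```

The hash in `metadata.component.hashes` is the check a consumer should perform before trusting the SBOM: if the artifact they hold does not hash to that value, the SBOM describes a different build.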
3 / 5
What does 'vulnerability scan against SBOM' mean?
SBOM-based vulnerability scanning takes the component inventory and checks each entry, by identifier and version, against vulnerability databases. Because the SBOM is an authoritative list of what is in the software, the scan does not have to rediscover dependencies from source or binaries, it can be re-run whenever the vulnerability data changes without rebuilding, and it can be run on artifacts the scanner never has access to. Its accuracy is bounded by the SBOM's quality: components without a usable identifier (such as a package URL) or with an imprecise version cannot be matched reliably.
4 / 5
What is the difference between CycloneDX and SPDX?
SPDX (Software Package Data Exchange) originated at the Linux Foundation with licence compliance as its first use case and is an ISO/IEC standard (ISO/IEC 5962:2021). CycloneDX was created by OWASP with security use cases in mind, adding first-class support for dependency graphs, VEX (exploitability) statements and other bill-of-materials types beyond software. Both are widely accepted SBOM formats, both carry package URLs for vulnerability matching, and most generators and scanners emit and consume both; the choice usually follows what the consuming tools or the customer's compliance programme require.
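To make both the scanning step above and the format difference concrete, here is an added example (not part of the original page) in Python. It normalises a CycloneDX JSON SBOM and an SPDX JSON SBOM to the same set of package URLs, then matches them against a constructed advisory feed using a half-open affected range `[introduced, fixed)`. The SBOM documents and the advisory identifiers are constructed for the example; the `EXAMPLE-*` IDs are placeholders, not real CVEs.

```python
import json

# Constructed SBOM fragments, one per format, describing the same two packages.
CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})
SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "payments-api",
    "packages": [
        {"name": "urllib3", "SPDXID": "SPDXRef-Package-urllib3", "versionInfo": "2.0.7",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.0.7"}]},
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
})

# Constructed advisory feed; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl_prefix": "pkg:pypi/urllib3",
     "introduced": "2.0.0", "fixed": "2.0.8"},
    {"id": "EXAMPLE-2024-0002", "purl_prefix": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.31.0"},
]


def purls_from_sbom(text):
    """Normalise a CycloneDX or SPDX JSON document to a set of package URLs."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        # CycloneDX carries the purl directly on each component.
        return {c["purl"] for c in doc.get("components", []) if "purl" in c}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        # SPDX carries it as an external reference of type "purl" on each package.
        out = set()
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    out.add(ref["referenceLocator"])
        return out
    raise ValueError("not a CycloneDX or SPDX JSON document")


def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, _, version = core.partition("@")
    return base, version


def vtuple(version):
    # Numeric dotted versions only; non-numeric segments compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def scan(purls, advisories):
    """Return [(purl, advisory_id)] for every component in an affected range."""
    findings = []
    for purl in sorted(purls):
        base, version = split_purl(purl)
        for adv in advisories:
            if base == adv["purl_prefix"] and \
                    vtuple(adv["introduced"]) <= vtuple(version) < vtuple(adv["fixed"]):
                findings.append((purl, adv["id"]))
    return findings


if __name__ == "__main__":
    for label, text in (("CycloneDX", CYCLONEDX), ("SPDX", SPDX)):
        print(label, scan(purls_from_sbom(text), ADVISORIES))
```

Both documents produce the same finding: urllib3 2.0.7 falls inside the affected range, while requests 2.31.0 is exactly the fixed version and is correctly not flagged, which is the boundary a careless "version <= fixed" comparison would get wrong. Real scanners use richer version semantics than `vtuple` (ecosystem-specific ordering, pre-release tags), but the purl-based matching structure is the same.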
5 / 5
A compliance requirement states 'an ___ is required for software supply chain compliance.' What acronym fits?
SBOM. US Executive Order 14028 (May 2021) directed federal agencies to require SBOMs from vendors of software sold to the US government, and subsequent guidance built on it. An SBOM provides the transparency needed to verify supply chain integrity and to identify vulnerable components across an organisation's software portfolio.