Comment by zvr

4 hours ago

Think of the SBOM as a "table of contents" for the software you are receiving. Another metaphor that has been used is the "nutrition label" that you get on all packaged food.

So, it's a list of the "software components" that are inside a piece of software. And then you add metadata about each of these components: what's its name? its version? its hash? Up to now we're in lockfile territory.

But you want more information: what is the license? who supplied it? what is the security status? does it have known CVEs? are they relevant?

And then you go to special cases, like "AI" software: oh, it's a model? how was it trained? on which data? Or like software that has to be certified, to be used when safety is important.

An SBOM is capable of providing all this information. Take a look at the different parts that SPDX provides, and it's an ever expanding area.
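As an added illustration (not part of zvr's comment), the following constructs a minimal SPDX 2.3 JSON document with the two tiers of metadata described above and audits each package for the "beyond lockfile" fields (supplier, concluded license, checksum, package URL). The document, package names, version numbers and checksum value are all constructed placeholders.

```python
# Constructed minimal SPDX 2.3 document; names, versions and hashes are placeholders.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {   # Fully described component: lockfile fields plus provenance/licensing.
            "SPDXID": "SPDXRef-Package-libfoo",
            "name": "libfoo",
            "versionInfo": "1.4.2",
            "supplier": "Organization: Example Vendor",
            "licenseConcluded": "MIT",
            "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:generic/libfoo@1.4.2"}],
        },
        {   # "Lockfile territory" only: name and version, nothing else asserted.
            "SPDXID": "SPDXRef-Package-libbar",
            "name": "libbar",
            "versionInfo": "0.9.0",
            "licenseConcluded": "NOASSERTION",
            "checksums": [],
        },
    ],
}


def table_of_contents(doc):
    """The 'table of contents' view: (name, version) per package."""
    return [(p["name"], p.get("versionInfo")) for p in doc.get("packages", [])]


def audit_packages(doc):
    """Per package, list which fields beyond name/version are missing or unasserted."""
    findings = {}
    for pkg in doc.get("packages", []):
        missing = []
        if not pkg.get("supplier"):
            missing.append("supplier")
        lic = pkg.get("licenseConcluded")
        if not lic or lic == "NOASSERTION":          # SPDX uses NOASSERTION for "unknown"
            missing.append("license")
        if not pkg.get("checksums"):
            missing.append("checksum")
        refs = pkg.get("externalRefs", [])
        if not any(r.get("referenceType") == "purl" for r in refs):
            missing.append("purl")
        findings[pkg["name"]] = missing
    return findings
```

A package that comes back with an empty list carries the extra metadata the comment describes; a package like `libbar` is effectively just a lockfile entry and gives no basis for license review or CVE matching.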