For software producers
Software producers, those who create and sell software, need to provide software transparency to their customers through an SBOM on request. Doing so reduces sales cycles, establishes trust, and is sometimes a regulatory or business requirement. A Vulnerability Exploitability eXchange (VEX) document conveys the potential risks associated with components that have known vulnerabilities within the specific context of the product. Upon request, software producers may need to provide justification for known vulnerabilities and explain how they impact an application they sell. Learn how to export SBOMs and VEX documents for the software you test with Endor Labs.
For software consumers
Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase. Learn how to manage third-party risks with Endor Labs.
Supported formats
Endor Labs supports the following SBOM formats:
- CycloneDX: A lightweight SBOM standard designed for use in application security contexts
- SPDX: An open standard for communicating software bill of material information