Software Bill of Materials (SBOM) for Your Codebase and Libraries (CRA Annex I, Part II, Req 1)

Knowing the ingredients of your software is fundamental to its security. The EU Cyber Resilience Act (CRA) makes this a formal requirement. Annex I, Part II, Point 1 states that manufacturers must "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials (SBOM)...".

What is an SBOM?

An SBOM is a formal, structured list of all software components, libraries, and modules that make up your application or game. Think of it as a detailed ingredients list for your software. It typically includes:

  • Component name
  • Version number
  • Supplier/Author
  • License information (useful, though not strictly a CRA security item)
  • Relationship between components (dependencies)

Why is it Mandated by the CRA?

  1. Vulnerability Management: When a new vulnerability is discovered in a specific library (e.g., Log4j), an accurate SBOM allows you to quickly determine if your software uses that vulnerable component and version. This drastically speeds up your response.
  2. Transparency & Due Diligence: It helps you understand your software supply chain. The CRA requires due diligence on third-party components (Article 13, Paragraph 5). An SBOM is a key tool for this.
  3. Lifecycle Management: Helps track outdated components that may no longer receive security updates.

CRA Specifics for SBOMs

  • Format: Must be in a "commonly used and machine-readable format." Examples include CycloneDX and SPDX. This allows for automated processing and integration with security tools.
  • Scope: Must cover "at the very least the top-level dependencies." These are the components your product directly declares, calls, or links against. The CRA sets the minimum bar at top-level, but deeper (transitive) dependencies are where many real-world exposures hide: Log4j, for example, was frequently pulled in indirectly through other libraries, so an SBOM that stops at the top level would not have revealed it. Recording the full dependency graph is the practical choice where your build tooling can produce it.
  • In Technical Documentation: The SBOM belongs in your technical documentation. Annex VII, Point 8 lists it among the documentation a market surveillance authority may obtain on reasoned request where it is necessary to check compliance with the essential requirements.
  • User Information (Optional Sharing): You must inform users where the SBOM can be accessed IF you decide to make it available to them (Annex II, Item 9). Public sharing is not mandated by default for all SBOMs.

The Commission may specify further details on SBOM format and elements via implementing acts (Article 13, Paragraph 24).
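The field list in "What is an SBOM?" and the format and scope bullets above are concrete enough to check mechanically. The following is an added example, not code from the original page or from any SBOM tool: it parses a small CycloneDX JSON document, reports components missing the name, version or supplier fields the article lists, separates top-level from transitive dependencies using the document's dependency graph, and then matches components against an affected-version rule of the Log4j kind. The SBOM itself, the component names, the bom-refs, and the "log4j-core before 2.17.1" rule are all constructed for illustration; the CRA does not prescribe these specific checks, and the version comparison handles only dotted numeric versions.

```python
"""Check a CycloneDX JSON SBOM for the fields an SBOM should carry, split
top-level from transitive dependencies, and find affected component versions.
Added example with a constructed SBOM; not code from the page or any CRA tool."""
import json
import re

# Fields the article lists as SBOM content. License is deliberately not
# required here because the CRA treats it as a non-security item.
REQUIRED_FIELDS = ("name", "version", "supplier")

# Constructed CycloneDX 1.5 document for a fictional product. The bom-refs
# are arbitrary unique strings; "netlib" deliberately lacks a supplier.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "bom-ref": "app",
                  "name": "example-game", "version": "1.4.0",
                  "supplier": {"name": "Example Studio"}}
  },
  "components": [
    {"type": "library", "bom-ref": "log4j-core", "name": "log4j-core",
     "group": "org.apache.logging.log4j", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "supplier": {"name": "Apache Software Foundation"},
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "log4j-api", "name": "log4j-api",
     "group": "org.apache.logging.log4j", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "supplier": {"name": "Apache Software Foundation"},
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "netlib", "name": "netlib",
     "version": "3.2.0", "purl": "pkg:generic/netlib@3.2.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["log4j-core", "netlib"]},
    {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
    {"ref": "log4j-api", "dependsOn": []},
    {"ref": "netlib", "dependsOn": []}
  ]
}
'''


def load_sbom(text):
    """Parse the JSON and confirm it declares itself as CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def missing_fields(sbom):
    """Map bom-ref -> list of REQUIRED_FIELDS absent or empty on that component."""
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp["bom-ref"]] = missing
    return gaps


def dependency_tiers(sbom):
    """Return (top_level, transitive) sets of bom-refs.

    Top-level = refs the product's own metadata.component depends on directly;
    transitive = everything else reachable from there through the graph."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    top_level = set(edges.get(root, []))
    seen, stack = set(), list(top_level)
    while stack:  # iterative walk; cycles are harmless because of `seen`
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return top_level, seen - top_level


def parse_version(version):
    """Dotted numeric versions only ('2.14.1' -> (2, 14, 1)); any
    non-numeric segment such as 'rc1' compares as 0. Simplification."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_affected(sbom, component_name, fixed_in):
    """List (bom-ref, version, tier) for components named component_name whose
    version precedes fixed_in. Tier shows whether a top-level-only SBOM
    would have surfaced the hit at all."""
    top_level, transitive = dependency_tiers(sbom)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != component_name:
            continue
        if parse_version(comp["version"]) < parse_version(fixed_in):
            ref = comp["bom-ref"]
            tier = ("top-level" if ref in top_level
                    else "transitive" if ref in transitive else "unreferenced")
            hits.append((ref, comp["version"], tier))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    print("missing fields:", missing_fields(sbom))
    print("tiers:", dependency_tiers(sbom))
    # Constructed rule, not a real advisory: treat log4j-core below 2.17.1 as affected.
    print("affected:", find_affected(sbom, "log4j-core", "2.17.1"))
    print("affected:", find_affected(sbom, "log4j-api", "2.17.1"))
```

Running it shows the two points the bullets make: `netlib` fails the completeness check for lack of a supplier, and `log4j-api` is only reachable transitively, so a minimum top-level SBOM would list `log4j-core` but never reveal the second hit. Real SBOMs are produced by your build tooling (CycloneDX and SPDX generators exist for most ecosystems); the value of this kind of script is as a gate in CI that fails when a component is incomplete or matches a known-affected version.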

Key Takeaway

Generating and maintaining an SBOM is a specific requirement under Annex I, Part II, Point 1 of the CRA. It's a critical tool for identifying components, managing vulnerabilities, and understanding your software supply chain. Ensure it's in a machine-readable format and covers at least top-level dependencies.