SBOM basics
A Software Bill of Materials (SBOM) is a structured list of the components in a piece of software, with enough detail to identify each component (typically a name, version, and ecosystem). It is the input Quaze needs to monitor what you ship.
Why Quaze needs SBOMs
Quaze monitors what is actually inside your releases for newly disclosed vulnerabilities. To do that it needs a precise list of components per release. That precise list is the SBOM.
You generate the SBOM. Quaze stores it, watches it against fresh vulnerability data, and routes any new findings.
Supported formats
Quaze ingests two industry-standard SBOM formats natively:
| Format | Notes |
|---|---|
| CycloneDX | OWASP project. Tight VEX integration. The format most security-focused tools emit by default. |
| SPDX | Linux Foundation project. ISO/IEC 5962:2021. Strong license-compliance heritage. |
Both formats are first-class — there is no conversion step. If your toolchain already emits one or the other, send that.
For a deeper comparison, see the marketing-side article CycloneDX vs SPDX.
What makes a good SBOM
Quaze produces precise findings when the SBOM is precise. A few things to keep in mind:
- Include exact versions, not ranges. A finding against `library-x@1.3.0` is unambiguous; a finding against `library-x@>=1.0` is not.
- Use Package URLs (PURLs) where the format supports them. PURLs encode the ecosystem (npm, pypi, maven, etc.) along with name and version, so the same package name in two ecosystems is not conflated. Both CycloneDX and SPDX support PURL.
- Include transitive dependencies. Most SBOM generators do this by default. Make sure transitives are not stripped by build optimizations before the SBOM is generated.
- Generate the SBOM against the artifact you ship. SBOMs of the source repo and SBOMs of the built artifact can differ; ship the one that matches what runs in production.
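As an added example (not part of this page and not Quaze's own tooling), the script below checks an SBOM for the properties listed above before you upload it: every component has an exact version rather than a range, every component carries a PURL, and the PURL's version agrees with the component's own version field. It reads CycloneDX JSON (including nested components) and SPDX JSON (where the PURL lives in `externalRefs` and the version in `versionInfo`); tag-value SPDX is not handled. The two embedded documents are constructed samples, and the package names `library-x`, `library-y` and `library-z` are hypothetical.

```python
"""Pre-upload lint for an SBOM: exact versions, a PURL per component, consistent PURL.

Added example, not Quaze's own tooling. Reads CycloneDX JSON and SPDX JSON
(tag-value SPDX is not handled). The sample documents at the bottom are constructed.
"""
import json
import re
from urllib.parse import unquote

# Anything that makes a version a range rather than a pin: comparison operators,
# caret/tilde, wildcards, a bare "x" segment, "a - b" ranges, "||" unions.
RANGE_MARKERS = re.compile(r"[<>=~^*]|\bx\b|\s-\s|\|\|")

# pkg:type/namespace/name@version?qualifiers#subpath (namespace and version are optional)
PURL_RE = re.compile(r"^pkg:(?P<type>[a-z0-9.+-]+)/(?P<rest>[^?#]+)(\?[^#]*)?(#.*)?$")


def parse_purl(purl):
    """Return (type, namespace, name, version), or None if the string is not a purl."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    rest, version = m.group("rest"), None
    if "@" in rest:  # a literal "@" inside a scoped name is percent-encoded, so rsplit is safe
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = rest.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return m.group("type"), namespace, name, version


def _cyclonedx_components(components):
    # CycloneDX allows components to nest (e.g. a bundle that lists its own parts).
    for c in components:
        yield c.get("name"), c.get("version"), c.get("purl")
        yield from _cyclonedx_components(c.get("components", []))


def iter_components(sbom):
    """Yield (name, version, purl) for every component in a CycloneDX or SPDX JSON document."""
    if sbom.get("bomFormat") == "CycloneDX":
        yield from _cyclonedx_components(sbom.get("components", []))
    elif "spdxVersion" in sbom:
        for p in sbom.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield p.get("name"), p.get("versionInfo"), purl
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")


def lint(sbom):
    """Return [(component_label, problem), ...]; an empty list means the SBOM is precise."""
    problems = []
    for name, version, purl in iter_components(sbom):
        label = f"{name}@{version}"
        if not version:
            problems.append((label, "missing version"))
        elif RANGE_MARKERS.search(version):
            problems.append((label, f"version is a range, not a pin: {version!r}"))
        if not purl:
            problems.append((label, "missing purl (ecosystem is ambiguous)"))
            continue
        parsed = parse_purl(purl)
        if parsed is None:
            problems.append((label, f"malformed purl: {purl!r}"))
            continue
        purl_version = parsed[3]
        if purl_version is None:
            problems.append((label, "purl has no version"))
        elif version and purl_version != version:
            problems.append((label, f"purl version {purl_version!r} disagrees with {version!r}"))
    return problems


def lint_json(text):
    """Lint an SBOM given as a JSON string."""
    return lint(json.loads(text))


# Constructed CycloneDX sample: one precise component, one with a version range and an
# unversioned purl, one with no purl at all. Package names are hypothetical.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "library-x", "version": "1.3.0", "purl": "pkg:npm/library-x@1.3.0"},
        {"type": "library", "name": "library-y", "version": ">=1.0", "purl": "pkg:npm/library-y"},
        {"type": "library", "name": "library-z", "version": "2.4.1"},
    ],
})

# Constructed SPDX 2.3 sample: the purl lives in externalRefs, the version in versionInfo.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "urllib3", "versionInfo": "2.0.7", "externalRefs": []},
    ],
})

if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        for label, problem in lint_json(sample):
            print(f"{label}: {problem}")
```

Run it as a gate in the release pipeline: a non-empty result means a finding against that component would be ambiguous (no ecosystem, or a range instead of a pin), so fix the generator configuration before uploading rather than after the first noisy finding. The SPDX document's own root package often has no PURL and will be reported; filter it by `SPDXID` if that is the case in your toolchain.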
How to generate an SBOM
A few common starting points:
- Trivy — see the Trivy guide.
- Syft — Anchore’s SBOM generator. Strong language coverage, runs against images, filesystems, and registries.
- Package managers — `npm sbom`, `mvn` plugins, `pip` plugins, etc. Often the most accurate option for a single ecosystem, since the package manager already holds the resolved dependency graph.
How often to generate
Generate an SBOM per release. Re-generating between releases is unnecessary: the contents have not changed, and Quaze does not need a fresh SBOM to detect newly disclosed vulnerabilities against components that were already there.
You only need to upload a new SBOM when you ship a new release. A rebuild that changes what you ship (a new base image, a re-resolved lockfile, a hotfix) counts as a new release for this purpose and needs its own SBOM, generated against the rebuilt artifact.