Overview of SBOM
SBOM, or Software Bill of Materials, is a standard for documenting the software components, dependencies, vulnerabilities, patents, licenses, etc. associated with a particular product. This helps software companies and individual developers identify risks such as outdated components, licensing conflicts, or vulnerabilities.
As stated in the Wikipedia article:
“A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.”
The ability to create an SBOM is becoming increasingly important. In some cases, authorities may require an SBOM. You may also be asked by your customers to provide an SBOM for your products. There are also new EU regulations concerning security issues and SBOM.
The goal of this report section is to create an SBOM file in JSON format according to the CycloneDX specification, currently at version 1.7, released October 2025. CycloneDX is supported by the OWASP organization (a non-profit foundation focused on software security). Another SBOM standard is SPDX (Software Package Data Exchange). Read more about SBOM:
Wikipedia: https://en.wikipedia.org/wiki/Software_supply_chain
CycloneDX: https://cyclonedx.org/capabilities/sbom/
We especially recommend: https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf
These resources provide more in-depth information.
In this first implementation of SBOM in Pascal Analyzer, we have marked the report section as “experimental”. This means that we especially encourage feedback, criticism, comments and suggestions. It is a new feature in Pascal Analyzer and will evolve; expect modifications, additions and improvements. If you already find it useful, go ahead and use it. Otherwise, you can help us by pointing out areas to improve. You may find the resulting JSON file usable as is, but you may have to merge it with other information produced manually or with other tools.
The SBOM is primarily an inventory of all artifacts in your project, such as first-party files and third-party libraries. Another important objective is to document the dependencies between components. While Pascal Analyzer knows a lot about your own files, you may have to provide information about your third-party libraries, and about other items you want included in the SBOM, such as vulnerabilities, licenses and patents. Many third-party libraries are recognized automatically.
An SBOM can also be generated in the evaluation version, but in contrast to the full version, many values written to the JSON output are randomly replaced with "???".
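The following is an added example, not code from Pascal Analyzer or the CycloneDX project. It shows what a minimal CycloneDX JSON document with the component inventory and dependency graph described above looks like, and the checks a practitioner would run before merging such a file with other tools' output: dangling dependency references, components lacking a version or license (the "outdated component" and "licensing conflict" risks), and "???" placeholders left by the evaluation version. The field names used (bomFormat, specVersion, serialNumber, metadata, components, dependencies, bom-ref, purl, licenses) are core CycloneDX JSON fields; the library names and versions are constructed for illustration, and the `pkg:generic` purl type is an assumption for Pascal units that have no package-manager ecosystem.

```python
"""Build and sanity-check a minimal CycloneDX JSON SBOM.

Added example for this help page; not Pascal Analyzer's own code.  Component
names and versions below are constructed, and pkg:generic purls are an
assumption for libraries with no package-manager ecosystem.
"""
import json
import uuid
from datetime import datetime, timezone


def build_sbom(app_name: str, app_version: str, libraries: list[dict]) -> dict:
    """Return a CycloneDX document: the application as metadata.component,
    each library as a component, and a flat dependency graph (app -> libs)."""
    app_ref = f"pkg:generic/{app_name}@{app_version}"
    components = []
    for lib in libraries:
        ref = f"pkg:generic/{lib['name']}@{lib['version']}"
        comp = {
            "type": "library",
            "bom-ref": ref,
            "name": lib["name"],
            "version": lib["version"],
            "purl": ref,
        }
        if lib.get("license"):
            # SPDX license id, e.g. "MIT" or "BSD-3-Clause"
            comp["licenses"] = [{"license": {"id": lib["license"]}}]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.7",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "bom-ref": app_ref,
                          "name": app_name, "version": app_version},
        },
        "components": components,
        "dependencies": [
            {"ref": app_ref, "dependsOn": [c["bom-ref"] for c in components]},
            *({"ref": c["bom-ref"], "dependsOn": []} for c in components),
        ],
    }


def find_placeholders(node, path="$") -> list[str]:
    """Walk the JSON tree and report every string equal to '???'
    (the substitution made by the evaluation version)."""
    if isinstance(node, dict):
        return [f for k, v in node.items() for f in find_placeholders(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [f for i, v in enumerate(node) for f in find_placeholders(v, f"{path}[{i}]")]
    if node == "???":
        return [f"placeholder value at {path}"]
    return []


def check_sbom(bom: dict) -> list[str]:
    """Return findings a reviewer wants resolved before shipping the SBOM."""
    findings = []
    refs = {bom["metadata"]["component"]["bom-ref"]}
    refs.update(c["bom-ref"] for c in bom["components"])
    for dep in bom.get("dependencies", []):
        if dep["ref"] not in refs:
            findings.append(f"dependency entry for unknown ref {dep['ref']}")
        for target in dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"{dep['ref']} depends on unknown ref {target}")
    for comp in bom["components"]:
        if not comp.get("version"):
            findings.append(f"{comp['name']}: no version (cannot be matched against advisories)")
        if not comp.get("licenses"):
            findings.append(f"{comp['name']}: no license information")
    findings.extend(find_placeholders(bom))
    return findings


if __name__ == "__main__":
    # Constructed sample input: one first-party application, two third-party units.
    bom = build_sbom("MyApp", "2.3.0", [
        {"name": "NetLib", "version": "10.6.2", "license": "BSD-3-Clause"},
        {"name": "JsonLib", "version": "1.2.4"},      # no license recorded
    ])
    print(json.dumps(bom, indent=2))
    for finding in check_sbom(bom):
        print("finding:", finding)
```

Run as a script it prints the document and one finding (the library without license information). The same `check_sbom` can be pointed at a JSON file loaded with `json.load` to review an SBOM produced by any tool, including an evaluation-version file, where the placeholder scan lists every value that still has to be filled in.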
See also: