
Could lockfiles just be SBOMs?

8 comments

December 24, 2025

phendrenad2

> the security world has been pushing CycloneDX and SPDX

> CycloneDX supports JSON, XML, and YAML

And SPDX is JSON.

Are there any other examples of government-mandated non-human-readable file formats? I feel like bureaucracies have a natural tendency to water down requirements such as this and instead focus on getting wet signatures on pen-and-paper.

endorphine

From https://en.wikipedia.org/wiki/Software_supply_chain:

> A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.

woodruffw

This is a great summary, although I think I'm more bearish on SBOMs than Andrew is: my experience integrating them so far (in both pip-audit and uv) has been that there's much more malleability at the representation level than the presence of a standard might imply, and that consumers have adapted (a la Postel) to this reality by being very permissive with the kinds of broken stuff they permit when ingesting third-party SBOMs.

(Case in point: pip-audit's CycloneDX emission was subtly incorrect for years, and nobody noticed[1].)

[1]: https://github.com/pypa/pip-audit/pull/981

zingar

I'm hearing the SBOM term for the first time from that article and the linked Wikipedia page. For the ignorant like me: what is it that SBOM is used for that lockfiles aren't? Everything in the article is something that I'm used to seeing automated scanners using lockfiles for.

Is it just that the two are used by different communities? What is the SBOM community?

edoceo

In many cases the lock files are for one part of the stack. Like npm and composer and $other_lang thing. SBOM is when all are together and version-pinned. (I've over simplified).

Edit: for my domain we have Alpine, Debian, PHP, JS, Go in the stack. So our BOM has all that (and dependencies). It's a big list. Some is just necessary base (Alpine, Debian) but some are core stack and others are edge (dependency on python lib when we're mostly Rust (or something)).

Mirror/Vendor all these things for supply-chain integrity (it's what they tell me)
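
As an added illustration of the two points raised above (a per-ecosystem lockfile versus one aggregated, version-pinned BOM, and consumers being too permissive with malformed SBOMs), here is an example that is not from this thread or from any of the tools mentioned: it turns a constructed multi-ecosystem lockfile (hypothetical format) into a minimal CycloneDX-style document and then runs the strict consistency checks a lenient ingester would skip. The field names follow the CycloneDX JSON schema, but the output is not validated against the official schema here.

```python
import json

# Constructed lockfile (hypothetical format): one resolved graph spanning two
# ecosystems, which a single per-ecosystem lockfile cannot express on its own.
LOCK = {"packages": [
    {"eco": "npm", "name": "lodash", "version": "4.17.21", "deps": []},
    {"eco": "npm", "name": "app-web", "version": "1.0.0", "deps": ["npm/lodash"]},
    {"eco": "pypi", "name": "urllib3", "version": "2.2.2", "deps": []},
    {"eco": "pypi", "name": "requests", "version": "2.32.3", "deps": ["pypi/urllib3"]},
]}

def to_cyclonedx(lock):
    """Emit a minimal CycloneDX 1.5 JSON document; the package URL doubles as bom-ref."""
    purl_of = {f"{p['eco']}/{p['name']}": f"pkg:{p['eco']}/{p['name']}@{p['version']}"
               for p in lock["packages"]}
    components = [{"type": "library", "bom-ref": purl_of[f"{p['eco']}/{p['name']}"],
                   "name": p["name"], "version": p["version"],
                   "purl": purl_of[f"{p['eco']}/{p['name']}"]} for p in lock["packages"]]
    dependencies = [{"ref": purl_of[f"{p['eco']}/{p['name']}"],
                     "dependsOn": [purl_of[d] for d in p["deps"]]} for p in lock["packages"]]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "dependencies": dependencies}

def strict_check(bom):
    """Return the problems a permissive consumer would silently accept."""
    problems = []
    refs = [c.get("bom-ref") for c in bom.get("components", [])]
    for c in bom.get("components", []):
        for field in ("bom-ref", "name", "version", "purl"):
            if not c.get(field):
                problems.append(f"component {c.get('name')!r} missing {field}")
    dupes = {r for r in refs if r and refs.count(r) > 1}
    problems += [f"duplicate bom-ref {r}" for r in sorted(dupes)]
    known = set(refs)
    for d in bom.get("dependencies", []):
        for r in [d.get("ref")] + d.get("dependsOn", []):
            if r not in known:
                problems.append(f"dependency graph references unknown bom-ref {r!r}")
    return problems

if __name__ == "__main__":
    bom = to_cyclonedx(LOCK)
    print(json.dumps(bom, indent=2))
    print("problems:", strict_check(bom))
    # Constructed broken document: component without a purl, dangling dependsOn.
    broken = {"components": [{"type": "library", "bom-ref": "a", "name": "a", "version": "1"}],
              "dependencies": [{"ref": "a", "dependsOn": ["pkg:npm/missing@0"]}]}
    print("problems:", strict_check(broken))
```

The generated document passes the checks, while the constructed broken one is flagged for the missing purl and the dangling dependency reference.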

LoganDark

> what is it that SBOM is used for that lockfiles aren’t?

Compliance. The article mentions "the EU’s Cyber Resilience Act will push vendors toward providing SBOMs", and having package managers generate SBOMs directly would certainly be convenient for that.

firloop

Another drawback could be that package manager lockfile schemas are optimized for performance[0]. I wouldn't appreciate seeing slower install times by default - especially if the lockfile could be converted with other tooling.

[0]: https://bun.com/blog/behind-the-scenes-of-bun-install#optimi...