Why New Generation of SBOM Tools Matters

As a preface for what I mean by old-generation tooling, here is a screenshot from the Semgrep documentation:

Image of a man choosing between the Old Way (legacy SBOM tools) and the New Way (the TEA way for SBOM tools).

Essentially, this asks developers to centre their SBOM generation efforts around the main branch of a repository.

To expand on this, the legacy generation of tooling simply slaps an SBOM onto a security scan, resulting in a single SBOM per project. This approach indeed adds little value beyond traditional Software Composition Analysis (SCA).

However, due to the popularity and marketing efforts behind legacy tools, there is a popular perception that SBOMs offer very little – or even no – value beyond meeting compliance requirements.

But this perception does not reflect the reality of the new generation of xBOM tooling. These new tools are designed to implement the Transparency Exchange API (TEA). The key difference is that these new tools recognize that SBOMs / xBOMs must be assigned to a specific release, hardware model, or commit.

This enables several workflows that are beyond the capabilities of legacy tooling:

  1. Near real-time tracking of vulnerabilities and security violations for any software or hardware release currently in use.
  2. Tracking changes in security posture as soon as development introduces them. For example, if a new dependency is added, an audit trail of BOMs allows you to establish where it was introduced and which versions are affected.
  3. Lifecycle tracking – specifically, General Availability, End of Support and End of Life statuses.
  4. Configurable exchange of the above data via a unified TEA API.
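The audit-trail workflow in item 2, as an added example that is not code from ReARM, Dependency-Track or the TEA specification: given one BOM per release (constructed, minimal CycloneDX-style documents below), it diffs consecutive releases and traces the release that first introduced a component and every release still shipping it. It assumes the BOMs are supplied in release order and that components are identified by their `purl`.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed, minimal CycloneDX-style SBOMs, one per release (not real project data).
# Only the fields the audit needs are present: the release version under
# metadata.component and the dependency list under components (keyed by purl).
RELEASE_BOMS: List[str] = [
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"name": "demo-app", "version": "1.0.0"}},
                "components": [{"purl": "pkg:maven/org.example/core@2.1.0"}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"name": "demo-app", "version": "1.1.0"}},
                "components": [{"purl": "pkg:maven/org.example/core@2.1.0"},
                               {"purl": "pkg:maven/org.example/legacy-xml@0.9.1"}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"name": "demo-app", "version": "1.2.0"}},
                "components": [{"purl": "pkg:maven/org.example/core@2.2.0"},
                               {"purl": "pkg:maven/org.example/legacy-xml@0.9.1"}]}),
]


def load_release(bom_json: str) -> Tuple[str, Set[str]]:
    """Return (release version, set of component purls) for one SBOM document."""
    bom = json.loads(bom_json)
    release = bom["metadata"]["component"]["version"]
    purls = {c["purl"] for c in bom.get("components", []) if "purl" in c}
    return release, purls


def diff_releases(prev_bom: str, curr_bom: str) -> Dict[str, Set[str]]:
    """Dependencies added and removed between two consecutive release SBOMs."""
    _, before = load_release(prev_bom)
    _, after = load_release(curr_bom)
    return {"added": after - before, "removed": before - after}


def trace_component(boms: List[str], purl: str) -> Tuple[Optional[str], List[str]]:
    """Walk the per-release audit trail in order and report the release that first
    introduced `purl` plus every release still shipping it. A single per-project
    SBOM cannot answer either question, which is the point of per-release BOMs."""
    introduced_in: Optional[str] = None
    affected: List[str] = []
    for bom_json in boms:
        release, purls = load_release(bom_json)
        if purl in purls:
            affected.append(release)
            if introduced_in is None:
                introduced_in = release
    return introduced_in, affected


if __name__ == "__main__":
    print(trace_component(RELEASE_BOMS, "pkg:maven/org.example/legacy-xml@0.9.1"))
```

Because matching is at the purl level, a version bump of an existing dependency shows up as one purl removed and another added, which is exactly the signal a reviewer wants when tracing a vulnerable version across releases.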

Some of these workflows are already supported by next-generation tools, such as ReARM, which we develop and which works in conjunction with Dependency-Track. Others (mainly lifecycle tracking and data exchange) are currently in development.

Therefore, it is important to distinguish between legacy tooling practices and real improvements in what BOMs actually allow you to do. To identify next-generation tools, look for those that are implementing TEA. These tools are the ones most likely to add meaningful value when working with BOMs.
