# V2 Software Bill of Materials ## Control Objective Automatically creating accurate Software Bill of Materials (SBOM) in the build pipeline is one indicator of mature development processes. SBOMs should be a machine readable format. Each format has different capabilities and use-cases they excel in. Part of SBOM adoption is identifying the use-cases and capabilities best suited to specific purposes. While SBOM format standardization across an organization may be desirable, it may be necessary to adopt more than one to meet functional, contractual, compliance, or regulatory requirements. ## Verification Requirements | # | Description | L1 | L2 | L3 | | :------: | ----------------------------------------------------------------------------------------------------------------------- | :-: | :-: | :-: | | **2.1** | A structured, machine readable software bill of materials (SBOM) format is present | ✓ | ✓ | ✓ | | **2.2** | SBOM creation is automated and reproducible | | ✓ | ✓ | | **2.3** | Each SBOM has a unique identifier | ✓ | ✓ | ✓ | | **2.4** | SBOM has been signed by publisher, supplier, or certifying authority | | ✓ | ✓ | | **2.5** | SBOM signature verification exists | | ✓ | ✓ | | **2.6** | SBOM signature verification is performed | | | ✓ | | **2.7** | SBOM is timestamped | ✓ | ✓ | ✓ | | **2.8** | SBOM is analyzed for risk | ✓ | ✓ | ✓ | | **2.9** | SBOM contains a complete and accurate inventory of all components the SBOM describes | ✓ | ✓ | ✓ | | **2.10** | SBOM contains an accurate inventory of all test components for the asset or application it describes | | ✓ | ✓ | | **2.11** | SBOM contains metadata about the asset or software the SBOM describes | | ✓ | ✓ | | **2.12** | Component identifiers are derived from their native ecosystems (if applicable) | ✓ | ✓ | ✓ | | **2.13** | Component point of origin is identified in a consistent, machine readable format (e.g. PURL) | | | ✓ | | **2.14** | Components defined in SBOM have accurate license information | ✓ | ✓ | ✓ | | **2.15** | Components defined in SBOM have valid SPDX license ID's or expressions (if applicable) | | ✓ | ✓ | | **2.16** | Components defined in SBOM have valid copyright statements | | | ✓ | | **2.17** | Components defined in SBOM which have been modified from the original have detailed provenance and pedigree information | | | ✓ | | **2.18** | Components defined in SBOM have one or more file hashes (SHA-256, SHA-512, etc) | | | ✓ | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://owasp-scvs.gitbook.io/scvs/v2-software-bill-of-materials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.