A comprehensive guide to generating and understanding Software Bills of Materials (SBOMs) with Docker and Django-CMS

  • SBOMs overview: SBOMs are a rapidly emerging field, and many vendors offer tools that generate them automatically. At a minimum an SBOM lists everything that makes up the software, starting with its dependencies. Open questions remain, such as whether to include test dependencies and how to capture the runtime environment (straightforward for a dockerized application, harder on bare metal or VMs). An SBOM is not absolute truth, and its generation belongs in the CI/CD pipeline.
  • Example project: the walkthrough uses Django-CMS and its quickstart, a Python project with a requirements.txt. Tools such as cyclonedx-python and spdx-sbom-generator can produce SBOMs from it in different formats (CycloneDX and SPDX respectively). After generating an SBOM for the application layer, running docker sbom (which uses syft) against the image yields an SBOM for the Docker environment; it is much larger because it covers the runtime environment as well as the application stack.
  • Sub-dependency issue: Django-CMS ships a package.json whose dependencies include babel-runtime. A scanner such as osv-scanner, fed the generated SBOM, might not pick up vulnerabilities in this transitive dependency. "Exploding" the SBOM to enumerate such nested dependencies is outside the scope of the article.
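The three points above describe one workflow: produce an application-layer SBOM, produce a container SBOM, then notice what the first one misses. The script below is an added example, not code from the article or from the Django-CMS project. It walks a CycloneDX dependency graph from the root component, diffs an application SBOM against a container SBOM, and lists components that no dependency edge attributes to a parent. Both SBOMs are constructed sample data embedded inline: the package versions are illustrative rather than Django-CMS's real pins, and the container SBOM is assumed to be flat (no edges beyond the root), as syft-style output often is.

```python
"""Inspect and compare CycloneDX SBOMs: walk the dependency graph from the
root component and diff an application-layer SBOM against a container SBOM.
All SBOM content below is constructed sample data, not real tool output."""
import json
from collections import deque


def _component(ctype, purl, name, version):
    """Build a minimal CycloneDX component; the bom-ref reuses the purl."""
    return {"type": ctype, "name": name, "version": version,
            "purl": purl, "bom-ref": purl}


# Constructed application-layer SBOM, shaped like cyclonedx-python output for a
# requirements.txt. Versions are illustrative, not Django-CMS's actual pins.
APP_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "djangocms-quickstart", "bom-ref": "app"}},
    "components": [
        _component("library", "pkg:pypi/django-cms@3.11.0", "django-cms", "3.11.0"),
        _component("library", "pkg:pypi/django@3.2.16", "Django", "3.2.16"),
        _component("library", "pkg:pypi/sqlparse@0.4.3", "sqlparse", "0.4.3"),
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/django-cms@3.11.0"]},
        {"ref": "pkg:pypi/django-cms@3.11.0", "dependsOn": ["pkg:pypi/django@3.2.16"]},
        {"ref": "pkg:pypi/django@3.2.16", "dependsOn": ["pkg:pypi/sqlparse@0.4.3"]},
    ],
}

# Constructed container SBOM, shaped like `docker sbom` (syft) output: the same
# Python packages plus OS packages and a JS package found inside the image.
# Assumed flat: only the root edge is present, so most components have no parent.
IMAGE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "container",
                               "name": "djangocms-quickstart:latest", "bom-ref": "image"}},
    "components": APP_SBOM["components"] + [
        _component("library", "pkg:deb/debian/openssl@1.1.1n-0+deb11u3", "openssl", "1.1.1n-0+deb11u3"),
        _component("library", "pkg:deb/debian/libc6@2.31-13+deb11u5", "libc6", "2.31-13+deb11u5"),
        _component("library", "pkg:npm/babel-runtime@6.26.0", "babel-runtime", "6.26.0"),
    ],
    "dependencies": [
        {"ref": "image", "dependsOn": ["pkg:pypi/django-cms@3.11.0"]},
    ],
}


def load_sbom(path):
    """Load a CycloneDX JSON file produced by a real tool (same shape as above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def purls(sbom):
    """Set of package URLs listed in the SBOM's components."""
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}


def depth_from_root(sbom):
    """BFS over the `dependencies` graph starting at metadata.component.
    Returns {bom-ref: depth}; depth 1 is a direct dependency."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:  # skips cycles and diamond dependencies
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def unattributed(sbom):
    """Components listed but not reachable from the root via dependency edges:
    what a flat SBOM looks like before it is 'exploded' into a graph."""
    reachable = depth_from_root(sbom)
    return sorted(c["bom-ref"] for c in sbom.get("components", [])
                  if c["bom-ref"] not in reachable)


def only_in_image(app_sbom, image_sbom):
    """Components the container SBOM sees that the application SBOM does not."""
    return sorted(purls(image_sbom) - purls(app_sbom))


def ecosystems(refs):
    """Count components per purl type, e.g. {'pypi': 3, 'deb': 2, 'npm': 1}."""
    counts = {}
    for ref in refs:
        eco = ref.split(":", 1)[1].split("/", 1)[0]
        counts[eco] = counts.get(eco, 0) + 1
    return counts


if __name__ == "__main__":
    print("depth from root (app):", depth_from_root(APP_SBOM))
    print("only in image:", only_in_image(APP_SBOM, IMAGE_SBOM))
    print("unattributed in image:", unattributed(IMAGE_SBOM))
    print("ecosystems in image:", ecosystems(purls(IMAGE_SBOM)))
```

Running it shows the two gaps the article points at: `only_in_image` surfaces the OS packages and the bundled babel-runtime that the requirements.txt-derived SBOM never mentions, and `unattributed` shows that in a flat container SBOM almost nothing is tied to a parent, so a vulnerability in a nested component cannot be traced back to the package that pulled it in without further work. To use it on real output, replace the constructed dictionaries with `load_sbom("app.cdx.json")` and `load_sbom("image.cdx.json")`.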