<!-- LLM_VERSION_INFO
FORMAT: text/markdown
CONTENT_TYPE: article
ORIGINAL_URL: https://www.ketryx.com/blog/how-to-generate-an-sbom-software-bill-of-materials-fast
ALTERNATE_VERSION: blog/how-to-generate-an-sbom-software-bill-of-materials-fast.html (text/html)
EXTRACTION_DATE: 2026-05-05T02:41:35.231Z

This is the markdown version with text-only content (images converted to alt-text).
For rich formatting with images, request the HTML version at: blog/how-to-generate-an-sbom-software-bill-of-materials-fast.html
-->

# How to generate an SBOM (Software Bill of Materials) fast

**Jan Pöschko**  
**November 2, 2023**

## Table of Contents
- [What is an SBOM?](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#what-is-an-sbom/index.html)
- [Who needs an SBOM?](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#who-needs-an-sbom/index.html)
- [When to create a software bill of materials (SBOM)](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#when-to-create-a-software-bill-of-materials-sbom/index.html)
- [Are there open-source SBOM generators & SBOM Tools?](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#are-there-open-source-sbom-generators-and-sbom-tools/index.html)
- [Step by Step instructions to Create an SBOM and What’s Included](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#step-by-step-instructions-to-create-an-sbom-and-whats-included/index.html)
- [Ketryx generates SBOMs in seconds](/content/blog/how-to-generate-an-sbom-software-bill-of-materials-fast#ketryx-generates-sboms-in-seconds/index.html)

## What is an SBOM?
A software bill of materials (SBOM) derives from the traditional use of a bill of materials (BOM) in manufacturing, which catalogs the raw materials and components of a product. An SBOM is a complete list of all the software components used in a product, including commercial off-the-shelf (COTS) and open-source components.

As software becomes increasingly integral to the operation of medical devices, regulatory agencies such as the FDA have recognized the need for transparency and traceability in the [software supply chain](/content/blog/what-is-soup/index.html). An SBOM is a key part of meeting these needs. Creating and maintaining an SBOM presents challenges because of the inherent amount of change in software and the huge number of dependencies modern software products use.

## Who needs an SBOM?
Any organization involved in the development and distribution of software, especially in industries with regulatory oversight, can benefit from having an SBOM. However, medical device software manufacturers have a critical need for SBOMs due to the stringent regulations and safety requirements imposed by regulatory agencies such as the FDA.

[The latest FDA guidance](/content/blog/fda-drops-an-sbom/index.html) on cybersecurity in medical devices states that software manufacturers and other regulated organizations need an SBOM to meet regulatory requirements, ensure software transparency, and manage risks effectively. As of October 1, 2023, manufacturers’ submissions can be rejected by the FDA if an SBOM and a plan to monitor and respond to vulnerabilities is not included. By following a step-by-step guide and using SBOM generators or tools, organizations can streamline the SBOM generation process and improve the overall security and compliance of their software products.

## When to create a software bill of materials (SBOM)
You should incorporate SBOM generation as a standard practice throughout the entire software development lifecycle to ensure that the SBOM remains comprehensive, accurate, and aligned with the software being developed. Creating an SBOM early in the lifecycle allows better tracking and documentation of software components as they are integrated into the product.

Waiting to create an SBOM until later stages of development makes it difficult to identify all of the used components and their versions, especially if the development process has frequent updates or changes. Additionally, delays in creating the SBOM can impede compliance with regulatory requirements, as well as hinder vulnerability management and risk assessment processes, by providing an incomplete overview of the project.

## Are there open-source SBOM generators & SBOM Tools?
Yes, there are SBOM generators and tools available that can assist in the creation and management of the software bill of materials (SBOMs). However, while many of these tools claim to automate the SBOM management process, the truth is that there is still a large amount of manual intervention and configuration that falls on the development and compliance teams who use them.

It's important to note that the availability and features of specific tools may vary. It's recommended to explore and evaluate different options based on your organization's specific needs and requirements.

## Step by Step instructions to Create an SBOM and What’s Included
Medical device software manufacturers consistently lose time, and developers, adhering to cybersecurity-related documentation requirements.

1. **Proprietary, open-source software and other third-party components must be documented and updated with even small changes to any component.** 
    - _How it's done: Development teams track down each component in their system and prepare for compilation into an SBOM._
2. **Create a list of components:** Once all components are identified, software teams compile the list into a traditional SBOM. Information must include the Component name, version number, software manufacturer, level of support provided by the software manufacturer, the end-of-support date, and any known vulnerabilities.
    - _How it's done: Traditionally, developer teams achieve this task by manually copying and pasting into Excel spreadsheets or a siloed documentation tool._
3. **Determine dependencies:** The next step is to determine the dependencies between the components.
    - _How it's done: Teams manually import their dependencies into their traceability matrix._
4. **Verify component licenses:** The licenses of each software component need to be verified to ensure compliance with regulatory requirements.
    - _How it's done: Teams go through and verify each component one by one._
5. **Document and maintain the SBOM:** Documenting and maintaining your SBOM over time is a long-term stressor for software development teams.
    - _How it's done: The demand to update the SBOM after each small change piles up on the development team._
6. **Monitor Vulnerabilities:** New vulnerabilities are constantly being identified.
    - _How it's done: Personnel in the organization monitor the dependencies contained in the SBOM._

## Ketryx generates SBOMs in seconds
Ketryx enables organizations to create an FDA-compliant SBOM in seconds and easily manage it over the course of the product life cycle. **How it’s done:**

1. Open your Ketryx Project dashboard.
2. Select “Create Project” and copy your Git Repository URL into the designated box.
3. Watch your updated SBOM generate in seconds, along with much of the FDA required metadata for each item.
4. Assign risk-levels for each dependency and enter in FDA-required information.

If you’re ready to learn about Ketryx Open Supply Chain and our truly automated SBOM tool that leverages AI/ML, [try it here.](https://app.ketryx.com/auth/signup?callbackUrl=https%3A%2F%2Fapp.ketryx.com&_gl=1*pgttnn*_gcl_aw*R0NMLjE2OTc0Njg0MTYuQ2p3S0NBand2ck9wQmhCZEVpd0FSNTgtM0dBWE53a3VHb0dVR2Z0MmNQd05PLTZqWXNOZGNrd1UtVlRONTQ5ZE41R3BXRjhpaGVCT0Nob0NaSWtRQXZEX0J3RQ..*_gcl_au*OTc2OTkyMDE2LjE2OTgwNzQyMDI.)

Continue exploring the topic of SBOMs and the newest FDA requirements with Ketryx’s blog post “ [The FDA drops a cybersecurity compliance SBOM in 2023.](/content/blog/fda-drops-an-sbom/index.html)"