Software Bill of Materials and Dependency Graphs

Status: public · Confidence: medium (0.865) · Basis: verified_sources

## TL;DR

A software bill of materials is a machine-readable inventory of software components. A dependency graph connects those components to manifests, versions, packages, transitive paths, and vulnerabilities.

## Core Explanation

Agents that work on repositories often need to answer dependency questions: what package introduced a vulnerable transitive dependency, which manifest controls it, whether a lockfile changed, and what SBOM format can represent the result. Dependency graphs and SBOMs give code agents structured supply-chain context instead of forcing them to infer dependencies from scattered package files.
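The two questions above (which direct dependency pulls in a vulnerable transitive package, and how to emit the result as an SBOM) can be worked through on a small graph. This is an added example, not code from the page or from GitHub, SPDX or CycloneDX: the lockfile-style graph and package names are constructed, and the output only follows the general shape of a CycloneDX JSON document (`bomFormat`, `specVersion`, `components`, `dependencies`); it has not been validated against the 1.6 schema.

```python
import json
from collections import deque

# Constructed sample: a flattened lockfile-style graph, "name@version" -> direct deps.
# "app@1.0.0" stands for the repository's own manifest; all names are made up.
LOCK = {
    "app@1.0.0": ["web@2.3.1", "cli@0.9.0"],
    "web@2.3.1": ["http-core@1.4.2", "templating@3.0.0"],
    "cli@0.9.0": ["http-core@1.4.2"],
    "http-core@1.4.2": ["parser@0.2.7"],
    "templating@3.0.0": [],
    "parser@0.2.7": [],
}

def paths_to(graph, root, target):
    """Return every dependency path from root to target (BFS, skips cycles)."""
    found, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for dep in graph.get(path[-1], []):
            if dep not in path:  # a revisited node would be a cycle
                queue.append(path + [dep])
    return found

def introducing_direct_deps(graph, root, target):
    """Direct dependencies of root that pull in target: the entries to upgrade or pin."""
    return sorted({p[1] for p in paths_to(graph, root, target) if len(p) > 1})

def to_cyclonedx(graph, root):
    """Serialize the graph as a dict shaped like a CycloneDX 1.6 BOM (assumed field names)."""
    def comp(ref):
        name, version = ref.rsplit("@", 1)
        return {"type": "library", "bom-ref": ref, "name": name,
                "version": version, "purl": f"pkg:generic/{name}@{version}"}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": comp(root)},
        "components": [comp(r) for r in graph if r != root],
        "dependencies": [{"ref": r, "dependsOn": list(d)} for r, d in graph.items()],
    }

if __name__ == "__main__":
    # Suppose parser@0.2.7 is the vulnerable transitive package under investigation.
    print(introducing_direct_deps(LOCK, "app@1.0.0", "parser@0.2.7"))
    print(json.dumps(to_cyclonedx(LOCK, "app@1.0.0"), indent=2))
```

Both direct dependencies reach the same transitive package, so pinning or upgrading only one of them would leave the other path in place; the `dependencies` section records exactly those paths for a consumer of the BOM.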

## Source-Mapped Facts

- GitHub documentation says the dependency graph summarizes manifest and lock files in a repository plus dependencies submitted through the dependency submission API. ([source](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph))
- SPDX documentation says the SPDX specification is an international open standard for software bill of materials information. ([source](https://spdx.dev/use/specifications/))
- The CycloneDX 1.6 JSON schema defines a machine-readable BOM document schema for CycloneDX bill-of-materials documents. ([source](https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.6.schema.json))

## Further Reading

- [GitHub dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
- [SPDX specifications](https://spdx.dev/use/specifications/)
- [CycloneDX 1.6 JSON schema](https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.6.schema.json)