Concepts and objectives

By providing a transparent accounting of all software components, the SBOM enables organizations to perform proactive risk management, ensure regulatory compliance, and verify the integrity of the software supply chain.

What is an SBOM

An SBOM is a machine-readable inventory of everything that makes up a software product - its components, dependencies, and relationships between them.

For every MOSK release, Mirantis publishes an SBOM that lists the artifacts, including binaries, container images, and host operating system packages, required to deploy or update MOSK clusters on-premises.

Since the MOSK SBOM is standardized and verifiable, it integrates seamlessly with existing governance, risk, and compliance (GRC) tooling, as well as with vulnerability and asset-management pipelines.

Why SBOM matters to security and operations

An SBOM provides the critical visibility needed to manage the complex software supply chain within modern cloud environments. Specifically, it enables organizations to address the following key areas:

  • Faster vulnerability response

    Map disclosed CVEs to the exact versions present in a MOSK deployment, prioritize remediation, and provide evidence of exposure (or non-exposure)

  • Supply-chain transparency

    Gain visibility into third-party and open-source components within the deployment, including OpenStack, OpenSDN, Ceph, StackLight, and so on. Understand their origins and identify dependencies between subsystems

  • Tamper detection and provenance

    Ensure the integrity of the environment by verifying that both the SBOM and the artifacts consumed originate directly from Mirantis and have not been altered in transit

  • License and regulatory compliance

    Simplify audits and satisfy regulatory frameworks by tracking license obligations and open-source usage at scale, ensuring that software composition meets all legal and industry requirements

  • Operational hygiene

    Maintain an up-to-date component inventory to streamline update planning, standardize golden images, and eliminate configuration drift across deployments
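As an added illustration of the first point above (mapping disclosed CVEs to the exact versions in a deployment), the following example is not part of the Mirantis documentation or tooling. It assumes a CycloneDX-style JSON component list and constructed advisory records, because this page does not specify the MOSK SBOM format or its field names.

```python
"""Classify CVE advisories against the components an SBOM lists.

Added example, not Mirantis code. The SBOM layout is a constructed
CycloneDX-style fragment; the real MOSK SBOM format is not shown here.
"""
import json
import re

# Constructed SBOM fragment: a few components as an SBOM would list them.
SBOM_JSON = json.dumps({
    "components": [
        {"name": "openssl", "version": "3.0.2", "type": "library"},
        {"name": "ceph", "version": "17.2.6-1", "type": "application"},
        {"name": "libxml2", "version": "2.9.14", "type": "library"},
    ]
})

# Constructed advisories with placeholder CVE ids (not real identifiers):
# the affected component and the first version that carries the fix.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "component": "openssl", "fixed_in": "3.0.7"},
    {"cve": "CVE-0000-0002", "component": "ceph", "fixed_in": "17.2.5"},
    {"cve": "CVE-0000-0003", "component": "nginx", "fixed_in": "1.25.0"},
]


def parse_version(version):
    """Turn '17.2.6-1' into (17, 2, 6, 1) so versions compare numerically.
    Simplification: distro suffixes such as '-1ubuntu2' are reduced to digits."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def load_components(sbom_text):
    """Build a name -> version inventory from the SBOM component list."""
    data = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in data["components"]}


def assess(sbom_text, advisories):
    """Return one record per advisory: exposed, not-exposed, or not-present.
    A component is exposed when its deployed version is below the fixed one."""
    inventory = load_components(sbom_text)
    report = []
    for adv in advisories:
        name = adv["component"]
        if name not in inventory:
            status = "not-present"  # evidence of non-exposure: not deployed
        elif parse_version(inventory[name]) < parse_version(adv["fixed_in"]):
            status = "exposed"
        else:
            status = "not-exposed"
        report.append({"cve": adv["cve"], "component": name,
                       "deployed": inventory.get(name), "status": status})
    return report


if __name__ == "__main__":
    for record in assess(SBOM_JSON, ADVISORIES):
        print(record)
```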