What is a software bill of materials, and how does having one change your response when a critical CVE drops in a widely used library?
technical-conceptual · Mid level · cloud-devops-security
What the interviewer is really asking
Assesses whether the candidate understands an SBOM as a machine-readable dependency inventory and can connect it to concrete vulnerability response, not just recite that it 'lists components'.
What to say
- Define an SBOM as a machine-readable inventory of every component and transitive dependency in an artifact, in a standard format like CycloneDX or SPDX, generated at build time so it reflects what actually shipped.
- Explain the response payoff: when something like Log4Shell lands, you query your SBOMs to instantly answer 'which of our 200 services pull this exact version and depth?' instead of grepping repos for days.
- Cover the lifecycle: generate the SBOM in the pipeline, store it alongside the artifact, and continuously scan stored SBOMs against new advisories, optionally pairing it with VEX so you suppress non-exploitable findings.
What to avoid
- Treating an SBOM as a one-time compliance checkbox you produce for an auditor and never query again.
- Claiming a top-level dependency list is enough, ignoring that the real risk usually lives in transitive dependencies the SBOM is meant to surface.
- Conflating the SBOM with the scanner: the SBOM is the inventory, vulnerability correlation against CVE feeds is a separate, ongoing step.
Example answers
Strong: An SBOM is a machine-readable list of every direct and transitive dependency in a build, in CycloneDX or SPDX. We generate one per image in CI and store it with the artifact. When a CVE lands I query SBOMs by package and version to find exactly which services are affected and how deep the dependency sits, instead of guessing.
Weak: It's a list of the open-source libraries we use, like a manifest. It's mostly there so we can show auditors we know what's in our software.
Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.