"SBOMs in Practice: SPDX, CycloneDX, and CI Automation for Real Systems"
SBOMs are easy to generate and hard to trust. This book is written for experienced engineers—security, platform, DevOps, and build/release leaders—who need SBOMs to function as dependable production artifacts rather than compliance checkboxes. It focuses on the realities that break automation: ambiguous component identity, lossy format conversions, incomplete dependency graphs, and the operational drift between what you built and what you actually deployed.
You'll learn to design SBOMs that correlate cleanly with vulnerability and license data, using pragmatic identity strategies (purl, CPE where unavoidable, and digests when they truly help). The book goes deep on graph semantics for impact analysis, interoperability constraints across serializations, and the practical tradeoffs of SPDX (especially licensing fidelity) versus CycloneDX (security-centric modeling, services, and completeness signaling). It then ties everything together with scalable generation strategies—build, source/lockfile, binary/image, and runtime views—and a production CI blueprint with normalization, validation, diffing, drift detection, policy gates, VEX workflows, signing/provenance, and distribution.
Expect hands-on, pipeline-oriented guidance with decision criteria and failure modes called out explicitly. Readers should already be comfortable with modern build systems, dependency management, and CI/CD; the differentiator here is turning SBOM theory into an end-to-end, defensible operational capability.
