Casebook Case 01 · Medical device SBOMs
Glossary.
The acronyms and terms you’ll see in a regulatory SBOM submission, defined in plain English for practitioners.
Alan Parkinson · Last reviewed April 30, 2026 · 5 terms
- Software Bill of Materials (aka SBOM)
A structured, machine-readable inventory of every third-party software component in a product, including exact version numbers. The SBOM is the foundation that lets a manufacturer, regulator, or customer match what is inside a device against known cybersecurity vulnerabilities.
- Common Vulnerabilities and Exposures (aka CVE)
A public catalogue of disclosed cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2014-0160 for Heartbleed). When a regulator or customer asks whether a device is affected by a specific CVE, the SBOM is what lets you answer.
- SPDX (aka Software Package Data Exchange)
An open ISO-standardised file format for SBOMs, widely used in open-source ecosystems. SPDX documents can be expressed as JSON, YAML, or tag-value text and are accepted by both FDA and EU regulators.
- CycloneDX
An OWASP-led SBOM file format with first-class support for vulnerability and exploitability data. CycloneDX is often preferred when an SBOM is paired with an ongoing post-market vulnerability process.
- Vulnerability Exploitability eXchange (aka VEX)
A companion document to an SBOM that records, for each known vulnerability, whether the device is actually affected and why. VEX is what turns a noisy SBOM-plus-CVE-list into a defensible regulatory and customer-facing answer.
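The three-way join the entries above describe (components in the SBOM, matched against a CVE list, then answered through a VEX) is shown below as an added example; it is not code from the casebook or from the SPDX or CycloneDX projects. The SBOM and VEX dictionaries imitate the CycloneDX JSON shape (`components[]`, `vulnerabilities[].analysis.state`) but are abbreviated and not schema-validated; the advisory feed, the component set and the `CVE-0000-…` identifiers are constructed placeholders, and CVE-2014-0160 is the Heartbleed identifier from the glossary with an affected-version list written in for the example.

```python
"""Join a CycloneDX-style SBOM, a CVE list and a VEX into a per-CVE answer.

Added example with constructed data. The SBOM and VEX imitate the CycloneDX
JSON shape but are not complete or schema-validated documents.
"""
import json

# Constructed SBOM: one device firmware image with three third-party components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.1f", "bom-ref": "pkg:generic/openssl@1.0.1f"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "bom-ref": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "sqlite", "version": "3.40.0", "bom-ref": "pkg:generic/sqlite@3.40.0"},
    ],
})

# Constructed advisory feed: CVE id -> (component name, set of exact affected versions).
# CVE-2014-0160 is Heartbleed (from the glossary); the CVE-0000-... ids are placeholders.
ADVISORIES = {
    "CVE-2014-0160": ("openssl", {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}),
    "CVE-0000-00001": ("zlib", {"1.2.11"}),    # placeholder: matches the shipped version
    "CVE-0000-00002": ("sqlite", {"3.39.0"}),  # placeholder: does not match the shipped version
}

# Constructed VEX: the manufacturer's analysis per CVE, using CycloneDX "analysis" fields.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-2014-0160",
         "analysis": {"state": "exploitable",
                      "detail": "TLS heartbeat extension is enabled on the management interface"},
         "affects": [{"ref": "pkg:generic/openssl@1.0.1f"}]},
        {"id": "CVE-0000-00001",
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "vulnerable code path is compiled out of this build"},
         "affects": [{"ref": "pkg:generic/zlib@1.2.11"}]},
    ],
})


def match_cves(sbom: dict, advisories: dict) -> dict:
    """Return {cve_id: bom-ref} for every component whose exact version is listed as affected."""
    hits = {}
    for comp in sbom["components"]:
        for cve_id, (name, versions) in advisories.items():
            if comp["name"] == name and comp["version"] in versions:
                hits[cve_id] = comp["bom-ref"]
    return hits


def apply_vex(matches: dict, vex: dict) -> dict:
    """Overlay VEX analysis onto the raw SBOM-vs-CVE matches.

    A matched CVE with no VEX statement is reported as 'in_triage' (the CycloneDX
    state for 'not yet analysed'), so an unanswered match is never silently dropped.
    """
    statements = {v["id"]: v.get("analysis", {}) for v in vex.get("vulnerabilities", [])}
    answer = {}
    for cve_id, ref in matches.items():
        analysis = statements.get(cve_id, {"state": "in_triage"})
        answer[cve_id] = {
            "component": ref,
            "state": analysis.get("state", "in_triage"),
            "justification": analysis.get("justification"),
            "detail": analysis.get("detail"),
        }
    return answer


def open_items(answer: dict) -> list:
    """CVEs still needing action: anything not closed out by the VEX."""
    closed = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}
    return sorted(cve for cve, a in answer.items() if a["state"] not in closed)


def build_answer(sbom_json: str = SBOM_JSON, vex_json: str = VEX_JSON, advisories: dict = ADVISORIES) -> dict:
    """End-to-end: parse SBOM and VEX, match against the advisory feed, return the per-CVE answer."""
    return apply_vex(match_cves(json.loads(sbom_json), advisories), json.loads(vex_json))


if __name__ == "__main__":
    result = build_answer()
    for cve_id, a in result.items():
        print(f"{cve_id}: {a['state']:<12} {a['component']}  {a['justification'] or ''}  {a['detail'] or ''}")
    print("open:", open_items(result))
```

Exact-version matching is used so the logic stays transparent; a production tool would evaluate version ranges (and ideally PURL or CPE identifiers) from a real advisory source. The point the glossary makes survives either way: the SBOM alone yields two raw hits, and only the VEX turns them into one closed item with a stated justification and one open item that still needs a fix.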