Software Bill of Materials
Liquibase PRO includes a Software Bill of Materials (SBOM) with every product release. The SBOM is a machine-readable inventory of the components bundled with Liquibase. You don't need to configure or generate anything: each official Liquibase PRO release ships with pre-packaged SBOM files, ready for archiving or submission as part of compliance workflows.
Each SBOM includes:
- Package names and version
- Licenses and copyrights
- Dependency relationships
- Checksums for components to verify binary integrity
Note: The SBOM reflects only the components included in the official Liquibase release. It does not update dynamically or include any extensions, files, or checksums for content added by users after installation.
Liquibase PRO includes the SBOM in two formats, which together cover the broadest set of tools and compliance standards: CycloneDX JSON and SPDX JSON.
- CycloneDX JSON — Developed by OWASP, this format is lightweight and optimized for DevSecOps workflows. It integrates seamlessly with popular tools like Grype, Snyk, Dependency-Track, Anchore, Sonatype, and others.
- SPDX JSON — Maintained by the Linux Foundation, this format is widely used in enterprise and government environments. It is ideal for teams that standardize on SPDX across multiple tools and ecosystems.
Uses
- Security Assessments — Pre-packaged SBOMs are ready to be archived and submitted in security assessments. You can load the SBOM into software composition analysis (SCA) and vulnerability-scanning tools, such as Grype, Snyk, OWASP Dependency-Track, Anchore, and JFrog Xray. These tools parse the SBOM to surface known vulnerabilities, license conflicts, and outdated components.
- CI/CD Artifact Verification — You can store the SBOM alongside the Liquibase version in your software artifact management system (e.g., Artifactory, Nexus, or GitHub Releases). This gives you a record of the exact dependency versions bundled with each Liquibase release you deploy.
- Vendor Procurement — Procurement, security, and compliance teams can use the SBOM to assess Liquibase as part of your broader vendor ecosystem. You can share the SBOM with internal compliance teams, security teams, and third-party assessors. Many vendor questionnaires explicitly request SBOM documentation.
Regulatory Compliance
The SBOM helps meet requirements and expectations from regulatory and certification frameworks, such as:
- U.S. Executive Order 14028
- FedRAMP
- SOC 2
- ISO/IEC 27001
SBOM Components
Package Names and Versions
Each component object lists the software library's name and version. This allows vulnerability scanners and auditors to accurately trace known issues and validate version hygiene.
{
"type": "library",
"name": "Apache Commons Lang",
"version": "3.12.0"
}
Licenses and Copyrights
Each package includes license metadata (an SPDX license identifier where one exists) and a copyright attribute. This lets your legal and compliance teams validate that every bundled component conforms to your open-source licensing policy.
{
"licenses": [
{
"license": {
"id": "Apache-2.0",
"name": "Apache License, Version 2.0"
}
}
],
"copyright": "2001-2024 The Apache Software Foundation"
}
Checksums
Each component in the SBOM includes one or more cryptographic hashes. Security teams can recompute the hash of each delivered component and compare it with the value in the SBOM to confirm the binaries match those originally released. A mismatch indicates tampering, corruption, or a substituted component. Note that this check is only as trustworthy as the SBOM itself: obtain the SBOM from the official release channel, not from the same unverified location as the binaries you are checking.
{
"hashes": [
{
"alg": "SHA-256",
"content": "d4ef8f3e76a7c95cb999b9e8f3a64b02c57a4d0e0f86d6d48b62db6e7b77c64d"
}
]
}
Dependency Relationships
The SBOM includes a complete list of dependency relationships between components, expressed as a graph of package URL (purl) references. This enables accurate software composition analysis (SCA): a scanner can tell not only that a vulnerable library is present, but which components in the release pull it in, directly or transitively.
{
"ref": "pkg:maven/org.liquibase/liquibase-core@4.23.2",
"dependsOn": [
"pkg:maven/org.yaml/snakeyaml@2.0",
"pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"
]
}
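The following script is an added example that serves both the Checksums and Dependency Relationships sections above; it is not Liquibase's own tooling. It builds a constructed CycloneDX 1.4 JSON SBOM (not a real Liquibase release manifest) together with fake jars whose SHA-256 values match the SBOM, then verifies the jars against the SBOM, detects a tampered jar, and walks the `dependencies` graph to answer "what does liquibase-core pull in?" and "which components depend on log4j-api?". The jar naming convention `<name>-<version>.jar` is an assumption for illustration; adapt `jar_name` to the layout of your installation.

```python
import hashlib
import json
import os
import tempfile
from collections import deque

# Constructed sample data (name, version, bom-ref, fake jar bytes).
# This is NOT a real Liquibase release manifest; it only mirrors the
# CycloneDX layout shown on this page.
SAMPLE_COMPONENTS = [
    ("liquibase-core", "4.23.2", "pkg:maven/org.liquibase/liquibase-core@4.23.2", b"core-bytes"),
    ("snakeyaml", "2.0", "pkg:maven/org.yaml/snakeyaml@2.0", b"yaml-bytes"),
    ("log4j-core", "2.20.0", "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0", b"l4j-core"),
    ("log4j-api", "2.20.0", "pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0", b"l4j-api"),
]
SAMPLE_DEPENDENCIES = [
    {"ref": "pkg:maven/org.liquibase/liquibase-core@4.23.2",
     "dependsOn": ["pkg:maven/org.yaml/snakeyaml@2.0",
                   "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0"]},
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_name(component):
    # Assumed layout: <name>-<version>.jar inside the lib directory.
    return f"{component['name']}-{component['version']}.jar"


def build_sample_install(lib_dir):
    """Write fake jars plus a CycloneDX SBOM whose hashes match them,
    standing in for a vendor release bundle. Returns the SBOM path."""
    components = []
    for name, version, ref, payload in SAMPLE_COMPONENTS:
        comp = {"type": "library", "name": name, "version": version, "bom-ref": ref}
        path = os.path.join(lib_dir, jar_name(comp))
        with open(path, "wb") as f:
            f.write(payload)
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256_file(path)}]
        components.append(comp)
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": components, "dependencies": SAMPLE_DEPENDENCIES}
    sbom_path = os.path.join(lib_dir, "liquibase.cdx.json")
    with open(sbom_path, "w") as f:
        json.dump(sbom, f)
    return sbom_path


def verify_hashes(sbom, lib_dir):
    """Return {bom-ref: 'ok' | 'mismatch' | 'missing' | 'no-sha256'}."""
    results = {}
    for comp in sbom["components"]:
        ref = comp.get("bom-ref", f"{comp['name']}@{comp['version']}")
        expected = [h["content"].lower() for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
        if not expected:
            results[ref] = "no-sha256"
            continue
        path = os.path.join(lib_dir, jar_name(comp))
        if not os.path.exists(path):
            results[ref] = "missing"
            continue
        results[ref] = "ok" if sha256_file(path) in expected else "mismatch"
    return results


def dependency_graph(sbom):
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_deps(sbom, root):
    """All bom-refs reachable from root via dependsOn edges (root excluded)."""
    graph = dependency_graph(sbom)
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def dependents_of(sbom, target):
    """Every component with a dependencies entry that reaches target."""
    return {ref for ref in dependency_graph(sbom) if target in transitive_deps(sbom, ref)}


def demo():
    with tempfile.TemporaryDirectory() as lib_dir:
        with open(build_sample_install(lib_dir)) as f:
            sbom = json.load(f)
        clean = verify_hashes(sbom, lib_dir)
        # Simulate a swapped jar: overwrite snakeyaml with different bytes.
        with open(os.path.join(lib_dir, "snakeyaml-2.0.jar"), "wb") as f:
            f.write(b"trojaned")
        tampered = verify_hashes(sbom, lib_dir)
        deps = transitive_deps(sbom, "pkg:maven/org.liquibase/liquibase-core@4.23.2")
        users = dependents_of(sbom, "pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0")
    return clean, tampered, deps, users


if __name__ == "__main__":
    for result in demo():
        print(result)
```

`verify_hashes` treats a component with no SHA-256 entry as a distinct result rather than silently passing it, and `dependents_of` is the query you want when a scanner flags a transitive library: it tells you which top-level components of the release carry it, which is what a risk assessment needs. Point `lib_dir` at a real installation and load the vendor SBOM instead of the constructed one to use it outside the demo.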