SBOM

Last updated: September 2, 2025

Liquibase Secure includes a Software Bill of Materials (SBOM) with every product release. The SBOM is a machine-readable inventory of the components bundled with Liquibase. You don't need to configure anything to generate an SBOM. Each official Liquibase Secure release includes SBOM files you can use. SBOM artifacts are pre-packaged and ready for archiving or submission as part of compliance workflows. The SBOM is located in the /liquibase directory within your Liquibase installation, for example <install_path>/liquibase/SBOM.

If you're not sure where to find your install_path, try running which liquibase for macOS/Linux or where liquibase on Windows.

Each SBOM includes:

  • Package names and version

  • Licenses and copyrights

  • Dependency relationships

  • Checksums for components to verify binary integrity

Note: The SBOM reflects only the components included in the official Liquibase release. It does not update dynamically or include any extensions, files, or checksums for content added by users after installation.

Liquibase Secure ships two SBOM formats, chosen to cover the broadest set of tools and compliance standards: CycloneDX JSON and SPDX JSON.

  • CycloneDX JSON — Developed by OWASP, this format is lightweight and optimized for DevSecOps workflows. It integrates seamlessly with popular tools like Grype, Snyk, Dependency-Track, Anchore, and Sonatype.

  • SPDX JSON — Maintained by the Linux Foundation, this format is widely used in enterprise and government environments. It is ideal for teams that standardize on SPDX across multiple tools and ecosystems.

Uses

  • Security Assessments — Pre-packaged SBOMs are ready to be archived and submitted in security assessments. You can load your SBOM into software composition analysis (SCA) and vulnerability-scanning tools like Grype, Snyk, OWASP Dependency-Track, Anchore, and JFrog Xray. These tools parse the SBOM to surface known vulnerabilities, license conflicts, or outdated components in the bundled libraries.

  • CI/CD Artifact Verification — You can store the SBOM alongside the Liquibase version in your software artifact management system (e.g., Artifactory, Nexus, or GitHub Releases). This ties each Liquibase version to the exact set of bundled dependencies it shipped with, so a later scan of the archived SBOM tells you which deployed versions are affected by a newly disclosed issue.

  • Vendor Procurement — Procurement, security, and compliance teams can use the SBOM to assess Liquibase as part of their broader vendor ecosystem. You can share the SBOM with internal compliance teams, security teams, and third-party assessors. Many vendor questionnaires explicitly request SBOM documentation.

Regulatory compliance

The SBOM helps meet requirements and expectations from regulatory and certification frameworks, such as:

  • U.S. Executive Order 14028

  • FedRAMP

  • SOC 2

  • ISO/IEC 27001

SBOM components

Package names and versions

Each component object lists the software library's name and version. This allows vulnerability scanners and auditors to accurately trace known issues and validate version hygiene.

{
  "type": "library",
  "name": "Apache Commons Lang",
  "version": "3.12.0"
}

Licenses and copyrights

Each package includes license metadata and a copyright attribute. This ensures your legal and compliance teams can validate that all components conform to acceptable open-source licensing standards.

{
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "name": "Apache License, Version 2.0"
      }
    }
  ],
  "copyright": "2001-2024 The Apache Software Foundation"
}

Checksums

Each component in the SBOM includes one or more cryptographic hashes. Recomputing the hash of each bundled file and comparing it with the value in the SBOM lets security teams confirm that the components installed are the ones originally released, and detect any that were replaced or modified. Because a tampered installation could also carry a tampered SBOM, compare against the SBOM that shipped with the official release you archived, not only the copy sitting beside the binaries.

{
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "d4ef8f3e76a7c95cb999b9e8f3a64b02c57a4d0e0f86d6d48b62db6e7b77c64d"
    }
  ]
}

Dependency relationships

The SBOM includes a complete list of dependency relationships between components. This enables accurate Software Composition Analysis (SCA): a scanner can report not just that a vulnerable library is present, but which component pulled it in, so you can judge whether the vulnerable code path is actually reachable from the release.

{
  "ref": "pkg:maven/org.liquibase/liquibase-core@4.23.2",
  "dependsOn": [
    "pkg:maven/org.yaml/snakeyaml@2.0",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"
  ]
}
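The two checks above, hash verification and dependency resolution, are the ones a practitioner usually scripts around a CycloneDX SBOM. The following is an added example written for this page; it is not Liquibase's own tooling. It assumes the SBOM is CycloneDX JSON with "components" and "dependencies" arrays, and that each library component is installed as <install_path>/lib/<name>-<version>.jar (the Liquibase docs do not specify that layout). The SBOM and jar contents it uses are constructed test data, with one file deliberately altered and one deliberately absent to show both failure modes.

```python
"""Verify bundled components against a CycloneDX JSON SBOM and walk its
dependency graph.  Added example, not Liquibase's own tooling.

Assumptions (not stated by the Liquibase docs):
  * the SBOM is CycloneDX JSON with "components" and "dependencies"
  * each library ships as <install_path>/lib/<name>-<version>.jar
The SBOM and jar bytes below are constructed test data, not release artifacts.
"""
import hashlib
import json
import os
import tempfile

# hashlib names for the CycloneDX "alg" values this script understands
HASH_ALGS = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512", "MD5": "md5"}


def file_digest(path, alg):
    """Stream the file through hashlib so large jars are not read into memory."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def component_path(install_path, comp):
    """Assumed layout: libraries live in lib/<name>-<version>.jar."""
    return os.path.join(install_path, "lib", f"{comp['name']}-{comp['version']}.jar")


def verify_hashes(sbom, install_path):
    """Return {bom-ref: 'ok' | 'mismatch' | 'missing' | 'no-hash'} per component.
    Every listed hash is checked; a mismatch on any algorithm marks the
    component as tampered."""
    results = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or comp["name"]
        hashes = [h for h in comp.get("hashes", []) if h["alg"] in HASH_ALGS]
        path = component_path(install_path, comp)
        if not hashes:
            results[ref] = "no-hash"       # nothing to verify against
        elif not os.path.isfile(path):
            results[ref] = "missing"       # listed in SBOM, absent on disk
        else:
            ok = all(file_digest(path, HASH_ALGS[h["alg"]]) == h["content"].lower()
                     for h in hashes)
            results[ref] = "ok" if ok else "mismatch"
    return results


def transitive_deps(sbom, ref):
    """Everything `ref` depends on, directly or indirectly (cycle-safe)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


# --- constructed sample data ---------------------------------------------------
CORE = "pkg:maven/org.liquibase/liquibase-core@4.23.2"
YAML = "pkg:maven/org.yaml/snakeyaml@2.0"
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"
LOG4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0"

# (name, version, bom-ref) -> bytes the release is supposed to contain
RELEASED = {
    ("liquibase-core", "4.23.2", CORE): b"core bytes",
    ("snakeyaml", "2.0", YAML): b"yaml bytes",
    ("log4j-core", "2.20.0", LOG4J): b"log4j bytes",
    ("log4j-api", "2.20.0", LOG4J_API): b"api bytes",
}

SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": n, "version": v, "bom-ref": r,
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b).hexdigest()}]}
        for (n, v, r), b in RELEASED.items()
    ],
    "dependencies": [
        {"ref": CORE, "dependsOn": [YAML, LOG4J]},
        {"ref": LOG4J, "dependsOn": [LOG4J_API]},
        {"ref": LOG4J_API, "dependsOn": []},
    ],
}


def demo():
    """Build a temp install dir, tamper with one jar, drop another, run both checks."""
    with tempfile.TemporaryDirectory() as install_path:
        lib = os.path.join(install_path, "lib")
        os.makedirs(lib)
        for (n, v, _), b in RELEASED.items():
            if n == "log4j-api":
                continue                      # simulate a file removed after install
            with open(os.path.join(lib, f"{n}-{v}.jar"), "wb") as f:
                f.write(b)
        with open(os.path.join(lib, "snakeyaml-2.0.jar"), "wb") as f:
            f.write(b"yaml bytes, modified")  # simulate a swapped-in build
        results = verify_hashes(json.loads(json.dumps(SAMPLE_SBOM)), install_path)
    return results, transitive_deps(SAMPLE_SBOM, CORE)


if __name__ == "__main__":
    hashes, deps = demo()
    for ref, status in hashes.items():
        print(f"{status:9} {ref}")
    print("liquibase-core transitively depends on:", sorted(deps))
```

On a real installation, replace `SAMPLE_SBOM` with `json.load(open(path))` on the CycloneDX file from the SBOM directory and point `install_path` at the directory `which liquibase` resolves to. The same parsed SBOM can be handed to a scanner for the vulnerability side of the assessment; Grype, for example, accepts a CycloneDX file directly with `grype sbom:<path-to-sbom.json>`.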