SBOMs Are the New Baseline — Here’s How Liquibase Pro Delivers Them
June 4, 2025

Software supply chain security is no longer optional. Supply chain attacks increased 431% between 2021 and 2023 and are expected to continue to rise as software delivery becomes increasingly interconnected. Attackers are specifically targeting software supply chains comprising open-source and commercial software dependencies, third-party APIs, and DevOps toolchains.
SBOMs play a crucial role in mitigating software supply chain risk by providing visibility into the components and dependencies of software. Knowing exactly what is in a piece of software makes it easier to identify dependencies, find vulnerabilities before they can be exploited, and manage risk.
Enter Liquibase Pro SBOM, a new asset in Liquibase Pro that bundles Software Bill of Materials (SBOM) artifacts directly with every product release. Shipping the SBOM with the product helps organizations ensure compliance, enhance security, and streamline risk-management audits without extra configuration or CLI work. These SBOMs are fully compliant with the new CISA guidance and give security and compliance teams what they need to build trust, reduce risk, and maintain audit readiness.
What is Liquibase Pro SBOM?
A Software Bill of Materials (SBOM) is a formal record of all components—libraries, packages, and dependencies—that make up a software product.
With Liquibase Pro SBOM, Liquibase Pro customers now receive machine-readable SBOM files (in CycloneDX and SPDX formats) bundled with every official Liquibase release.
These files contain:
- Package names and versions
- Licenses and copyrights
- Checksums for verification
- Dependency relationships
By shipping SBOMs with each release, Liquibase Pro gives enterprise teams the assurance they need to manage vendor risk and meet internal or external compliance standards.
Why is Liquibase Pro SBOM important?
Enterprise teams today must prove what software they’re running—and from whom. Liquibase Pro SBOM support helps customers meet security and governance expectations without additional overhead.
Supports regulatory compliance
- Aligns with executive mandates like U.S. EO 14028
- Meets growing expectations from frameworks like FedRAMP, SOC 2, ISO 27001
Enhances software supply chain transparency
- Shows exactly what’s inside the Liquibase product you depend on
- Helps detect known vulnerabilities or outdated components
Simplifies vendor risk reviews
- Procurement, security, and compliance teams can use the SBOM to assess Liquibase as part of your broader vendor ecosystem
Improves security documentation for audits
- Pre-packaged SBOMs are ready to be archived and submitted in security assessments
- Removes the need for reverse-engineering or manually parsing open-source components
What Types of SBOMs Does Liquibase Provide?
Liquibase Pro includes two SBOM formats with every release, covering the broadest set of tools and compliance standards:
CycloneDX JSON
- Developed by OWASP
- Lightweight and optimized for DevSecOps tools
- Integrates with tools like Grype, Snyk, Dependency-Track, Anchore, Sonatype, etc.
SPDX JSON
- Maintained by the Linux Foundation
- Widely used in enterprise and government settings
- Ideal for teams standardizing on SPDX across multiple tools

What’s Inside the Liquibase Pro SBOM?
Every Liquibase Pro release now includes a machine-readable SBOM in CycloneDX and SPDX JSON formats. These files provide key details security and compliance teams rely on when verifying third-party software.
Here’s an example of how the Liquibase Pro SBOM meets industry expectations—with real examples from our official release.
1. Package Names and Versions
Each component entry lists the software library’s name and version explicitly:
{
  "type": "library",
  "name": "Apache Commons Lang",
  "version": "3.12.0"
}
This allows vulnerability scanners and auditors to accurately trace known issues and validate version hygiene.
2. Licenses and Copyrights
Each package includes license metadata as well as copyright attribution:
{
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "name": "Apache License, Version 2.0"
      }
    }
  ],
  "copyright": "2001-2024 The Apache Software Foundation"
}
This ensures your legal and compliance teams can validate that all components conform to acceptable open-source licensing standards.
3. Checksums for Verification
To ensure binary integrity, each component in the SBOM includes one or more cryptographic hashes:
{
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "d4ef8f3e76a7c95cb999b9e8f3a64b02c57a4d0e0f86d6d48b62db6e7b77c64d"
    }
  ]
}
These hashes allow security teams to verify that the components delivered match those originally released—no tampering or unexpected changes.
4. Dependency Relationships
The SBOM includes a complete list of dependency relationships between components:
{
  "ref": "pkg:maven/org.liquibase/liquibase-core@4.23.2",
  "dependsOn": [
    "pkg:maven/org.yaml/snakeyaml@2.0",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"
  ]
}
This enables accurate software composition analysis (SCA), showing how third-party libraries relate to one another inside the release.
How to Use Liquibase Pro SBOMs Successfully
You don’t need to configure anything to generate a Liquibase Pro SBOM. Instead, each official Liquibase Pro release includes SBOM files you can immediately use.
Step 1: Download the Latest Liquibase Pro Release
Visit https://www.liquibase.com/download-pro to download the latest version of Liquibase Pro. The distributable package includes:
- Liquibase binaries
- SBOM files (liquibase-pro-<version>-cyclonedx.json and liquibase-pro-<version>-spdx.json)
Step 2: Archive the SBOM in Your Internal Repository
- Store the SBOM alongside the Liquibase version in your software artifact management system (e.g., Artifactory, Nexus, or GitHub Releases)
- This allows for versioned tracking of software provenance
Step 3: Run SBOM Scans
- Feed the SBOM into vulnerability and license scanning tools like:
  - Grype
  - Snyk
  - OWASP Dependency-Track
  - Anchore
  - JFrog Xray
- These tools parse the SBOM to surface any vulnerabilities, license conflicts, or outdated components
Step 4: Use the SBOM in Audit & Vendor Reviews
- Share the SBOM with internal compliance teams, security teams, or third-party assessors
- Many vendor questionnaires now explicitly ask for SBOM documentation
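An added example, not code from Liquibase or its release tooling, that exercises the four field types described in the "What's Inside" section the way a Step 3 scan would: it verifies delivered artifact hashes against the SBOM, flags licenses outside an allowlist, and walks the dependency graph. The component names, versions, purls and artifact bytes are constructed sample values, not entries from a real Liquibase SBOM.

```python
import hashlib

# Constructed sample "delivered" artifact bytes keyed by bom-ref (stand-ins for jars).
ARTIFACTS = {"pkg:maven/example/core@1.0": b"core 1.0 contents",
             "pkg:maven/example/yaml@2.0": b"yaml 2.0 contents",
             "pkg:maven/example/log@2.20": b"log 2.20 contents"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def component(ref, name, version, license_id):
    """CycloneDX-style component carrying the name/version, license and hash fields."""
    return {"bom-ref": ref, "type": "library", "name": name, "version": version,
            "licenses": [{"license": {"id": license_id}}],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS[ref])}]}

# Constructed CycloneDX-shaped SBOM (sample names and versions, not Liquibase's own).
SBOM = {
    "components": [component("pkg:maven/example/core@1.0", "core", "1.0", "Apache-2.0"),
                   component("pkg:maven/example/yaml@2.0", "yaml", "2.0", "Apache-2.0"),
                   component("pkg:maven/example/log@2.20", "log", "2.20", "GPL-3.0-only")],
    "dependencies": [{"ref": "pkg:maven/example/core@1.0", "dependsOn": ["pkg:maven/example/yaml@2.0"]},
                     {"ref": "pkg:maven/example/yaml@2.0", "dependsOn": ["pkg:maven/example/log@2.20"]}],
}

def verify_hashes(sbom, delivered):
    """bom-ref -> True only if the SBOM lists a SHA-256 that matches the delivered bytes."""
    result = {}
    for c in sbom["components"]:
        expected = {h["content"].lower() for h in c.get("hashes", []) if h["alg"] == "SHA-256"}
        data = delivered.get(c["bom-ref"])
        result[c["bom-ref"]] = data is not None and sha256_hex(data) in expected
    return result

def license_violations(sbom, allowed):
    """(name, version, license id) for every component whose license is not allowlisted."""
    return [(c["name"], c["version"], lic.get("license", {}).get("id", "UNKNOWN"))
            for c in sbom["components"] for lic in c.get("licenses", [])
            if lic.get("license", {}).get("id") not in allowed]

def transitive_deps(sbom, ref):
    """Every bom-ref reachable from ref through the dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(graph.get(cur, []))
    return seen
```

A component whose delivered bytes differ from the SBOM hash, or that is missing from the delivery entirely, fails verification; the same loop applies unchanged to a real release if the purls are mapped to the files on disk.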

Common Use Cases for Liquibase Pro SBOM
Security Assessments
Security-conscious organizations and teams going through SOC 2, ISO 27001, or FedRAMP audits can use the Liquibase Pro SBOM as proof of transparency and supply chain diligence.
CI/CD Artifact Verification
You can store Liquibase’s SBOM artifacts alongside your build metadata for downstream consumption or historical review.
Vendor Procurement
Procurement teams can evaluate the Liquibase Pro SBOM for license compliance or security risk analysis before approving tool purchases.
Get Started
- If you're already a Liquibase Pro customer, visit our docs to start using SBOMs in your pipelines.
- Not yet using Pro? Request a demo or contact us to learn more.
Engineering team acknowledgement: Thank you to Sayali Mohadikar and Jake Newton on the Liquibase DevOps Team for their work to build the SBOM generation feature for Liquibase Pro.