Think of the SBOM as a "table of contents" for the software you are receiving. Another metaphors that has been used is the "nutrition label" that you get in all packaged food.

So, it's a list of the "software components" that are inside a piece of software. And then you add metadata about each of these components: what's its name? its version? its hash? Up to now we're in lockfile territory.

But you want more information: what is the license? who supplied it? what is the security status? does it have known CVEs? are they relevant?

And then you go to special cases, like "AI" software: oh, it's a model? how was it trained? on which data? Or like software that has to be certified, to be used when safety is important.

An SBOM is capable of providing all this information. Take a look at the different parts that SPDX provides, and it's an ever expanding area.

In many cases the lock files are for one part of the stack. Like npm and composer and $other_lang thing. sBOM is when all are together and version-pinned. (I've over simplified).

Edit: for my domain we have Alpine, Debian, PHP, JS, Go in the stack. So our BOM has all that (and dependencies). It's a big list. Some is just necessary base (Alpine, Debian) but some are core stack and other are edge (dependency on python lib when we're mostly Rust (or something)).

Mirror/Vendor all these things for supply-chain integrity (it's what they tell me)

SBOMs are a solution intended to help solve a couple of problems:

1) help identify and remediate software that has been built with vulnerable packages (think log4j).

2) help protect against supply chain compromise as the SBOM contains hashes that allow packages to be verified

Software licensing information is the big use case where SPDX originated from.

In CycloneDX you can also express things like attestations/certifications, possibly down to the code review level (although I think nobody does that).

> what is it that SBOM is used for that lockfiles aren’t?

Compliance. The article mentions "the EU’s Cyber Resilience Act will push vendors toward providing SBOMs", and having package managers generate SBOMs directly would certainly be convenient for that.