What is an SBOM?
A complete, formally structured list of the components, libraries, and modules required to build a given piece of software, together with the supply chain relationships between them (source: NTIA).
There are machine-readable, standard formats for SBOMs, like SPDX and CycloneDX. However, an SBOM could be just a spreadsheet or a text document.
Until now, the supply chain relationships between SBOMs have been missing. The SBOM ledger records software and metadata integrity and authenticity, allowing users to verify that the SBOM data was not tampered with at its source.
Generate your SBOM now
Using our public API you can generate your own SBOM for free, safely and anonymously. Just download a CLI or the Audit Workbench and compare your code against the millions of OSS components in our knowledge base to identify even small snippets.
Repository            URLs indexed
github.com            64,700,512
npmjs.org             36,239,327
stackoverflow.com     28,793,907
maven.org             25,526,021
debian.org            12,647,707
fedoraproject.org     12,582,055
pythonhosted.org      10,664,263
rpmfind.net            9,070,167
nuget.org              7,933,790
sourceforge.net        2,067,833
googlesource.com       1,957,007
bitbucket.org          1,790,083
rubygems.org           1,469,858
gnome.org              1,444,572
gitee.com                908,650
gitlab.com               599,348
java2s.com               499,518
spring.io                419,554
drupal.org               348,719
apache.org               178,032
cpan.org                 158,119
opensuse.org              80,581
kernel.org                78,550
launchpad.net             70,402
eclipse.org               69,378
nasm.us                   33,857
gnu.org                   33,351
angularjs.org             27,721
videolan.org              21,102
nodejs.org                11,859
unity.com                 10,045
centos.org                 9,666
apple.com                  7,499
rpmfusion.org              7,029
isc.org                    6,106
nmap.org                   1,975
postgresql                 1,405
mozilla.org                1,020
jquery.com                   473
sudo.ws                       98
slf4j.org                     88
zlib.net                      71
script.aculo.us               30
INTRODUCING
The decentralized SBOM Ledger
Blockchain technologies provide a foundation to meet the technical and ethical challenges of establishing trust and information perpetuity. However, access to Blockchain technologies is difficult for corporations since they involve the use of cryptocurrencies.
The Software Transparency Foundation aims to create the first decentralized SBOM ledger, which connects and validates SBOMs regardless of their format. SPDX, CycloneDX and even Excel or CSV files can be interconnected and validated, enabling traceability across the supply chain tree.
Abstraction layer for Blockchain registration
Software Transparency Foundation proposes to solve the issue of Blockchain transaction fees by providing a set of Open Source tools that allow registration of SBOM metadata, validation of declared software integrity, and traceability of preceding SBOMs.
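As an added illustration (not the Foundation's own code or ledger format), the following Python sketches the three operations named above: registering SBOM metadata as a content digest, validating that a document still matches its registered digest, and tracing the chain of preceding SBOMs. The SBOM documents and supplier names are constructed, and an in-memory dictionary stands in for the Blockchain registration layer.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOMs in two formats: a CycloneDX JSON document and a CSV spreadsheet export.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"name": "zlib", "version": "1.2.13"}],
}, sort_keys=True).encode()
CSV_SBOM = b"name,version\nlibfoo,2.0.1\nzlib,1.2.13\n"


def sbom_digest(raw: bytes) -> str:
    """Content hash of the SBOM bytes; the ledger never needs to parse the format."""
    return hashlib.sha256(raw).hexdigest()


class LedgerEntry:
    """Registered metadata only: the SBOM digest, who registered it, and the upstream SBOM it builds on."""
    def __init__(self, digest: str, supplier: str, predecessor: Optional[str]):
        self.digest, self.supplier, self.predecessor = digest, supplier, predecessor


class Ledger:
    def __init__(self) -> None:
        self.entries: Dict[str, LedgerEntry] = {}  # keyed by SBOM digest

    def register(self, raw: bytes, supplier: str, predecessor: Optional[str] = None) -> LedgerEntry:
        """Record an SBOM's digest and its link to a preceding SBOM, which must itself be registered."""
        if predecessor is not None and predecessor not in self.entries:
            raise ValueError("predecessor SBOM is not registered")
        entry = LedgerEntry(sbom_digest(raw), supplier, predecessor)
        self.entries[entry.digest] = entry
        return entry

    def verify(self, raw: bytes) -> bool:
        """Integrity check: True only if these exact bytes were registered; any edit changes the digest."""
        return sbom_digest(raw) in self.entries

    def lineage(self, raw: bytes) -> List[Tuple[str, str]]:
        """Traceability: walk predecessor links from this SBOM back to the root of the supply chain tree."""
        chain, digest = [], sbom_digest(raw)
        while digest is not None:
            entry = self.entries[digest]
            chain.append((entry.supplier, entry.digest))
            digest = entry.predecessor
        return chain
```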
License Compliance and Cybersecurity
President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021) adds momentum to the SBOM movement by specifically requiring “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.
Perhaps the biggest single challenge to supply-chain transparency and the SBOM model is the abundance of open ‘standards’. Each is intended to reduce redundant work in the supply chain by providing common processes and formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
The decentralized SBOM Ledger aims to bridge this gap by enabling format-agnostic SBOM connectivity.