Solving Software Supply Chain Transparency

Open Source tooling for generating, notarizing, linking and validating Software Bills of Materials (SBOM)

What is an SBOM?

A complete, formally structured list of components, libraries, and modules that are required to build a given piece of software and the supply chain relationships between them. Source: NTIA

There are machine-readable, standard formats for SBOMs, like SPDX and CycloneDX. However, an SBOM could be just a spreadsheet or a text document.

Until now, the supply chain relationships between SBOMs have been missing. The SBOM ledger builds on the integrity and authenticity of both the software and its metadata, so that users can verify that SBOM data has not been tampered with since it was registered and that it came from the claimed source.


Generate your SBOM now

Using our public API you can generate your own SBOM for free, safely and anonymously. Just download a CLI or the Audit Workbench (builds for macOS and Linux, source on GitHub) and compare your code against the millions of OSS components in our knowledgebase to identify the open source you depend on, down to small copied snippets.

Repository URLs indexed
  • github.com 59,649,105
  • npmjs.org 35,295,014
  • stackoverflow.com 28,793,907
  • maven.org 24,441,233
  • fedoraproject.org 12,582,055
  • debian.org 10,637,881
  • pythonhosted.org 9,871,721
  • rpmfind.net 9,070,167
  • nuget.org 7,468,405
  • sourceforge.net 2,067,833
  • googlesource.com 1,844,873
  • bitbucket.org 1,769,859
  • gnome.org 1,441,884
  • rubygems.org 1,434,677
  • gitee.com 885,844
  • gitlab.com 552,760
  • java2s.com 499,518
  • spring.io 419,554
  • drupal.org 348,719
  • apache.org 178,032
  • cpan.org 158,119
  • opensuse.org 80,581
  • kernel.org 78,410
  • launchpad.net 70,142
  • eclipse.org 58,795
  • nasm.us 33,857
  • gnu.org 33,351
  • angularjs.org 27,721
  • videolan.org 21,102
  • nodejs.org 11,859
  • unity.com 9,749
  • centos.org 9,666
  • apple.com 7,499
  • rpmfusion.org 7,029
  • isc.org 6,106
  • nmap.org 1,975
  • postgresql 1,405
  • mozilla.org 1,020
  • jquery.com 473
  • sudo.ws 98
  • slf4j.org 88
  • zlib.net 71
  • script.aculo.us 30

Introducing

  • The decentralized SBOM Ledger

    Blockchain technologies provide a foundation for meeting the technical and ethical challenges of establishing trust and information perpetuity. However, access to them is difficult for corporations, since writing to a public chain typically means holding and spending cryptocurrency.

    The Software Transparency Foundation aims to create the first decentralized SBOM ledger, which connects and validates SBOMs regardless of their format. SPDX, CycloneDX and even Excel or CSV files can be interconnected and validated, enabling traceability across the supply chain tree.

  • Abstraction layer for Blockchain registration

    The Software Transparency Foundation proposes to solve the issue of Blockchain transaction fees by providing a set of Open Source tools that allow registration of SBOM metadata, validation of declared software integrity, and traceability of preceding SBOMs.

  • License Compliance and Cybersecurity

    President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021) adds momentum to the SBOM movement by specifically requiring “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.

    Perhaps the biggest single challenge to supply-chain transparency and the SBOM model is the abundance of open 'standards'. Each is intended to reduce redundant work in the supply chain by providing common processes and formats through which organizations and communities share important data, thereby streamlining and improving compliance, security, and dependability; but an SBOM in one format cannot be linked to, or checked against, an SBOM in another.

    With the proposal of the decentralized SBOM Ledger, we propose to bridge this gap by enabling format-agnostic SBOM connectivity.
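As an added example (not code from the Software Transparency Foundation's tooling), the following Python sketches the mechanics behind the registration, validation and traceability described above. A constructed CycloneDX JSON SBOM and a constructed CSV SBOM are both reduced to canonical bytes and hashed, which is what makes the ledger format-agnostic; each notarization record carries the SBOM's digest, the digest of the preceding record, and a notary tag over both; validation checks the component hashes declared in the CycloneDX document against the artifact bytes, then walks the chain checking tags, links and digests. The notary key, the record layout and the sample documents are assumptions; the HMAC tag stands in for the public-key signature a real notary would use.

```python
"""Content-addressed SBOM notarization with chained records (added example)."""
import hashlib
import hmac
import json

# Constructed sample artifact and a minimal CycloneDX 1.4 JSON SBOM describing it.
ARTIFACT = b"print('hello from example-lib')\n"
CYCLONEDX_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library",
        "name": "example-lib",
        "version": "1.0.0",
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()}],
    }],
}
# Constructed CSV "SBOM" for the same component: the ledger only ever sees bytes,
# so a spreadsheet export is registered and linked exactly like SPDX or CycloneDX.
CSV_SBOM = (b"name,version,sha256\n"
            b"example-lib,1.0.0," + hashlib.sha256(ARTIFACT).hexdigest().encode() + b"\n")
# Hypothetical notary secret. A real notary would use a public-key signature
# (e.g. Ed25519) so third parties can verify without the secret; HMAC is used
# here only because it is in the standard library.
NOTARY_KEY = b"example-notary-key"

def canonical_bytes(doc):
    """Bytes pass through unchanged; JSON documents are serialised with sorted keys
    and no whitespace so that equivalent documents produce the same digest."""
    if isinstance(doc, (bytes, bytearray)):
        return bytes(doc)
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sbom_digest(sbom):
    return hashlib.sha256(canonical_bytes(sbom)).hexdigest()

def verify_declared_hashes(cdx_sbom, artifacts):
    """Check each CycloneDX component's declared SHA-256 against the artifact bytes
    in `artifacts` (name -> bytes). Returns the names whose hash is missing or wrong."""
    bad = []
    for comp in cdx_sbom.get("components", []):
        declared = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        data = artifacts.get(comp["name"])
        if data is None or declared.get("SHA-256") != hashlib.sha256(data).hexdigest():
            bad.append(comp["name"])
    return bad

def record_body(record):
    """Everything in a ledger record except the notary tag, canonicalised."""
    return canonical_bytes({k: v for k, v in record.items() if k != "tag"})

def record_digest(record):
    return hashlib.sha256(record_body(record)).hexdigest()

def notarize(sbom, fmt, prev_record=None):
    """Create a ledger record: the SBOM's content digest, the digest of the
    preceding record (traceability), and a notary tag binding both together."""
    record = {
        "format": fmt,
        "sbom_sha256": sbom_digest(sbom),
        "prev": record_digest(prev_record) if prev_record else None,
    }
    record["tag"] = hmac.new(NOTARY_KEY, record_body(record), hashlib.sha256).hexdigest()
    return record

def validate_chain(records, sboms):
    """Walk records oldest-first alongside the SBOM documents they claim to cover.
    Every record must carry a valid notary tag, link to the digest of its
    predecessor, and match the digest of its SBOM. Returns (ok, reason)."""
    if len(records) != len(sboms):
        return False, "record/SBOM count mismatch"
    prev_digest = None
    for i, (record, sbom) in enumerate(zip(records, sboms)):
        expected = hmac.new(NOTARY_KEY, record_body(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return False, f"record {i}: bad notary tag"
        if record.get("prev") != prev_digest:
            return False, f"record {i}: broken link to preceding record"
        if record["sbom_sha256"] != sbom_digest(sbom):
            return False, f"record {i}: SBOM content does not match registered digest"
        prev_digest = record_digest(record)
    return True, "chain valid"

if __name__ == "__main__":
    print("declared hashes wrong for:", verify_declared_hashes(CYCLONEDX_SBOM, {"example-lib": ARTIFACT}))
    first = notarize(CYCLONEDX_SBOM, "CycloneDX")
    second = notarize(CSV_SBOM, "CSV", prev_record=first)
    print(validate_chain([first, second], [CYCLONEDX_SBOM, CSV_SBOM]))
    # Editing the CSV after registration breaks its digest and the chain fails.
    print(validate_chain([first, second], [CYCLONEDX_SBOM, CSV_SBOM + b"evil-lib,9.9.9,00\n"]))
```

Because the tag covers the `prev` field, a record cannot be re-pointed at a different predecessor without the notary key, which is what gives the chain its traceability guarantee; with a public-key signature in place of the HMAC, anyone holding the notary's public key could run the same validation.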

The first Open Source SBOM ledger

  • Generate SBOM

    Open Source tooling to generate a standardized Software Bill of Materials

  • Notarize SBOM

    Tooling to notarize your Software Bill of Materials for external distribution

  • Relate SBOM

    Open Source tooling to link an SBOM to the SBOMs that precede it in the supply chain tree, regardless of their format

  • Validate SBOM

    Open Source tooling to validate a notarized SBOM: the integrity of the software it declares and its links to preceding SBOMs