Solving Software Supply Chain Transparency

Open Source tooling for generating, notarizing, linking and validating Software Bills of Materials (SBOM)

What is an SBOM?

A complete, formally structured list of components, libraries, and modules that are required to build a given piece of software and the supply chain relationships between them. Source: NTIA

There are machine-readable, standard formats for SBOMs, like SPDX and CycloneDX. However, an SBOM could be just a spreadsheet or a text document.

The supply chain relationships between SBOMs were, up until now, missing. The SBOM ledger leverages software and metadata integrity and authenticity, allowing users to verify that the source of the SBOM data was not tampered with.

Generate your SBOM now

Using our public API you can generate your own SBOM for free, safely and anonymously. Just download a CLI or the Audit Workbench ( ) and compare your code against the millions of OSS components in our knowledgebase to identify even small snippets.

Repository

URLs indexed

github.com

93,671,523

npmjs.org

49,522,742

maven.org

32,732,610

stackoverflow.com

28,793,907

debian.org

25,206,487

pythonhosted.org

16,435,936

fedoraproject.org

12,582,055

nuget.org

10,847,773

rpmfind.net

9,070,167

sourceforge.net

2,708,944

googlesource.com

2,480,340

bitbucket.org

1,986,870

rubygems.org

1,659,127

gnome.org

1,453,826

gitee.com

1,064,802

gitlab.com

779,861

java2s.com

499,518

spring.io

419,554

cpan.org

394,675

drupal.org

348,719

codeplex.com

288,341

apache.org

219,181

clojars.org

206,125

haskell.org

128,455

eclipse.org

99,951

opensuse.org

80,581

kernel.org

78,820

launchpad.net

72,898

gnu.org

36,183

nasm.us

33,858

invent.kde.org

32,670

angularjs.org

27,721

pagure.io

23,048

maven.google.com

21,760

videolan.org

21,102

code.qt.io

15,820

nodejs.org

11,859

unity.com

10,754

centos.org

9,666

apple.com

7,499

rpmfusion.org

7,029

sourceware.org

6,681

isc.org

6,106

trustedfirmware.org

2,532

nmap.org

1,975

postgresql

1,405

gitcode.com

1,148

yoctoproject.org

1,064

mozilla.org

1,021

storage.googleapis.com

545

jquery.com

473

netfilter.org

400

vcgit.hhi.fraunhofer.de

148

gitlab.freedesktop.org

133

mercurial-scm.org

127

busybox.net

107

sudo.ws

slf4j.org

zlib.net

svn.code.sf.net

libssh.org

script.aculo.us

java.sun.com

INTRODUCING

The decentralized SBOM Ledger

Blockchain technologies provide a foundation to meet the technical and ethical challenges of establishing trust and information perpetuity. However, access to Blockchain technologies is difficult for corporations since they involve the use of cryptocurrencies.

The Software Transparency Foundation aims at creating the first decentralized SBOM ledger which connects and validates SBOMs regardless of their format. SPDX, CycloneDX and even Excel or CSV files can be interconnected and validating, enabling traceability across the supply chain tree.

Abstraction layer for Blockchain registration

Software Transparency Foundation proposes to solve the issue of Blockchain transaction fees, by providing a set of Open Source tools that allow registration of SBOM metadata, validation of declared software integrity, and traceability of preceding SBOMs.

License Compliance and Cybersecurity

President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021) adds momentum to the SBOM movement by specifically requiring “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.

Perhaps the biggest single challenge to supply-chain transparency and the SBOM model is the abundance of open ‘standards’ intended to reduce redundant work in the supply-chain by providing common processes and formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

With the proposal of the decentralized SBOM Ledger, we propose to bridge this gap by enabling format-agnostic SBOM connectivity.