sbom.study

the visual guide to software supply chains

A Software Bill of Materials is the ingredient label for your software. It lists every component, library, and dependency that makes your application run -- like a recipe card for digital products. Understanding your SBOM is the first step toward software supply chain transparency.

The Dependency Web

Every modern application is a web of interconnected packages. A single project can have hundreds of direct and transitive dependencies, each a thread in a complex tapestry of shared code.

[Dependency web diagram: root-app at the center, linked to the packages express, react, lodash, axios, webpack, body-parser, qs, react-dom, has, follow-redirects, chalk and tapable.]

By the Numbers

97% of modern codebases contain open source
1,200+ average transitive dependencies per project
84% of codebases have at least one known vulnerability

Key Concepts

direct dependency

A package your project explicitly imports and uses.

transitive dependency

A dependency of your dependency -- the hidden layers.

dependency tree

The full graph of all packages your software relies on.

Reading the Labels

Understanding open source licenses through geometry

MIT License

permissive

The most popular open source license. Do almost anything you want with the code -- just include the original copyright notice. Minimal restrictions, maximum freedom.

Permission is hereby granted, free of charge...

Apache 2.0

permissive

Similar to MIT but with an explicit patent grant. Provides more legal clarity for enterprise use. Requires preservation of copyright and license notices.

Subject to the terms and conditions...

GPL v3

copyleft

The strong copyleft license. Any derivative work must also be released under GPL. Ensures software freedom propagates through the dependency chain.

You must cause any work that you distribute...

BSD 3-Clause

permissive

A permissive license similar to MIT but with a non-endorsement clause. You cannot use the project's name to promote derived products without permission.

Redistribution and use in source and binary forms...

Finding the Cracks

Vulnerability scanning in the dependency landscape

Vulnerability Timeline

2021: CVE-2021-44228 (Log4Shell)
2022: CVE-2022-0778 (OpenSSL)
2023: CVE-2023-44487 (HTTP/2 Rapid Reset)
2024: CVE-2024-3094 (XZ Utils)

Severity Scale

CRITICAL Remote code execution, no authentication needed
HIGH Significant impact, exploit available
MEDIUM Limited impact, requires specific conditions
LOW Minor impact, difficult to exploit

Why It Matters

A single vulnerable transitive dependency can compromise an entire application. SBOMs make it possible to quickly identify which of your projects are affected when a new CVE is disclosed.

log4j-core @2.14.1
→ CRITICAL: CVE-2021-44228
→ FIX: upgrade to 2.17.1+
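As an added illustration (not part of this guide or of any scanner's code), a small Python script that does what the paragraph describes: it reads a CycloneDX SBOM and flags every component whose version is below an advisory's first fixed version. The SBOM document and the advisory record are constructed inline; the log4j-core fix version is the one stated above, and the version comparison is a deliberately simplified stand-in for the full range matching that tools like grype perform.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM fragment (not a real project's SBOM): three
# components, one of them the vulnerable log4j-core version named in the guide.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Constructed advisory record: "fixed" is the first safe version ("upgrade to 2.17.1+");
# every matching component below it is flagged.
ADVISORIES = [
    {"id": "CVE-2021-44228", "severity": "CRITICAL", "fixed": "2.17.1",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@"},
]

def parse_version(v):
    """Map '2.14.1' or '2.17.1-rc1' to a comparable tuple; a pre-release suffix
    sorts below the matching release. Simplified: no full SemVer/Maven ordering."""
    numbers = tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))
    return (numbers, 0 if "-" in v else 1)

def affected_components(sbom_json, advisories):
    """Return (purl, advisory id, severity, fixed) for each component below the fix."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "").split("?")[0]  # drop purl qualifiers such as ?type=jar
        for adv in advisories:
            if not purl.startswith(adv["purl_prefix"]):
                continue
            version = purl[len(adv["purl_prefix"]):]
            if parse_version(version) < parse_version(adv["fixed"]):
                findings.append((purl, adv["id"], adv["severity"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    for purl, cve, severity, fixed in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{purl}\n  -> {severity}: {cve}\n  -> FIX: upgrade to {fixed}+")
```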

The Transparent Future

When every component is understood, the whole becomes clear

The Complete Picture

When every dependency is known, every license is understood, and every vulnerability is tracked -- the supply chain transforms from a mystery into a map.

SBOM Formats

SPDX

The Linux Foundation standard. ISO/IEC 5962:2021. Comprehensive and widely adopted across industries.

CycloneDX

OWASP standard optimized for security use cases. Rich vulnerability and service modeling.

SWID Tags

ISO/IEC 19770-2. XML-based software identification standard used in enterprise asset management.

Getting Started

# Generate an SBOM with Syft and write it to a file (CycloneDX JSON here; spdx-json also works)
syft packages dir:./myproject -o cyclonedx-json > sbom.json

# Scan the SBOM for known vulnerabilities with Grype
grype sbom:./sbom.json

# Collect dependency and license metadata with ORT (the analyzer needs an output directory;
# license policy checks are a later step on the analyzer result)
ort analyze -i ./myproject -o ./ort-results