Software Bill of Materials

A Contemplative Archive of Dependencies,
Licenses & Vulnerabilities

Est. MMXXVI sbom.study

Catalogued with care
in the manner of
the old herbaria

What is an SBOM?

Definition

A Software Bill of Materials is a formal, machine-readable inventory of all components, libraries, and modules that comprise a given piece of software — a nested ledger of provenance.

§ I

Purpose

Like a botanist pressing specimens for future study, an SBOM preserves the genealogy of code — enabling vulnerability tracking, license compliance, and supply chain transparency.

§ II

Formats

SPDX, CycloneDX, and SWID tags form the primary taxonomic systems, the three formats named in the NTIA's 2021 minimum elements for an SBOM: each a different notation for cataloguing the same underlying components, their versions, and the dependency relationships between them.

§ III

cf. Executive Order 14028
(May 2021)

The Dependency Tree

[Dependency tree diagram: application at the root; nodes lib-auth, lib-crypto, lib-http, oauth2, jwt, openssl, rand, tls, dns, libz, libc]

Every branch a dependency; every leaf a potential vulnerability.

Transitive dependencies
often exceed direct
dependencies by 10×

The Vulnerability Ledger

CVE             Severity  Component        Status
CVE-2024-0001   Critical  openssl@3.0.1    Unpatched
CVE-2024-0042   High      lib-auth@2.1.0   Patched
CVE-2023-8821   Medium    dns@1.4.2        Mitigated
CVE-2023-5590   Low       jwt@0.9.8        Accepted

Each entry a pressed specimen of risk — catalogued, cross-referenced, awaiting remediation.
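The three sections above (a machine-readable format, a dependency tree whose leaves are mostly transitive, and a ledger of advisories) come together in the one operation an SBOM exists for: walking the tree and joining it to the ledger. The example below is added here and is not tooling from sbom.study. It builds a constructed CycloneDX 1.5 JSON document from the node names in the page's tree; the edges between those nodes, the `pkg:generic` purl namespace, and every version other than the four that appear in the ledger are assumptions, and the CVE identifiers are the page's own illustrative ones. It then computes the direct and transitive sets from the `dependencies` array, cross-references the ledger by exact purl, and reports the path by which each vulnerable component was pulled in.

```python
"""Walk a CycloneDX SBOM and cross-reference it against a vulnerability ledger.

Added example, not sbom.study tooling. The SBOM is constructed: node names come
from the page's tree, edges and most versions are assumed, and matching is by
exact purl (a real pipeline would match name plus affected version range).
"""
import json
from collections import deque


def _ref(name, version):
    # purl doubles as the bom-ref, a common CycloneDX convention
    return f"pkg:generic/{name}@{version}"


_VERSIONS = {  # only lib-auth, jwt, openssl and dns versions are from the page
    "application": "1.0.0", "lib-auth": "2.1.0", "lib-crypto": "1.7.3",
    "lib-http": "4.2.0", "oauth2": "2.0.5", "jwt": "0.9.8", "openssl": "3.0.1",
    "rand": "0.8.5", "tls": "1.3.2", "dns": "1.4.2", "libz": "1.2.13", "libc": "2.38",
}
_EDGES = {  # assumed edges; jwt, openssl and libc are deliberately reached twice
    "application": ["lib-auth", "lib-crypto", "lib-http"],
    "lib-auth": ["oauth2", "jwt"], "lib-crypto": ["openssl", "rand"],
    "lib-http": ["tls", "dns", "libz"], "oauth2": ["jwt"], "tls": ["openssl"],
    "openssl": ["libc"], "dns": ["libc"], "libz": ["libc"],
}
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "application",
                               "version": _VERSIONS["application"],
                               "bom-ref": _ref("application", _VERSIONS["application"])}},
    "components": [{"type": "library", "name": n, "version": v, "purl": _ref(n, v),
                    "bom-ref": _ref(n, v)} for n, v in _VERSIONS.items() if n != "application"],
    "dependencies": [{"ref": _ref(n, _VERSIONS[n]),
                      "dependsOn": [_ref(d, _VERSIONS[d]) for d in deps]}
                     for n, deps in _EDGES.items()],
})

# The page's ledger, keyed by purl (illustrative CVE IDs as printed on the page).
LEDGER = [
    {"cve": "CVE-2024-0001", "severity": "Critical", "purl": _ref("openssl", "3.0.1"), "status": "Unpatched"},
    {"cve": "CVE-2024-0042", "severity": "High", "purl": _ref("lib-auth", "2.1.0"), "status": "Patched"},
    {"cve": "CVE-2023-8821", "severity": "Medium", "purl": _ref("dns", "1.4.2"), "status": "Mitigated"},
    {"cve": "CVE-2023-5590", "severity": "Low", "purl": _ref("jwt", "0.9.8"), "status": "Accepted"},
]


def load_sbom(text):
    """Parse CycloneDX JSON; reject anything that does not declare itself as such."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX BOM")
    return bom


def dependency_graph(bom):
    """Adjacency list keyed by bom-ref, built from the 'dependencies' array."""
    graph = {c["bom-ref"]: set() for c in bom.get("components", [])}
    graph.setdefault(bom["metadata"]["component"]["bom-ref"], set())
    for entry in bom.get("dependencies", []):
        graph.setdefault(entry["ref"], set()).update(entry.get("dependsOn", []))
    return graph


def reachability(bom):
    """BFS from the root component: {ref: (depth, parent)}.

    The visited map stops diamonds (libc via openssl, dns and libz) and any
    cycle from being walked twice; BFS means depth is the shortest path.
    """
    graph = dependency_graph(bom)
    root = bom["metadata"]["component"]["bom-ref"]
    seen, queue = {root: (0, None)}, deque([root])
    while queue:
        node = queue.popleft()
        for child in sorted(graph.get(node, ())):
            if child not in seen:
                seen[child] = (seen[node][0] + 1, node)
                queue.append(child)
    return seen


def direct_and_transitive(bom):
    """Direct dependencies sit at depth 1; everything deeper is transitive."""
    seen = reachability(bom)
    return ({r for r, (d, _) in seen.items() if d == 1},
            {r for r, (d, _) in seen.items() if d >= 2})


def path_to(seen, ref):
    """One root-to-component path, reconstructed from BFS parents, as name@version."""
    path = []
    while ref is not None:
        path.append(ref.rsplit("/", 1)[1])
        ref = seen[ref][1]
    return path[::-1]


def cross_reference(bom, ledger):
    """Join ledger entries to the SBOM; a purl absent from the SBOM is reported
    with depth None rather than silently dropped, so stale ledger rows show up."""
    seen = reachability(bom)
    return [{**e, "depth": seen[e["purl"]][0], "path": path_to(seen, e["purl"])}
            if e["purl"] in seen else {**e, "depth": None, "path": None}
            for e in ledger]


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    direct, transitive = direct_and_transitive(bom)
    print(f"{len(direct)} direct, {len(transitive)} transitive")
    for row in cross_reference(bom, LEDGER):
        where = " -> ".join(row["path"]) if row["path"] else "not present in SBOM"
        print(f"{row['cve']:<14} {row['severity']:<8} {row['status']:<10} {where}")
```

With the assumed edges the walk yields 3 direct and 8 transitive components, and the Critical openssl entry is shown to arrive two levels down via lib-crypto, which is the information a remediation ticket needs and the flat ledger alone does not carry.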

The average application
inherits 317 transitive
dependencies

Colophon

This archive was assembled in the spirit of careful scholarship — a reminder that every line of code we ship carries with it a lineage of dependencies, each with its own story of creation, maintenance, and eventual decay.

To study one's SBOM is to know one's software as the botanist knows the forest: not merely by the canopy, but by the roots, the mycelia, the invisible networks that sustain and sometimes poison the whole.

sbom.study