software bill of materials
What is your software made of?
Open the package like a quiet specimen. An SBOM names the components, versions, origins, and small obligations folded inside the thing you ship.
what is inside?
A bill of ingredients, not a wall of noise.
Hover a row and the ledger whispers what it means.
where did it come from?
Provenance is a soft line back to origin.
Registries, maintainers, build systems, and downloaded archives leave traces. The study is not suspicious by default; it is simply interested in how each part arrived.
what changed?
Versions are tracing paper for memory.
added two transitive parts
notice text clarified
registry mirror changed
what is at risk?
A vulnerability signal should be legible, not loud.
Lingonberry marks point to parts that need attention. They do not shout; they help the team ask whether a component is reachable, patched, or safely isolated.
how do we keep studying?
Make review a small habit, not a yearly panic.
Capture the bill during build, while the ingredients are still on the table.
Lay today over yesterday and notice what entered, left, or changed names.
Use the ledger as a shared language between builders, operators, and stewards.
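The three habits above (capture at build, lay today over yesterday, share the result) can be made concrete with a small comparison script. The following is an added example, not code from this page or from any particular SBOM tool. It assumes two snapshots in a minimal CycloneDX-like shape (a list of components, each with a name and a package URL), both constructed inline here, and it treats the purl's repository_url qualifier as the component's origin so that a registry mirror change is reported separately from a version change.

```python
"""Added example: lay today's SBOM over yesterday's and report what moved.

Assumptions (not from the page): each snapshot is a dict with a "components"
list, every component carries a "name" and a package URL in "purl", and the
origin of a component is the purl's repository_url qualifier when present.
The sample snapshots below are constructed for illustration.
"""
import json
import sys

# Constructed sample: yesterday's bill, captured at build time.
YESTERDAY = {
    "components": [
        {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0?repository_url=https://registry.npmjs.org"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.20"},
    ]
}

# Constructed sample: today's bill. Two transitive parts entered, one version
# moved, and left-pad now resolves from an internal mirror.
TODAY = {
    "components": [
        {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0?repository_url=https://mirror.example.internal/npm"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "ms", "purl": "pkg:npm/ms@2.1.3"},
        {"name": "debug", "purl": "pkg:npm/debug@4.3.4"},
    ]
}


def parse_purl(purl):
    """Split a purl into (version-free key, version, qualifiers dict)."""
    base, _, qualifier_text = purl.partition("?")
    head, sep, version = base.rpartition("@")
    if not sep or "/" in version:
        # No "@version" after the name; keep the whole base as the key.
        head, version = base, ""
    qualifiers = dict(q.split("=", 1) for q in qualifier_text.split("&") if "=" in q)
    return head, version, qualifiers


def index(sbom):
    """Key each component by its version-free purl so renames and
    re-pins of the same package line up across snapshots."""
    out = {}
    for component in sbom["components"]:
        key, version, qualifiers = parse_purl(component["purl"])
        out[key] = {
            "name": component["name"],
            "version": version,
            "origin": qualifiers.get("repository_url", ""),
        }
    return out


def diff_sboms(old, new):
    """Return what entered, left, changed version, or changed origin."""
    before, after = index(old), index(new)
    report = {"added": [], "removed": [], "version_changed": [], "origin_changed": []}
    for key in sorted(after.keys() - before.keys()):
        report["added"].append(after[key]["name"])
    for key in sorted(before.keys() - after.keys()):
        report["removed"].append(before[key]["name"])
    for key in sorted(before.keys() & after.keys()):
        b, a = before[key], after[key]
        if b["version"] != a["version"]:
            report["version_changed"].append((a["name"], b["version"], a["version"]))
        if b["origin"] != a["origin"]:
            report["origin_changed"].append((a["name"], b["origin"], a["origin"]))
    return report


def summarize(report):
    """Render the report as short lines a team can read in a review."""
    lines = []
    lines += [f"added: {name}" for name in report["added"]]
    lines += [f"removed: {name}" for name in report["removed"]]
    lines += [f"version: {n} {old} -> {new}" for n, old, new in report["version_changed"]]
    lines += [f"origin: {n} {old or '(none)'} -> {new or '(none)'}" for n, old, new in report["origin_changed"]]
    return lines


if __name__ == "__main__":
    # Usage: python sbom_diff.py yesterday.json today.json  (or no args for the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = YESTERDAY, TODAY
    print("\n".join(summarize(diff_sboms(old, new))))
```

Keying on the version-free purl rather than on the display name is the design choice that matters: it keeps a re-pinned package from appearing as one removal plus one addition, and it lets an origin change surface on its own line, which is the question a team most wants answered when a registry mirror quietly changes.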
bookmark
Software becomes calmer when it becomes readable.
Keep the SBOM close to the work. Let it be a study surface: ingredients named, origins remembered, changes noticed, and responsibility made visible.