Bill of Materials Conservatory
origin

Where the seed arrived

Publisher, repository, build route, and provenance root labels are pinned before the component grows.

license

How the petals may be shared

License tags fold beside packages so policy reads like marginalia, not a warning siren.

integrity

Hashes pressed into roots

Checksums and attestations become engraved labels tied directly to the specimen they describe.

lifecycle

Care notes over seasons

Versions, patches, and end-of-life dates become a tending calendar for the whole dependency bed.

living wiki entry 01

Software bills of materials, mapped like a garden.

Follow packages from origin to license, from hashes to lifecycle notes. Each dependency becomes a labeled specimen with roots you can inspect.

01 / Identify the Seed

Every component starts with a name, version, and source.

An SBOM gives the first specimen label: package identity, supplier, file paths, and the ecosystem where it took root. The label is small, but it prevents a dependency from becoming folklore.

identity card

purl: pkg:npm/garden-parser@4.8.2
supplier: Greenhouse Maintainers
origin: registry + signed build
02 / Trace the Vine

Dependencies are trails, not piles.

Direct and transitive relationships curve through the SBOM like stems across a trellis. Walking the trail shows which package introduced what, where a version branches, and which roots support the canopy.

runtime vine

app → garden-parser → yaml-leaf → unicode-soil

03 / Read the Petals

Metadata is the bloom around the package.

Licenses, hashes, vulnerability notes, and attestations are not scattered appendices. They are petals around the same specimen, giving maintainers the context to decide with care.

SPDX: Apache-2.0
Hash: sha256:7f4…
Attestation: signed
Advisory: watched
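As an added example (not the wiki's own code), here is how the vine in 02 and the petals in 03 can be walked programmatically: a constructed CycloneDX-style fragment is searched for the trail that introduced a transitive package, and a component's engraved SHA-256 label is compared with the bytes actually fetched. The purl, supplier and license follow the page; the bom-refs and versions for yaml-leaf and unicode-soil, and the artifact bytes, are assumptions made for the example.

```python
import hashlib
from collections import deque
# Constructed SBOM fragment in CycloneDX JSON shape (components + dependencies).
# purl, supplier and license come from the page; other refs/versions are made up.
ARTIFACT = b"constructed garden-parser-4.8.2.tgz bytes"
GP = "pkg:npm/garden-parser@4.8.2"
YL = "pkg:npm/yaml-leaf@1.0.0"  # assumed version
US = "pkg:npm/unicode-soil@2.3.1"  # assumed version
SBOM = {
    "components": [
        {"bom-ref": GP, "purl": GP, "supplier": {"name": "Greenhouse Maintainers"},
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()}]},
        {"bom-ref": YL, "purl": YL},
        {"bom-ref": US, "purl": US},
    ],
    "dependencies": [  # the runtime vine: app -> garden-parser -> yaml-leaf -> unicode-soil
        {"ref": "app", "dependsOn": [GP]},
        {"ref": GP, "dependsOn": [YL]},
        {"ref": YL, "dependsOn": [US]},
        {"ref": US, "dependsOn": []},
    ],
}

def trail_to(sbom, root, target):
    """Shortest chain of refs from root to target (breadth-first), or None."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    queue, seen = deque([[root]]), {root}
    while queue:
        trail = queue.popleft()
        if trail[-1] == target:
            return trail
        for child in graph.get(trail[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(trail + [child])
    return None  # target is not rooted anywhere under this root

def introduced_by(sbom, root, target):
    """Which direct dependency of root pulled target into the bed."""
    trail = trail_to(sbom, root, target)
    return trail[1] if trail and len(trail) > 1 else None

def hash_matches(sbom, purl, artifact):
    """Compare the engraved SHA-256 label against the bytes actually fetched."""
    for comp in sbom["components"]:
        if comp.get("purl") == purl:
            labels = [h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
            return bool(labels) and hashlib.sha256(artifact).hexdigest() in labels
    return False  # unknown specimen, or one with no hash label: treat as unverified
```

A component without a hash label is reported as unverified rather than trusted, which is the conservative reading of a missing petal.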
04 / Tend the Garden

An SBOM stays useful when it is tended.

Refresh inventories as builds change, acknowledge amber beetles without panic, and keep provenance roots visible. The wiki becomes a living care guide for software supply chains.

sprout: generate at build (cyclonedx / spdx)
prune: review version drift (monthly)
water: renew attestations (release day)

Pressed-flower glossary

SBOM
A structured inventory of software components and their relationships.
Provenance
The source and build history that explains where a component came from.
Attestation
A signed statement that confirms how an artifact was produced.