after-hours institute · software supply chain anatomy

sbom.study

A lamplit lesson in reading the bill of materials beneath a release: component by component, thread by thread, clue by clue.

artifact: release.tar sha256: 7f2e9c91b4a0
  • Component Ledger: pkg:npm/source-map@0.7.4 (declared)
  • Provenance Map: git+ssh://build/attestation (observed)
  • License Margins: SPDX: Apache-2.0 OR MIT (declared)
  • Vulnerability Pinboard: CVE-2026-0142 (unknown)
  • Release Ledger: v4.18.2 → v4.18.3 (resolved)
Plate I

Component Ledger

root application

pkg:oci/registry/sbom.study/app@4.18.2

Start with what is shipped, then separate direct dependencies from the quiet transitive family beneath them.

pkg:npm/parser-core@2.9.1?integrity=sha512

Hover a component: the vellum lifts, the purl tag appears, and teal threads mark descendants that would otherwise remain hidden in the crate.

Plate II

Provenance Map

builder attested
SLSA provenance links source commit, build worker, and digest into one inspectable thread.
Plate III

License Margins

SPDXRef-Package-parser-core

Apache-2.0

Notice retained. Patent grant recorded. Obligation is not a blocker; it is a margin note that must travel with the release.

  1. MIT license text bundled
  2. dual expression reviewed
  3. generated code excluded
  4. notice file folded into dossier
Plate IV

Vulnerability Pinboard

CVE spores glow only when context says they matter.
patch needle ready
Plate V

Release Ledger

SBOM dossier

bomFormat: CycloneDX · specVersion: 1.6
  • components reconciled with purl addresses
  • provenance thread attached to source digest
  • licenses folded into release notes
  • vulnerability spores marked resolved or unknown
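As an added example (not part of the lesson or the sbom.study site), a small Python audit that runs the dossier checklist above over a constructed CycloneDX 1.6 document. It assumes the provenance thread is carried as a SHA-256 hash plus a `vcs` external reference on the root component, and treats any vulnerability without a closed CycloneDX analysis state as unknown.

```python
import json
from typing import Dict, List

# Constructed CycloneDX 1.6 dossier; the SHA-256 content below is a placeholder.
DOSSIER = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": {
        "type": "container", "name": "app", "version": "4.18.2",
        "purl": "pkg:oci/registry/sbom.study/app@4.18.2",
        "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
        "externalReferences": [{"type": "vcs", "url": "git+ssh://build/attestation"}]}},
    "components": [
        {"type": "library", "name": "parser-core", "version": "2.9.1",
         "bom-ref": "pkg:npm/parser-core@2.9.1", "purl": "pkg:npm/parser-core@2.9.1",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        # transitive entry with no purl and no license: the quiet family member
        {"type": "library", "name": "source-map", "version": "0.7.4",
         "bom-ref": "pkg:npm/source-map@0.7.4"}],
    "vulnerabilities": [  # no "analysis" block: the pinboard cannot yet say it matters
        {"id": "CVE-2026-0142", "affects": [{"ref": "pkg:npm/source-map@0.7.4"}]}]})

# CycloneDX analysis states that close a finding; anything else still needs review
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}


def audit_dossier(raw: str) -> Dict[str, List[str]]:
    """Run the Plate V checklist over a CycloneDX JSON string; one finding list per check."""
    bom = json.loads(raw)
    findings: Dict[str, List[str]] = {"purl": [], "provenance": [], "license": [], "vuln": []}
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        findings["purl"].append("not a CycloneDX 1.6 document")
    for comp in bom.get("components", []):            # every shipped component
        ref = comp.get("bom-ref") or comp.get("name", "?")
        if not comp.get("purl", "").startswith("pkg:"):
            findings["purl"].append(f"{ref}: no purl address")
        if not comp.get("licenses"):
            findings["license"].append(f"{ref}: no license recorded")
    root = bom.get("metadata", {}).get("component", {})   # the root application
    algs = {h.get("alg") for h in root.get("hashes", [])}
    vcs = [r for r in root.get("externalReferences", []) if r.get("type") == "vcs"]
    if "SHA-256" not in algs or not vcs:
        findings["provenance"].append("root component lacks a SHA-256 digest or vcs reference")
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state") or "unknown"
        if state not in CLOSED_STATES:                 # unknown or still open
            findings["vuln"].append(f"{vuln.get('id')}: {state}, needs review")
    return findings
```

Run `audit_dossier(DOSSIER)`: the untagged transitive component and the untriaged CVE surface as findings while the root's provenance passes.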