SBOM.WIKI / SOURCE KNOWN

MATERIALS CABINET · BUILD RECIPE · WIKI FOLIO 01

sbom.wiki

Every build has ingredients. This wiki keeps the labels legible.

openssl@3.2.1 zlib@1.3 left-pad@1.3.0 libxml2@2.12
checksum: 9f5a · 44dc · ae10 · c7b2
license: Apache-2.0 leaf attached
thread: package → source → maintainer → build
CUSTOMS HOUSE

The Crate Manifest

Packages arrive as cargo. Each crate keeps a receipt, a maker’s stamp, and a route across registries.

crate A: runtime flour

name: nginx-ingress-controller

origin: git tag signed at pier 17

maker: release bot with human seal

crate B: parser resin

name: cyclonedx-core-java

route: source → build → registry

seal: source known, checksum matched

wiki margin

An SBOM is not a verdict. It is a legible bill: enough material truth to inspect, compare, and ask better questions.

dependency cascade / pull each drawer

The Nested Drawers

root recipe: frontend-app@8.4.0 asks for router, renderer, parser, and pantry-config.

frontend-app · renderer · dom-patch

http transport opens into compression, redirect policy, certificate bundle, and url spoon.

gzip · ca-bundle · fetch · cookie

crypto packet carries a vermilion assay mark: check update note before shipping.

PRESSED TERMS

The License Herbarium

Licenses become pressed leaves: delicate, colored, and attached to components by string. Compare the leaf before mixing the ingredient.

MIT

permissive mint leaf

Apache-2.0

patent-veined lavender

GPL-3.0

reciprocal red edge

SBOM.WIKI LEDGER

The Revision Ledger

Wiki edits collect like translucent library slips. Nothing vanishes; every ingredient gets a history.

2026-05-03 · checksum frieze corrected after registry reread.
2026-04-27 · maintainer stamp linked to source crate.
2026-04-12 · license leaf moved from unknown to Apache-2.0.
software bill of materials · legible ingredients · shared cabinet