folio 01 / origin

software bill of materials field institute

sbom.study

A public wall for tracing packages, hashes, licenses, maintainers, and the roots beneath every artifact.

KNOW THE ROOTS
OBSERVED

Inventory is not a spreadsheet. It is a provenance specimen, pinned while the ink is still drying.

dependency herbarium

Every component becomes a specimen with a label tied to its stem.

leaf-parser

Maintainer, version, checksum, and license pinned together before the artifact leaves the greenhouse.

SIGNED v4.7.2

ring-compiler

Release rings expose when a build was cut, rebuilt, patched, and preserved.

REBUILT hash: 3d0c

seed-hash

Seed pods carry digest fragments so future inspectors can verify the same living code.

TRACE MIT
TRACE
source

Origin is a place, not a rumor.

Repository, commit, signer, and declared intent are gathered before the build begins.

build

The process leaves rings.

Tools, environments, and generated artifacts are annotated like cuts through a trunk.

artifact

The delivered bundle carries its roots.

The SBOM connects what shipped to what was observed, signed, and preserved.

risk greenhouse

Unknown components grow fastest in the dark.

Vulnerable versions, missing maintainers, unverifiable hashes, and absent licenses are marked with rust halos so the living inventory can be cut back before it climbs the wall.

UNKNOWN
seal fractured
  • missing hash: digest not preserved
  • invasive version: CVE branch exceeds label
  • license fog: leaf collected without terms
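The halos above can be drawn mechanically from the inventory itself. The following is an added example written for this page, not tooling from sbom.study: it walks a constructed CycloneDX-style SBOM (standard field names: components, hashes, licenses, supplier), recomputes each recorded SHA-256 against the bytes that actually shipped, and marks a component whenever its hash is missing or unverifiable, its license or maintainer is absent, or its version sits on an advisory list. The component names, versions, artifact bytes and the advisory list are all constructed for the example; none of them are real CVE data.

```python
"""Added example for sbom.study: mark the risk-greenhouse halos on an SBOM.

Illustrative code written for this page, not the institute's own tooling.
Assumes a CycloneDX-style JSON layout (components[], hashes[], licenses[],
supplier) and a constructed advisory list; no real CVE data is involved.
"""
from __future__ import annotations

import hashlib
import json

# Constructed artifact bytes standing in for the delivered packages.
LEAF_PARSER_BLOB = b"leaf-parser 4.7.2 release bundle"
RING_COMPILER_BLOB = b"ring-compiler rebuilt bundle"

# Constructed advisory list: component name -> versions known to be affected.
# Hypothetical versions chosen for the example, not real advisory data.
KNOWN_VULNERABLE = {"seed-hash": {"1.0.0", "1.0.1"}}


def sha256_hex(data: bytes) -> str:
    """Digest of the delivered bytes, the value a label must match."""
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM. leaf-parser is fully labelled; ring-compiler was rebuilt
# and its recorded digest no longer matches the bytes that shipped; seed-hash
# carries no hash, no license and no supplier, and sits on an affected version.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "leaf-parser", "version": "4.7.2",
         "supplier": {"name": "Leaf Maintainers"},
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(LEAF_PARSER_BLOB)}]},
        {"type": "library", "name": "ring-compiler", "version": "2.3.0",
         "supplier": {"name": "Ring Works"},
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "3d0c" + "0" * 60}]},
        {"type": "library", "name": "seed-hash", "version": "1.0.1"},
    ],
}

# The bytes that were actually delivered, keyed by component name.
DELIVERED = {"leaf-parser": LEAF_PARSER_BLOB, "ring-compiler": RING_COMPILER_BLOB}


def audit_component(comp: dict, delivered: dict, vulnerable: dict) -> list[str]:
    """Return the halos for one component; an empty list means fully labelled."""
    halos: list[str] = []
    name, version = comp.get("name", "?"), comp.get("version", "")

    # Hash: must be recorded, and must match what shipped.
    hashes = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])
              if "alg" in h and "content" in h}
    if "SHA-256" not in hashes:
        halos.append("missing hash: digest not preserved")
    elif name not in delivered:
        halos.append("unverifiable hash: no delivered bytes to recompute")
    elif sha256_hex(delivered[name]) != hashes["SHA-256"]:
        halos.append("unverifiable hash: delivered bytes do not match digest")

    # Version: compare against the advisory list.
    if version in vulnerable.get(name, set()):
        halos.append(f"vulnerable version: {version} is on the advisory list")

    # Maintainer: CycloneDX records this as supplier or author.
    if not comp.get("supplier", {}).get("name") and not comp.get("author"):
        halos.append("missing maintainer: no supplier or author recorded")

    # License: an id, a name or an SPDX expression all count as declared terms.
    declared = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
                or lic.get("expression") for lic in comp.get("licenses", [])]
    if not any(declared):
        halos.append("absent license: collected without terms")
    return halos


def audit_sbom(sbom: dict, delivered: dict, vulnerable: dict) -> dict[str, list[str]]:
    """Map each component name to its halos."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c.get("name", "?"): audit_component(c, delivered, vulnerable)
            for c in sbom.get("components", [])}


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SBOM, DELIVERED, KNOWN_VULNERABLE), indent=2))
```

The point of recomputing the digest from the delivered bytes, rather than trusting the label, is that a rebuilt package with a stale hash looks identical to an untouched one until something compares the two; the audit treats "no bytes to compare against" as its own halo instead of passing the component silently.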

study ledger

Principles for a supply chain that can be read in public.

01

Inventory

Collect every component as evidence, not decoration.

02

Verify

Bind source, build, hash, and signer until the chain can be retraced.

03

Preserve

Keep the label with the specimen after the release leaves the shelf.

04

Disclose

Mark uncertainty plainly so repair can begin in daylight.

VERIFY