Midnight municipal archive

sbom.wiki

A public atlas where every software component becomes a luminous building, every version becomes an address, and every dependency route is filed in civic blue glass.

pkg:openssl

spdx:MIT

hash:8f34

v1.4.2

origin:repo

known

component.name: luminous-ledger
supplier: archive-district
license: Apache-2.0
checksum: sha256-bfeaff
status: traceable

01

The Component Avenues

A component becomes a building.

Dependency stacks rise as translucent cuboids, with illuminated windows for package names, versions, hashes, suppliers, and relationships. The city plan turns an inventory into a navigable street grid.

avenue://runtimenode-fetch · 3.3.2

bridge://transitivewhatwg-url · known

tower://cryptoopenssl · provenance stamped

SPDX

PURL

CPE

02

The License Arcade

A license becomes a marquee.

Rights, notices, obligations, and exceptions hang like brass-framed arcade signs. Each record is a civic placard, readable at street level and traceable back to source.

MITpermissive · notice filed

Apache-2.0patent grant · indexed

BSD-3redistribution · known

KNOWNTRACEABLEUPDATED

SPDX-License-Identifier: Apache-2.0

Notice: archived · attribution: intact · exception: none

Recorded in the porcelain-blue registry at 02: license arcade.

03

The Vulnerability Fog

A vulnerability becomes weather.

Risk drifts through alleys as coral mist until searchlights connect advisories to affected components. The archive does not panic; it classifies, illuminates, and updates.

CVE-weather / swept by dependency searchlight / affected address marked

04

The Provenance Observatory

Provenance becomes a skyline.

From supplier to build to release, the route is projected across the observatory dome. SBOM knowledge is not a list; it is a city with memory, addresses, and civic records.

origin → build → attest → release → update

[1] source repository [2] build attestation [3] package checksum [4] registry update