L0
DIRECT
Declared Dependencies
Packages your manifest names by hand. Visible, version-pinned, owner-known. The smallest set, and the only one most teams ever read.
00
FIELD NOTES — SHEET 00
_
A working archive for software bill of materials — the dependency graph rendered as architecture, audited under shadowless light, drawn to engineering scale.
- SCOPE
- SUPPLY-CHAIN GRAPHS
- METHOD
- ISOMETRIC PROJECTION
- OUTPUT
- LEGIBLE STRUCTURE
- STATUS
- OPEN INDEX
A · ROOT NODE · 60×60 IU
B · TRANSITIVE EDGE
01
SHEET 01
LAYERS OF THE STACK
Each layer is a horizon line in the dependency mountain. Scroll deeper; the graph grows denser, more transitive, more silent.
L1
TRANSITIVE
Transitive Closure
Dependencies of dependencies. The first surprise: typically 8–40× the declared set. Most CVEs live here, not at the surface.
L2
RUNTIME
Runtime Surface
Shared libraries, system ABIs, container base images. The substrate the graph stands on; rarely audited, almost always shipped.
L3
BUILD-TIME
Build & Toolchain
Compilers, linters, code generators, CI plugins. They never ship in the binary, yet they shaped every byte that did. SBOM coverage here is famously thin.
02
SHEET 02
DEPENDENCY EXPLORER
Hover any block to highlight its lineage. Upstream parents glow cyan; downstream dependents flag burnt orange. Click to lift the lid and read the metadata.
03
SHEET 03
AUDIT & PROVENANCE
A bill of materials is only useful when it can be re-walked. These are the questions an audit answers, ordered by the depth they require.
-
Q.01
RESOLVED
Which component shipped, exactly?
Name, version, distribution channel, content hash. Without an answer, every later question is rhetorical.
-
Q.02
RESOLVED
Who built it, and from what source?
Provenance attestation, signed by the builder. The chain of custody from commit to artifact, intact.
-
Q.03
PARTIAL
Is the source itself in the graph?
The toolchain must be in the bill too. A signed binary built by an unaudited compiler is a signed mystery.
-
Q.04
PARTIAL
What changes when one node is replaced?
The blast radius of a single transitive bump. SBOMs that cannot answer this are catalogues, not maps.
-
Q.05
FLAGGED
Where does the graph end?
Hardware microcode, vendor firmware, signing root. The tail of the chain that everyone agrees to stop drawing.
04
SHEET 04
FIELD MEASUREMENTS
Numbers from a working SBOM of a mid-sized service mesh. Drawn small, on purpose; the graph is the figure, not the chart.
DEPENDENCY DEPTH
07 LAYERS
P95 path length from declared root to leaf. Median is 4.
LICENSE MIX
11 FAMILIES
- MIT · 54%
- APACHE-2 · 27%
- BSD · 11%
- GPL/UNK · 8%
VULN POSTURE
04 OPEN
PROVENANCE
82% SIGNED
82%
Components shipping with SLSA-3 attestations or higher.
05
SHEET 05
RESEARCH ARCHIVE
Working notes, citations, related sheets. The bibliography of a graph is half the graph.
CycloneDX 1.6 — Component Schema
Field-level shape of a modern SBOM document, including services, vulnerabilities, and pedigree.
Open sheet →SPDX 3.0 — Relationships
A taxonomy of edges between components. The grammar of how dependencies relate, beyond the simple parent-child arrow.
Open sheet →SLSA Levels 1–4
A laddered framework for build integrity. Each rung trades convenience for verifiability; we draw the rungs at scale.
Open sheet →in-toto Attestations
Signed statements about steps in a build. Each attestation a small, witnessed move; the chain is the proof.
Open sheet →VEX — Exploitability
Which CVEs in the SBOM are actually reachable in this configuration. The footnote that turns a flag into a verdict.
Open sheet →EO 14028 — Federal SBOM Mandate
The 2021 executive order that made the bill of materials a procurement requirement, not a research curiosity.
Open sheet →