The Collection

II

SPDX Format

The Software Package Data Exchange (SPDX) standard provides a common language for communicating component, license and provenance information, serialised as tag-value, JSON, YAML or RDF. SPDX 2.2.1 was adopted by ISO/IEC as ISO/IEC 5962:2021, the international standard for SBOMs.

Standards
III

CycloneDX

An OWASP-maintained lightweight SBOM standard designed for security contexts. Purpose-built for vulnerability identification and license compliance analysis: each component carries a bom-ref plus package URL (purl) or CPE identifiers, and a separate dependencies array records who depends on whom.

Standards
IV

Supply Chain Attacks

From SolarWinds (a compromised build pipeline shipping signed, trojaned updates) to Log4Shell (a critical flaw in a logging library buried deep in transitive dependencies), modern attacks exploit the invisible web of dependencies. SBOMs illuminate these hidden connections, transforming opacity into transparency: "do we ship log4j-core, and where?" becomes a query over inventory rather than an investigation. An SBOM lists what is present; it does not by itself prove the build that produced it was honest, which is why SBOMs are paired with build attestations.

Executive Order 14028 on Improving the Nation's Cybersecurity (May 2021) directed NTIA to publish the minimum elements of an SBOM and called for vendors to supply one with software sold to the federal government, marking a paradigm shift in software supply chain security.

Security
V

Dependency Graphs

Visualizing transitive dependencies reveals the fractal complexity of modern software. A single direct dependency may pull in hundreds of unseen components, the same library may appear at several depths and versions, and cycles are common. A flat list hides all of this, which is why SPDX relationships and the CycloneDX dependencies array express the graph explicitly.

Analysis
VI

License Compliance

SBOMs enable automated license detection across the full dependency tree, provided each component carries an SPDX license identifier or expression; components with no license data are findings in their own right. From MIT to GPL, obligations such as attribution and source disclosure are catalogued and tracked, and copyleft terms that conflict with how a product ships can be flagged before release.
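The dependency walk described under Dependency Graphs and the license sweep described here share one parser, so a single example covers both. It is an added Python script written for this page, not code from sbom.study or from any SBOM tool: it loads a constructed CycloneDX 1.5 JSON document with fictional package names, resolves the application's transitive dependencies with a cycle-safe breadth-first walk, and flags copyleft, unlicensed and unplaced components. The copyleft prefix list is a simplification assumed for the example.

```python
"""Walk a CycloneDX 1.5 JSON SBOM: resolve the transitive dependency tree of
the described application and report license obligations across it.
Added example; the document below is constructed for illustration (fictional
packages) and is not the output of any real tool."""
import json
import re
from collections import deque

# Constructed CycloneDX document. bom-refs are package URLs (purl); the
# dependencies array is the graph, the components array is the inventory.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "shop-api",
                               "version": "2.1.0",
                               "bom-ref": "pkg:pypi/shop-api@2.1.0"}},
    "components": [
        {"type": "library", "name": "httpclient", "version": "2.31.0",
         "bom-ref": "pkg:pypi/httpclient@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urlpool", "version": "2.0.7",
         "bom-ref": "pkg:pypi/urlpool@2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "cacerts", "version": "2023.7.22",
         "bom-ref": "pkg:pypi/cacerts@2023.7.22"},            # no license data
        {"type": "library", "name": "pdfgen", "version": "4.0.4",
         "bom-ref": "pkg:pypi/pdfgen@4.0.4",
         "licenses": [{"expression": "BSD-3-Clause OR MIT"}]},
        {"type": "library", "name": "pdfcore", "version": "1.2.0",
         "bom-ref": "pkg:pypi/pdfcore@1.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "leftover", "version": "0.1.0",
         "bom-ref": "pkg:pypi/leftover@0.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},          # in inventory, not in graph
    ],
    "dependencies": [
        {"ref": "pkg:pypi/shop-api@2.1.0",
         "dependsOn": ["pkg:pypi/httpclient@2.31.0", "pkg:pypi/pdfgen@4.0.4"]},
        {"ref": "pkg:pypi/httpclient@2.31.0",
         "dependsOn": ["pkg:pypi/urlpool@2.0.7", "pkg:pypi/cacerts@2023.7.22"]},
        {"ref": "pkg:pypi/pdfgen@4.0.4", "dependsOn": ["pkg:pypi/pdfcore@1.2.0"]},
        {"ref": "pkg:pypi/pdfcore@1.2.0", "dependsOn": ["pkg:pypi/pdfgen@4.0.4"]},  # cycle
    ],
})

# SPDX identifier prefixes treated as copyleft (strong and weak); a simplification.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-", "MPL-", "EPL-")


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn...]})."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    return root, components, graph


def transitive_dependencies(root, graph):
    """Breadth-first walk from the root; returns {bom-ref: shortest depth}.
    The visited check is what makes cyclic graphs terminate."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    del depth[root]
    return depth


def component_licenses(component):
    """CycloneDX allows {'license': {'id'|'name'}} or {'expression': '...'} entries."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            found.append(entry["license"].get("id") or entry["license"].get("name"))
    return [f for f in found if f]


def license_report(root, components, graph):
    """Flag copyleft and unlicensed components reachable from the root, plus
    inventory entries the graph never places (a gap in the dependency data)."""
    deps = transitive_dependencies(root, graph)
    report = {"copyleft": [], "unlicensed": [], "unplaced": []}
    for ref in deps:
        lics = component_licenses(components.get(ref, {}))
        if not lics:
            report["unlicensed"].append(ref)
            continue
        # An expression such as "BSD-3-Clause OR MIT" is split into ids; any
        # copyleft id is flagged and the OR choice is left to a human.
        ids = [tok for lic in lics for tok in re.split(r"[\s()]+", lic)]
        if any(tok.startswith(COPYLEFT_PREFIXES) for tok in ids):
            report["copyleft"].append((ref, lics))
    report["unplaced"] = sorted(set(components) - set(deps))
    return report


if __name__ == "__main__":
    root, components, graph = load_sbom(CYCLONEDX_SBOM)
    for ref, d in sorted(transitive_dependencies(root, graph).items(), key=lambda x: x[1]):
        print(f"{'  ' * d}{ref}")
    print(json.dumps(license_report(root, components, graph), indent=2))
```

The "unplaced" bucket is worth keeping in a real pipeline: a component that appears in the inventory but in no dependency relationship is exactly the kind of known unknown an SBOM consumer needs to see rather than silently ignore.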

Legal
VIII

SBOM Generation

Tools like Syft, Trivy, and SPDX-sbom-generator extract component inventories from source code, container images, and binary artifacts. Results differ between tools and between scanning a source tree, a lockfile, and a built artifact, so generate at build time from the artifact you actually ship, and record which tool and version produced the document.
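As an added illustration of what a generator does (example code written for this page, not the implementation of Syft, Trivy or SPDX-sbom-generator), the following Python turns a constructed pinned requirements file into an SPDX 2.3 JSON document. The application name, supplier string, tool name and namespace host are assumed; the output also shows the shape of the SPDX JSON serialisation described under SPDX Format above.

```python
"""Generate a minimal SPDX 2.3 JSON SBOM from a pinned Python requirements file.
Added example, not the output of Syft, Trivy or SPDX-sbom-generator; the
requirements text, application name and supplier are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed lockfile-style input: a comment, an environment marker and an
# unpinned range, to show what the parser has to tolerate.
REQUIREMENTS = """\
# constructed lockfile, exact pins only
flask==3.0.0
werkzeug==3.0.1 ; python_version >= "3.8"
itsdangerous==2.1.2
some-unpinned-package>=1.0     # a range is not an inventory entry; skipped
"""

PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text):
    """Return [(normalised name, exact version)] for every '==' pin."""
    pins = []
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 normalisation
            pins.append((name, m.group(2)))
    return pins


def spdx_id(name, version):
    """SPDX element ids may contain only letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{name}-{version}")


def build_spdx(pins, app_name, app_version, supplier="Organization: Example Corp",
               tool="Tool: example-generator-0.1", created=None):
    """Assemble the SPDX document. The document DESCRIBES the application and
    every pin is recorded as a direct DEPENDS_ON of it, because a flat
    requirements file carries no deeper tree."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    app_id = spdx_id(app_name, app_version)
    packages = [{
        "SPDXID": app_id, "name": app_name, "versionInfo": app_version,
        "supplier": supplier, "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
    }]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES", "relatedSpdxElement": app_id}]
    for name, version in pins:
        pid = spdx_id(name, version)
        packages.append({
            "SPDXID": pid, "name": name, "versionInfo": version,
            "supplier": "NOASSERTION",           # the lockfile does not say who publishes it
            "downloadLocation": f"https://pypi.org/project/{name}/{version}/",
            "filesAnalyzed": False,              # no file-level verification code needed
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": f"pkg:pypi/{name}@{version}"}],
        })
        relationships.append({"spdxElementId": app_id, "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": pid})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app_name}-{app_version}",
        # the namespace must be unique per document; a UUID guarantees that
        "documentNamespace": f"https://sbom.example/spdxdocs/{app_name}-{uuid.uuid4()}",
        "creationInfo": {"created": created, "creators": [tool]},
        "packages": packages,
        "relationships": relationships,
    }


if __name__ == "__main__":
    print(json.dumps(build_spdx(parse_pins(REQUIREMENTS), "shop-api", "2.1.0"), indent=2))
```

The flat input is the limitation to notice: every package hangs directly off the application because a requirements file records no tree. A real generator recovers depth from the resolver's metadata or from the built artifact, which is one reason the same project scanned two ways yields two different SBOMs.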

Tooling
IX

NTIA Minimum Elements

The National Telecommunications and Information Administration defines the baseline data fields: supplier name, component name, version, other unique identifiers (such as purl or CPE), dependency relationships, author of the SBOM data, and timestamp. The same 2021 guidance also requires machine-readable output in SPDX, CycloneDX or SWID, and practices such as stating the depth of the tree and recording "known unknowns" where it could not be fully resolved.
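An added checker, written for this page rather than taken from NTIA or from any tool, that tests an SPDX 2.3 JSON document against the seven data fields listed above. The document is constructed with fictional packages and deliberate gaps so that each kind of finding is exercised; treating a "NOASSERTION" supplier as absent, and a package that appears in no relationship as having an unknown dependency position, are interpretations assumed here.

```python
"""Check an SPDX 2.3 JSON document against the seven NTIA minimum data fields.
Added example; the document below is constructed with deliberate gaps
(fictional packages) and is not the output of any real tool."""
import json

# External reference types accepted as an "other unique identifier".
ID_REF_TYPES = {"purl", "cpe22Type", "cpe23Type", "swid"}


def purl_ref(locator):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": locator}


# Constructed document: one package is complete, three each miss something.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "shop-api-2.1.0",
    "documentNamespace": "https://sbom.example/spdxdocs/shop-api-2.1.0-example",
    "creationInfo": {"created": "2024-03-01T12:00:00Z",
                     "creators": ["Tool: example-generator-0.1",
                                  "Organization: Example Corp"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "shop-api", "versionInfo": "2.1.0",
         "supplier": "Organization: Example Corp", "downloadLocation": "NOASSERTION",
         "externalRefs": [purl_ref("pkg:pypi/shop-api@2.1.0")]},
        {"SPDXID": "SPDXRef-httpclient", "name": "httpclient", "versionInfo": "2.31.0",
         "supplier": "NOASSERTION",                      # supplier unknown
         "downloadLocation": "NOASSERTION",
         "externalRefs": [purl_ref("pkg:pypi/httpclient@2.31.0")]},
        {"SPDXID": "SPDXRef-cacerts", "name": "cacerts",  # no version, no identifier
         "supplier": "Organization: Cert Project", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-urlpool", "name": "urlpool", "versionInfo": "2.0.7",
         "supplier": "Person: Jane Doe", "downloadLocation": "NOASSERTION",
         "externalRefs": [purl_ref("pkg:pypi/urlpool@2.0.7")]},   # never placed in the graph
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-httpclient"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-cacerts"},
    ],
})


def has_unique_identifier(pkg):
    return any(r.get("referenceType") in ID_REF_TYPES for r in pkg.get("externalRefs", []))


def check_ntia_minimum(text):
    """Return a list of findings; an empty list means every NTIA data field is
    present for the document and for each package."""
    doc = json.loads(text)
    findings = []
    info = doc.get("creationInfo", {})
    if not info.get("created"):
        findings.append("document: missing timestamp (creationInfo.created)")
    if not info.get("creators"):
        findings.append("document: missing SBOM author (creationInfo.creators)")
    # A package that appears in no relationship has an unknown position in the tree.
    placed = set()
    for rel in doc.get("relationships", []):
        placed.add(rel.get("spdxElementId"))
        placed.add(rel.get("relatedSpdxElement"))
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        if not pkg.get("name"):
            findings.append(f"{pid}: missing component name")
        if not pkg.get("versionInfo"):
            findings.append(f"{pid}: missing version")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            findings.append(f"{pid}: missing supplier name")
        if not has_unique_identifier(pkg):
            findings.append(f"{pid}: no unique identifier (purl, CPE or SWID)")
        if pid not in placed:
            findings.append(f"{pid}: in no relationship, dependency position unknown")
    return findings


if __name__ == "__main__":
    for line in check_ntia_minimum(SPDX_DOC) or ["all NTIA minimum data fields present"]:
        print(line)
```

A check like this belongs at the point where an SBOM is accepted, whether from a build pipeline or from a supplier, because a document that is syntactically valid SPDX can still be useless for vulnerability matching if its packages carry no purl or CPE.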

Policy
X

The Future of SBOMs

From static inventories to living documents -- continuous SBOM generation in CI/CD pipelines, AI-powered analysis, and cross-organizational sharing protocols.

Vision

About This Exhibition

sbom.study is a curated exploration of Software Bill of Materials -- the practice, the standards, and the philosophy of software transparency. In an era of invisible dependencies and opaque supply chains, understanding what composes your software is no longer optional. It is an act of intellectual rigor.

This exhibition presents SBOM knowledge through the lens of anti-design: deliberately breaking conventional web aesthetics to mirror the way SBOMs break open the black box of software composition.

Resources & References


SPDX Specification

The ISO/IEC 5962:2021 standard for software package data exchange.

CycloneDX Standard

OWASP's lightweight SBOM standard for security use cases.

NTIA SBOM Resources

Federal guidance on minimum elements and sharing practices.

EO 14028

Executive Order on Improving the Nation's Cybersecurity (2021).