sbom.day

A Surrealist Gallery of Software Composition

The Component Registry

Every piece of software is an assembly of parts. Explore the taxonomy of a modern SBOM.

Dependencies

The packages your software needs to function. Direct and transitive, each one a link in the chain.

"dependencies": { ... }

Licenses

MIT, Apache-2.0, GPL-3.0 -- the legal DNA embedded in every component you ship.

SPDX-License-Identifier

Vulnerabilities

CVEs lurking in your dependency tree. Critical, high, medium -- each a door left ajar.

CVE-2024-XXXXX

Compliance

NTIA minimum elements, executive orders, and the regulatory landscape shaping software transparency.

ntia-conformance: true

Provenance

Where did this code come from? Build attestations, source repositories, and the chain of custody.

supplier: "verified"

Formats

SPDX, CycloneDX, SWID -- the competing standards vying to define how we describe software.

format: "CycloneDX/1.5"

The Dependency Chain

Follow the thread. Every application is a tapestry of interconnected components stretching into impossible depth.

your-app 1.0.0
framework 5.2.1
database 3.8.0
auth-lib 2.4.3
http-core 1.1.0
sql-parser 0.9.7
crypto-old 1.0.2 CVE-2024-1234
jwt-decode 3.1.2
buffer 6.0.3
events 3.3.0
util 0.12.5
stream 0.0.2
assert 2.1.0
... 847 more transitive dependencies
SPDX-2.3
DocumentName: your-app
DocumentNamespace: https://...
bomFormat: "CycloneDX"
specVersion: "1.5"
components: [...]

Today's Exhibition

25 MAR

The Phantom Dependency

A meditation on transitive dependencies -- the packages you never chose but ship in every build. They arrive unbidden, nested twelve layers deep, carrying licenses you've never read and vulnerabilities you'll discover too late.

require("your-app")
require("framework")
require("helper-util")
require("left-pad")
require("???")
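The Dependency Chain and The Phantom Dependency both raise the same practical question: which direct dependency pulled a vulnerable transitive package into the build? The following is an added example, not code from sbom.day, that walks a constructed CycloneDX 1.5 fragment (the edges between the gallery's packages and the CVE-to-component mapping are assumptions, and CVE-2024-1234 is the page's own illustrative identifier) and reports the shortest path from your-app to the affected component, its depth, and the direct dependency responsible.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 fragment modelled on the gallery's chain. The edges and
# the CVE-to-component mapping are assumptions (the page lists the packages flat).
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "your-app@1.0.0"}},
  "dependencies": [
    {"ref": "your-app@1.0.0",  "dependsOn": ["framework@5.2.1", "database@3.8.0"]},
    {"ref": "framework@5.2.1", "dependsOn": ["http-core@1.1.0", "util@0.12.5"]},
    {"ref": "database@3.8.0",  "dependsOn": ["sql-parser@0.9.7", "auth-lib@2.4.3"]},
    {"ref": "auth-lib@2.4.3",  "dependsOn": ["jwt-decode@3.1.2", "crypto-old@1.0.2"]},
    {"ref": "http-core@1.1.0", "dependsOn": ["buffer@6.0.3", "events@3.3.0"]}
  ],
  "vulnerabilities": [{"id": "CVE-2024-1234", "affects": [{"ref": "crypto-old@1.0.2"}]}]
}""")

def build_graph(bom):
    """bom-ref -> refs it depends on, from the CycloneDX 'dependencies' array."""
    return {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}

def shortest_paths(graph, root):
    """BFS from root; returns {ref: parent}. First visit wins, so paths are shortest."""
    parents, queue = {root: None}, deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in parents:
                parents[child] = node
                queue.append(child)
    return parents

def explain_vulnerabilities(bom):
    """Per CVE: shortest chain app -> affected component, its depth, and the direct
    dependency ('via') that pulled the phantom in. Unreachable refs are skipped."""
    root = bom["metadata"]["component"]["bom-ref"]
    parents = shortest_paths(build_graph(bom), root)
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            ref, path = affected["ref"], []
            while ref in parents:            # walk parent links back to the root
                path.append(ref)
                ref = parents[ref]
            path.reverse()                   # empty if the component is not in the tree
            if path:
                findings.append({"id": vuln["id"], "path": path, "depth": len(path) - 1,
                                 "via": path[1] if len(path) > 1 else root})
    return findings
```

Call `explain_vulnerabilities(SBOM)` to get the findings; against the constructed fragment it reports CVE-2024-1234 three levels deep, introduced through database@3.8.0.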