sbom.day

A daily surrealist gallery of software bills of materials.

Issue No. 001 Tutorial Volume I Hexagonal Edition
Volume I — Components

The Honeycomb of Concepts

Each cell holds a foundational idea of the SBOM discipline. Hover, scroll, and the hexagons disclose their tutorial layer.

01
Dependencies
Direct and transitive packages your software pulls in — the visible and the inherited.
npm ls --all

02
Licenses
MIT. Apache-2.0. GPL-3.0. The legal mosaic of obligations stitched into your product.
license-checker

03
Vulnerabilities
Known CVEs against the ingredients. The melting clocks of your supply chain.
osv-scanner --sbom

04
Provenance
Who built this artifact, where, and from what source — the cartography of origin.
slsa.dev/provenance

05
Formats
SPDX, CycloneDX, SWID. Three dialects describing the same ingredient list.
cyclonedx-bom

06
Signing
Cryptographic seal binding an SBOM to an artifact. Wax for the digital age.
cosign attest

07
Compliance
EO 14028, CRA, NTIA minimum elements. The retro-future bureaucracy of trust.
compliance.report

08
Distribution
Where SBOMs live alongside artifacts: registries, attestations, transparency logs.
oras push --artifact

Volume II — Recursion

The Dependency Chain, Receding

A package depends on a package depends on a package. We render the descent as it feels — like falling forward into the vanishing point.

my-app 1.0.0
  express 4.19.2
    body-parser 1.20.2
      qs 6.11.0
        side-channel 1.0.4
          call-bind 1.0.7

Today's Lesson

How to read an SBOM in eight breaths

i. Identify the format.
   Open the file. The first key is your dialect: spdxVersion, bomFormat, or a SWID tag. Each will speak in slightly different verbs.

ii. Locate the subject.
   Find the artifact this document describes — the document name in SPDX or metadata.component in CycloneDX. This is the painting; the rest is its ingredients.

iii. Walk the components.
   Each entry is a hexagonal cell. Note the name, version, and unique identifier (PURL or CPE). These three fields form a constellation that any tool can recognize.

iv. Trace relationships.
   Components link to other components via DEPENDS_ON (SPDX) or dependsOn (CycloneDX). Draw the graph; the shape will tell you about your blast radius.

v. Read every license.
   An MIT hex next to a GPL-3.0 hex is not a contradiction — it is a contract. Note the obligations.

vi. Cross-check vulnerabilities.
   Run the SBOM through an OSV or CVE matcher. Hexagons that flicker amber are your priorities.

vii. Verify the seal.
   Check the cosign or in-toto attestation. An unsigned SBOM is a poem without an author.

viii. Archive with provenance.
   Store the SBOM beside the artifact, with a build receipt. Tomorrow's auditor will thank you.
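Breaths i to iv in working code, as an added example that is not part of sbom.day: detect the dialect, locate the subject, walk the components and their dependsOn edges, flag refs the graph mentions but never declares, and answer the blast-radius question of breath iv (everything that transitively depends on one component). The SBOM is a constructed CycloneDX 1.5 sample mirroring the chain in Volume II; the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 sample mirroring the chain in Volume II (sample data only: the real express declares far more dependencies).
CHAIN = [("my-app", "1.0.0"), ("express", "4.19.2"), ("body-parser", "1.20.2"),
         ("qs", "6.11.0"), ("side-channel", "1.0.4"), ("call-bind", "1.0.7")]
REFS = [f"pkg:npm/{name}@{ver}" for name, ver in CHAIN]
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": REFS[0], "name": "my-app", "version": "1.0.0"}},
    "components": [{"bom-ref": ref, "name": name, "version": ver, "purl": ref}
                   for ref, (name, ver) in zip(REFS[1:], CHAIN[1:])],
    # each link depends only on the next one, exactly as the page draws it
    "dependencies": [{"ref": a, "dependsOn": [b]} for a, b in zip(REFS, REFS[1:])],
})

def detect_format(doc):
    """Breath i: the first key names the dialect."""
    for key, fmt in (("bomFormat", "CycloneDX"), ("spdxVersion", "SPDX")):
        if key in doc:
            return fmt
    raise ValueError("unknown SBOM dialect")

def read_cyclonedx(text):
    """Breaths ii-iv: the subject, components keyed by bom-ref, and dependsOn edges."""
    doc = json.loads(text)
    assert detect_format(doc) == "CycloneDX", "this reader only walks CycloneDX"
    subject = doc["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    comps[subject["bom-ref"]] = subject
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return subject, comps, edges

def dangling_refs(comps, edges):
    """Refs the graph mentions but no component declares: the map is incomplete."""
    mentioned = set(edges) | {kid for kids in edges.values() for kid in kids}
    return mentioned - set(comps)

def blast_radius(edges, ref):
    """Every ref that transitively depends on `ref`: what a CVE in `ref` reaches."""
    rev = defaultdict(set)
    for parent, kids in edges.items():
        for kid in kids:
            rev[kid].add(parent)
    seen, stack = set(), [ref]
    while stack:
        for parent in rev[stack.pop()] - seen:
            seen.add(parent)
            stack.append(parent)
    return seen
```

A non-empty result from dangling_refs means the dependency graph cannot be trusted for the blast-radius walk, so resolve it before breath vi.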