sbom.study

Advanced Research in Software Bill of Materials

Research Portfolio

Methodology

SPDX vs CycloneDX

Comparative format analysis of leading SBOM standards. Evaluating schema expressiveness and tool ecosystem maturity.

format: SPDX-2.3

Case Study

Supply Chain Forensics

Post-incident analysis of dependency confusion attacks via SBOM artifact provenance verification.

vuln:CVE-2026-XXXX

Infrastructure

Automated Generation Pipelines

CI/CD integration patterns for continuous SBOM generation. Build-time vs runtime artifact collection strategies across polyglot repositories.

pipeline: build → scan → attest

Analysis

License Compliance Matrix

Automated license obligation mapping through SBOM-derived component inventories. Conflict detection at scale.

license: Apache-2.0 AND MIT

Research

VEX Correlation Engine

Linking Vulnerability Exploitability eXchange documents to SBOM component entries for contextual risk scoring.

vex:status:not_affected

Deep Analysis

Transitive Dependency Intelligence

Much of what an SBOM can tell you lives in the transitive dependency graph rather than in the flat component list. Our lab studies how software composition produces graphs in which a single deeply nested component is reachable from thousands of downstream consumers, so that a vulnerability or a malicious release in that one component is inherited by all of them. We map these graphs with graph analysis, machine learning, and visualization techniques. In CycloneDX the graph is carried in the dependencies array: each entry's ref and dependsOn values must resolve to the bom-ref of a declared component (the root component in metadata included), otherwise the edge cannot be followed and the consumer stays invisible.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "core-runtime",
      "version": "3.8.2",
      "bom-ref": "pkg:npm/core-runtime@3.8.2",
      "purl": "pkg:npm/core-runtime@3.8.2",
      "evidence": {
        "identity": { "field": "purl", "confidence": 0.95 }
      }
    },
    { "type": "library", "name": "util", "version": "1.2.0",
      "bom-ref": "pkg:npm/util@1.2.0", "purl": "pkg:npm/util@1.2.0" },
    { "type": "library", "name": "crypto-lib", "version": "4.1.0",
      "bom-ref": "pkg:npm/crypto-lib@4.1.0", "purl": "pkg:npm/crypto-lib@4.1.0" }
  ],
  "dependencies": [
    { "ref": "pkg:npm/core-runtime@3.8.2",
      "dependsOn": ["pkg:npm/util@1.2.0", "pkg:npm/crypto-lib@4.1.0"] },
    { "ref": "pkg:npm/util@1.2.0", "dependsOn": [] },
    { "ref": "pkg:npm/crypto-lib@4.1.0", "dependsOn": [] }
  ]
}
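As an added example for the VEX Correlation Engine and Transitive Dependency Intelligence entries above (this is not code from the sbom.study lab), the following Python script checks a CycloneDX 1.5 dependency graph for dangling refs, walks it in reverse to find every downstream consumer of a component together with its dependency distance, and joins a CycloneDX VEX document to the result so that a not_affected verdict suppresses the finding while an exploitable one is propagated to all consumers. The SBOM and VEX documents are constructed inline; the package names (web-app, api-client, and the core-runtime, util and crypto-lib names from the snippet above) and the EXAMPLE-VULN ids are placeholders, and the VEX affects.ref values are assumed to be plain bom-refs rather than BOM-Link URNs.

```python
# Reverse dependency walk over a CycloneDX 1.5 SBOM, joined with a VEX document.
# Added example for this page, not code from the sbom.study lab. The SBOM and
# VEX below are constructed; package names and vulnerability ids are placeholders.
import json
from collections import deque

# Constructed CycloneDX 1.5 BOM. bom-ref values equal the purl (the usual
# convention); dependency entries must point at these bom-refs.
SBOM_JSON = """
{ "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": { "component": { "type": "application", "name": "web-app",
                "version": "1.0.0", "bom-ref": "pkg:npm/web-app@1.0.0" } },
  "components": [
    { "type": "library", "name": "core-runtime", "version": "3.8.2",
      "purl": "pkg:npm/core-runtime@3.8.2", "bom-ref": "pkg:npm/core-runtime@3.8.2" },
    { "type": "library", "name": "api-client", "version": "2.0.0",
      "purl": "pkg:npm/api-client@2.0.0", "bom-ref": "pkg:npm/api-client@2.0.0" },
    { "type": "library", "name": "util", "version": "1.2.0",
      "purl": "pkg:npm/util@1.2.0", "bom-ref": "pkg:npm/util@1.2.0" },
    { "type": "library", "name": "crypto-lib", "version": "4.1.0",
      "purl": "pkg:npm/crypto-lib@4.1.0", "bom-ref": "pkg:npm/crypto-lib@4.1.0" } ],
  "dependencies": [
    { "ref": "pkg:npm/web-app@1.0.0",
      "dependsOn": ["pkg:npm/core-runtime@3.8.2", "pkg:npm/api-client@2.0.0"] },
    { "ref": "pkg:npm/core-runtime@3.8.2",
      "dependsOn": ["pkg:npm/util@1.2.0", "pkg:npm/crypto-lib@4.1.0"] },
    { "ref": "pkg:npm/api-client@2.0.0", "dependsOn": ["pkg:npm/crypto-lib@4.1.0"] },
    { "ref": "pkg:npm/util@1.2.0", "dependsOn": [] },
    { "ref": "pkg:npm/crypto-lib@4.1.0", "dependsOn": [] } ] }
"""

# Constructed CycloneDX VEX document: analysis.state is the exploitability
# verdict for this product, affects.ref names the vulnerable component.
VEX_JSON = """
{ "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    { "id": "EXAMPLE-VULN-0001", "source": { "name": "constructed" },
      "analysis": { "state": "not_affected", "justification": "code_not_reachable" },
      "affects": [ { "ref": "pkg:npm/crypto-lib@4.1.0" } ] },
    { "id": "EXAMPLE-VULN-0002", "source": { "name": "constructed" },
      "analysis": { "state": "exploitable" },
      "affects": [ { "ref": "pkg:npm/util@1.2.0" } ] } ] }
"""

# VEX states that close a finding for this product.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def load_example():
    """Parse the constructed documents into (sbom, vex) dicts."""
    return json.loads(SBOM_JSON), json.loads(VEX_JSON)

def declared_refs(sbom):
    """Every bom-ref a dependency entry may point at: the root plus components."""
    refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        refs.add(root["bom-ref"])
    return refs

def dangling_refs(sbom):
    """Refs used by the dependency graph that no component declares; such an
    edge cannot be followed, so run this check before any graph analysis."""
    used = set()
    for entry in sbom.get("dependencies", []):
        used.add(entry["ref"])
        used.update(entry.get("dependsOn", []))
    return used - declared_refs(sbom)

def reverse_edges(sbom):
    """Map each ref to the set of refs that depend on it directly."""
    rev = {ref: set() for ref in declared_refs(sbom)}
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            rev.setdefault(dep, set()).add(entry["ref"])
    return rev

def downstream_consumers(rev, ref):
    """BFS up the reverse graph: every ref that transitively depends on `ref`,
    mapped to its shortest distance (1 = direct consumer). Cycles are harmless
    because a node is recorded only on its first visit."""
    depth, queue = {}, deque([(ref, 0)])
    while queue:
        node, d = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in depth:
                depth[parent] = d + 1
                queue.append((parent, d + 1))
    return depth

def correlate(sbom, vex):
    """Join each VEX statement to the SBOM graph, keyed by (vuln id, component):
    the verdict, whether it suppresses the finding, and the consumers that
    inherit the exposure when it does not."""
    rev, report = reverse_edges(sbom), {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            ref = target["ref"]
            if ref not in rev:
                continue  # the VEX names a component this BOM does not contain
            report[(vuln["id"], ref)] = {
                "state": state,
                "suppressed": state in SUPPRESSING_STATES,
                "consumers": downstream_consumers(rev, ref),
            }
    return report
```

Run dangling_refs first: a ref that does not resolve is an edge the walker never sees, which is exactly how a deeply nested consumer drops out of a report. On the constructed BOM, crypto-lib has two direct consumers (core-runtime and api-client) and web-app at distance 2, but its finding is suppressed by the not_affected statement; the exploitable finding on util is propagated to core-runtime and web-app. The distance map is the raw input for prioritisation: a direct consumer can usually pin or patch, while a distance-3 consumer depends on an upstream release.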