research lab // est. 2026

sbom.study

An advanced research discipline for the analysis, decomposition, and
cartography of software composition at the supply-chain frontier.

discipline: supply-chain forensics
specimens: 14,802 manifests indexed
vector: cyclonedx · spdx · swid
status: scanning_active

02 // study portfolio

curated investigations

Each artifact is a discrete inquiry into how software is composed, attributed, and unraveled. Cursor-active research surfaces — examine from any angle.

case study /// 14

Transitive dependency cartography

Mapping the recursive lineage of a single npm package through 11 layers of transitive inheritance. The bill of materials becomes a topological landscape — peaks of common ancestry, valleys of orphaned forks.

  • npm
  • maven
  • oci-layers
  • graph-theory

artifact /// 02

CycloneDX field forensics

Microscopic readings of a single SBOM document — every component, property, and externalReference treated as a clue.

{ "bomFormat": "CycloneDX", "specVersion": "1.5" }

artifact /// 05

SPDX license entanglement

A study of conflicting license declarations across overlapping components. Where does provenance fracture?

SPDX-License-Identifier: (MIT OR Apache-2.0)

specimen /// 09

VEX exploitability triage

Vulnerability Exploitability eXchange — annotating a vulnerability manifest with affected/not_affected/under_investigation states across a four-component product.

  • vex
  • cve
  • kev
cvss: 7.4 → not_affected (component_isolated)

artifact /// 11

SWID tag archaeology

Recovering structured identification metadata from a 2014 enterprise Linux distribution archive. Tag-survival rates by ecosystem.

case study /// 22

Reproducible-build fingerprinting

Comparing nine independent rebuilds of the same upstream source — what survives the toolchain? What mutates? An empirical study of determinism across compilers, linkers, and packagers.

  • reproducibility
  • determinism
  • provenance
  • attestation
artifact /// 17

In-toto attestation grammar

Parsing the rhetoric of supply-chain attestations — predicate types, statement subjects, and the choreography of trust.

predicateType: "https://slsa.dev/provenance/v1"

03 // deep analysis

the unobservable composition of software

A bill of materials presupposes a knowable inventory. Yet most software is assembled in flight — fetched, transpiled, statically and dynamically linked across substrates the inventory cannot see. This featured investigation maps the delta between the declared SBOM and the runtime SBOM: the phantom dependencies, the ephemeral layers, the components that exist only at the moment of execution.

We treat the SBOM not as a manifest but as a cross-section — a single plane sliced through a continuously moving body of software. The study asks: what is preserved across the cut? What is lost?

$ sbom diff --declared sbom.cdx.json --runtime runtime.cdx.json
  scanning declared manifest ............ 412 components
  scanning runtime introspection ........ 487 components
  cross-referencing ........................ done
+ 79 components present at runtime, absent in declaration
- 4  components declared, never observed at runtime
  delta written: ./study/cross-section-14.json
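Worked example, added here and not part of the lab's own `sbom diff` tooling: a minimal declared-vs-runtime cross-section in Python. It keys components on purl (falling back to name@version for components that carry none), walks nested CycloneDX components, and reports the two deltas shown in the output above; the two documents are constructed inline in place of sbom.cdx.json and runtime.cdx.json.

```python
import json

# Constructed sample documents standing in for sbom.cdx.json (declared)
# and runtime.cdx.json (runtime introspection); not data from the page.
DECLARED = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2",
         # nested transitive dependency, declared one level down
         "components": [{"type": "library", "name": "debug", "version": "2.6.9",
                         "purl": "pkg:npm/debug@2.6.9"}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "vendored-utils", "version": "0.1.0"},  # no purl
    ],
}
RUNTIME = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "debug", "version": "2.6.9",
         "purl": "pkg:npm/debug@2.6.9"},
        {"type": "library", "name": "vendored-utils", "version": "0.1.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "file", "name": "libssl.so.3", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/libssl3@3.0.2"},  # OS layer the declaration never saw
    ],
}

def component_keys(doc):
    """Flatten a CycloneDX component tree into a set of identity keys.
    Prefer the purl; fall back to name@version when a component has none."""
    keys = set()
    stack = list(doc.get("components", []))
    while stack:
        c = stack.pop()
        keys.add(c.get("purl") or f"{c.get('name')}@{c.get('version', '')}")
        stack.extend(c.get("components", []))  # nested components count too
    return keys

def sbom_diff(declared, runtime):
    d, r = component_keys(declared), component_keys(runtime)
    return {"phantom": sorted(r - d),     # present at runtime, absent in declaration
            "unobserved": sorted(d - r),  # declared, never observed at runtime
            "declared": len(d), "runtime": len(r)}

if __name__ == "__main__":
    print(json.dumps(sbom_diff(DECLARED, RUNTIME), indent=2))
```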