Solving Software Supply Chain Transparency

Open Source tooling for generating, notarizing, linking and validating Software Bills of Materials (SBOM)

What is an SBOM?

A complete, formally structured list of components, libraries, and modules that are required to build a given piece of software and the supply chain relationships between them. Source: NTIA

There are machine-readable, standard formats for SBOMs, like SPDX and CycloneDX. However, an SBOM could be just a spreadsheet or a text document.

Until now, the supply chain relationships between SBOMs have been missing. The SBOM ledger builds on software and metadata integrity and authenticity, allowing users to verify that the source of the SBOM data has not been tampered with.

Generate your SBOM now

Using our public API you can generate your own SBOM for free, safely and anonymously. Just download a CLI or the Audit Workbench and compare your code against the millions of OSS components in our knowledgebase to identify even small snippets.

Download the SBOM Workbench for Windows
Download the SBOM Workbench for Apple Silicon Macs
Download the SBOM Workbench for Intel Macs
Download the SBOM Workbench for Linux
Download the SBOM Workbench source code from GitHub

URLs indexed  Repository
  98,936,439  github.com
  52,742,887  npmjs.org
  35,627,409  maven.org
  29,647,697  debian.org
  28,793,907  stackoverflow.com
  18,160,233  pythonhosted.org
  12,582,055  fedoraproject.org
  11,560,465  nuget.org
   9,070,167  rpmfind.net
   5,929,274  golang.org
   2,915,207  sourceforge.net
   2,699,297  googlesource.com
   2,018,522  bitbucket.org
   1,702,078  rubygems.org
   1,454,677  gnome.org
   1,099,734  gitee.com
     812,072  gitlab.com
     526,392  repository.cloudera.com/service/rest/repository/browse/public
     499,518  java2s.com
     419,554  spring.io
     409,100  cpan.org
     355,150  maven.wso2.org/nexus/content/repositories/public
     348,719  drupal.org
     288,341  codeplex.com
     256,387  clojars.org
     252,764  repository.jboss.org/nexus/service/rest/repository/browse/releases
     228,315  apache.org
     141,616  haskell.org
     106,906  gitcode.com
     104,236  eclipse.org
      99,904  codeberg.org
      81,201  maven.wso2.org/nexus/content/repositories/releases
      80,581  opensuse.org
      78,868  kernel.org
      75,864  packages.jetbrains.team/maven/p/ktor/eap
      73,454  launchpad.net
      63,626  maven.artifacts.atlassian.com
      45,769  repository.jboss.org/nexus/service/rest/repository/browse/ea
      42,942  invent.kde.org
      38,260  maven.google.com
      37,415  gnu.org
      36,823  maven.xwiki.org/releases
      33,858  nasm.us
      27,721  angularjs.org
      23,154  pagure.io
      21,102  videolan.org
      16,589  code.qt.io
      13,607  nexus.bedatadriven.com/content/groups/public
      12,201  artifacts.alfresco.com/nexus/service/rest/repository/browse/public
      11,859  nodejs.org
      10,754  unity.com
       9,666  centos.org
       7,499  apple.com
       7,499  maven-repository.openspaces.org
       7,029  rpmfusion.org
       6,697  sourceware.org
       6,106  isc.org
       2,884  trustedfirmware.org
       1,975  nmap.org
       1,417  yoctoproject.org
       1,405  postgresql
       1,021  mozilla.org
         905  storage.googleapis.com
         473  jquery.com
         402  netfilter.org
         151  busybox.net
         148  vcgit.hhi.fraunhofer.de
         147  mercurial-scm.org
         133  gitlab.freedesktop.org
          98  sudo.ws
          88  slf4j.org
          71  zlib.net
          54  libssh.org
          44  svn.code.sf.net
          30  script.aculo.us
           9  java.sun.com

INTRODUCING

The decentralized SBOM Ledger

Blockchain technologies provide a foundation to meet the technical and ethical challenges of establishing trust and information perpetuity. However, access to Blockchain technologies is difficult for corporations since they involve the use of cryptocurrencies.

The Software Transparency Foundation aims at creating the first decentralized SBOM ledger, which connects and validates SBOMs regardless of their format. SPDX, CycloneDX and even Excel or CSV files can be interconnected and validated, enabling traceability across the supply chain tree.

Abstraction layer for Blockchain registration

Software Transparency Foundation proposes to solve the issue of Blockchain transaction fees by providing a set of Open Source tools that allow registration of SBOM metadata, validation of declared software integrity, and traceability of preceding SBOMs.

License Compliance and Cybersecurity

President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021) adds momentum to the SBOM movement by specifically requiring “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.

Perhaps the biggest single challenge to supply-chain transparency and the SBOM model is the abundance of open ‘standards’. Each is intended to reduce redundant work in the supply chain by providing common processes and formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

The decentralized SBOM Ledger bridges this gap by enabling format-agnostic SBOM connectivity.

The first Open Source SBOM ledger

Generate SBOM

Open Source tooling to generate a standardized Software Bill of Materials

Notarize SBOM

Tooling to notarize your Software Bill of Materials for external distribution

Relate SBOM

Open Source tooling to link your Software Bill of Materials to the preceding SBOMs of its components, recording the supply chain relationships between them

Validate SBOM

Open Source tooling to validate the declared integrity of a Software Bill of Materials and trace it across the supply chain tree

Contact

Fundación para la Transparencia del Software
Calle Prim 15, 4 derecha
28004 Madrid

Find Software Transparency Foundation on LinkedIn

© Copyright 2018-2024 / Software Transparency Foundation / All Rights Reserved