This post is mostly for myself, just so I don’t have to keep a lot of browser tabs open. There are many projects aimed at developing the SBOM ecosystem, but no aggregation of them, as the field is being actively developed.
So here is a list of active links in the field:
- SBOM flow and field mapping by Salve Nielsen – https://github.com/CPAN-Security/security.metacpan.org/blob/main/docs/supplychain-sbom.md
- Presentation on Attestations, mentioning VSAs – https://docs.google.com/presentation/d/1feaRK72-_uE8EUNJ6GGIM0iUuvMsJqY69rj3Uhbb4-M or ssci.io/attestations-deck
- VEX practices Review – https://github.com/SBOM-Community/documents/blob/main/CISA/Reviewing_VEX_Practices/Reviewing_VEX_Practices.pdf
- BOMOps Whitepaper Draft – https://docs.google.com/document/d/1vFVbWEJmNsAbNPRAtHclC89YQlLUt6xYIvKmFGRkcQA/edit?tab=t.0
- BSI and ACN draft on G7 vision for AI SBOMs – https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_Food-for-thoughts.pdf
- SBOM for AI Use Cases document draft – https://docs.google.com/document/d/1tQlPxKo9WVyu5XdF-GgxIw9p0iwgdyYD
- Whitepaper on SBOM Generation – https://github.com/SBOM-Community/SBOM-Generation/blob/main/whitepaper/Draft-SBOM-Generation-White-Paper-Feb-25-2025.pdf
- Draft CLE specification – https://github.com/Ecma-TC54/tg3/pull/3