Research

Software Bill of Materials


A joint research effort between Andreas Göransson (QCM) and Lars Bendix (sneSCM.org / Lund University).

When the hype and buzz about Software Bill of Materials (SBoM) started around 2020, we were very excited as SBoM is an important part of Software Configuration Management. When we looked further into the "hype" we became very disappointed. It seemed to have been "invented" in the 2020s, to be a simple "list of ingredients" and with the only purpose to "scan for vulnerabilities".

The problem was that we knew that there was much more to the story.

So we launched into an effort to document that the concept of an SBoM is more than 40 years old and can be used for a whole lot more than just vulnerability scan. We reviewed all the relevant literature we could get hold of and interviewed 16 practitioners of SBoM - ranging from programmers to managers (with a certain bias of SCM people).

We wanted to:

Resources:

Present activities:

Past activities:

If you are interested in being a part of the project, send an email to bendix@cs.lth.se

Criticism may not be agreeable, but it is necessary. It fulfils the same function as pain in the human body. It calls attention to an unhealthy state of things.
Winston Churchill


Maintained by bendix@cs.lth.se