Software Bill of Materials
A joint research effort between Andreas Göransson (QCM) and Lars Bendix (sneSCM.org / Lund University).
When the hype and buzz about Software Bill of Materials (SBoM) started around 2020, we were very excited, as
SBoM is an important part of Software Configuration Management. When we looked further into the "hype" we
became very disappointed. The SBoM seemed to have been "invented" in the 2020s, to be a simple "list of ingredients",
and to have the sole purpose of "scanning for vulnerabilities".
The problem was that we knew there was much more to the story.
So we launched into an effort to document that the concept of an SBoM is more than 40 years old and can be
used for a whole lot more than just vulnerability scanning. We reviewed all the relevant literature we could get
hold of and interviewed 16 practitioners of SBoM - ranging from programmers to managers (with a certain bias
towards SCM people).
We wanted to:
- document the long story of the concept of an SBoM
- collect an inventory of the rich variety of use cases for SBoMs
- uncover what general considerations there are for how to work with SBoMs
Resources:
Present activities:
- A number of CMCMs on specific SBoM topics (mainly from chapter 4 of our white paper), in preparation.
Past activities:
- Presenting "Software Bill of Materials from a Software Configuration Management Perspective" at Config Management Camp, Ghent, Belgium, February 5-6, 2024 (slides).
- Presenting "Revisiting Software Bill of Materials (SBoM)" at DevOps Heroes, Parma, Italy, October 21, 2023 (slides).
- Release party for our white paper, June 1, 2023 (slides).
- Presenting "The full story of Software Bill of Materials" at Incontro DevOps Italia, March 10, 2023 (slides).
- Presenting "The full story of Software Bill of Materials" at Meetup DevOpsMalmö, March 7, 2023 (video).
- CMCM on "What is the use of a Software-Bill-of-Materials?", video conferencing, May 24, 2022.
- Open space on "What is the use of a Software Bill-of-Materials?" at the Italian SCM summit video conferencing, May 6, 2022.
- CMCM on "If Software BoM is the solution, what was then the problem?", video conferencing, March 30, 2022.
- Micro-tutorial at the Scandinavian SCM day, video conferencing, May 20, 2021.
- CMCM on "Bill of Materials in a Software Context", video conferencing, March 22, 2021.
- CMCM on "Bill of Materials in a Software Context", video conferencing, March 10, 2021.
If you are interested in being a part of the project, send an email to bendix@cs.lth.se
Criticism may not be agreeable, but it is necessary. It fulfils the same function as pain in the human body.
It calls attention to an unhealthy state of things.
Winston Churchill
Maintained by bendix@cs.lth.se