Skip to main content

Tree shaking for the minimal viable SBOM.

Project description


Tree shaking for the minimal viable software bill of materials (SBOM).

License: MIT

Third party dependencies are documented in the folder third-party.

version downloads wheel supported-versions supported-implementations maintenance-status


User and developer documentation of sbom.

Bug Tracker

Any feature requests or bug reports shall go to the todos of sbom.

Primary Source repository

The main source of sbom is on a mountain in central Switzerland. We use distributed version control (git). There is no central hub. Every clone can become a new source for the benefit of all. The preferred public clones of sbom are:

  • on codeberg - a democratic community-driven, non-profit software development platform operated by Codeberg e.V.
  • at sourcehut - a collection of tools useful for software development.


Please do not submit "pull requests" (I found no way to disable that "feature" on GitHub). If you like to share small changes under the repositories license please kindly do so by sending a patchset. You can either send such a patchset per email using git send-email or if you are a sourcehut user by selecting "Prepare a patchset" on the summary page of your fork at sourcehut.




  • baseline - mandatory elements
  • consume - an SBOM
  • crypto - hashing, signing, and signature validation
  • extension - sets of elements mandatory in addition to baseline
  • fuzz - generate surrogate and poisoned SBOMs
  • merge - an SBOM with other SBOMs or additional information
  • mock - provide optimal testability
  • policy - to apply
  • produce - an SBOM
  • report - anything from produce, transform, and consume
  • rule - executing policies
  • transform - one SBOM into another SBOM

Safety, Security, and Data Protection Considerations

The current implementation SHALL only digest trustworthy data.

Schema validation of JSON and XML formats requires specific measures to
minimize vulnerabilities.

For example: The python xml parser implementation (etree) in
use is presumably vulnerable against some attacks like billion laughs and quadratic blowup.

Plans are to move towards a safer implementation like defusedxml or any other hardened implementation.

The situation is similar for the JSON formats.

In summary and repeating the obvious:

The current implementation SHALL only digest trustworthy data.

Note: The default branch is default.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sbom-2023.10.7.tar.gz (9.4 kB view hashes)

Uploaded Source

Built Distribution

sbom-2023.10.7-py3-none-any.whl (6.8 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page