-
Notifications
You must be signed in to change notification settings - Fork 82
Add BOMHort sandbox submission #627
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
mfahlandt
wants to merge
1
commit into
ossf:main
Choose a base branch
from
mfahlandt:main
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+91
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
90 changes: 90 additions & 0 deletions
90
process/project-lifecycle-documents/BOMHort_sandbox_stage.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| # Application for BOMHort at Sandbox Stage | ||
|
|
||
| > **Note:** This project was formerly known as SeeBOM. It has been renamed to BOMHort to avoid confusion with BOM-type naming conventions (CBOM, XBOM, etc.) in the supply chain security ecosystem. The project mission, codebase, and team remain unchanged. | ||
|
|
||
| ## Application for creating a new project at Sandbox stage | ||
|
|
||
| ### List of project maintainers | ||
| The project has 2 maintainers across 1 organizations: | ||
|
|
||
| * Mario Fahlandt, Kubermatic, @mfahlandt | ||
| * Koray Oksay, Kubermatic, @koksay | ||
|
|
||
|
|
||
| ### Sponsor | ||
|
|
||
| Supply Chain Integrity Working Group — BOMHort (formerly known as SeeBOM) was presented to the WG on June 3, 2026 and received their endorsement as a sandbox project sponsor. The project commits to providing quarterly updates on progress to the Supply Chain Integrity WG. | ||
|
|
||
| * [Supply Chain Integrity WG](https://github.com/ossf/wg-supply-chain-integrity) | ||
|
|
||
| ### Mission of the project | ||
|
|
||
| BOMHort is a standalone, Kubernetes-native SBOM visualization and governance platform. It ingests SPDX and CycloneDX SBOMs from S3-compatible storage, detects vulnerabilities via the OSV API, enforces license compliance policies, and applies VEX statements — all presented through an interactive dashboard with analytics. | ||
|
|
||
| BOMHort addresses an unfulfilled need in the supply chain security ecosystem: the ability to **consume, visualize, and govern** large volumes of SBOMs at scale. While tools exist to generate SBOMs (Syft, Trivy) and to verify their integrity (SBOMit), there is no open source platform focused on operationalizing SBOM consumption — making thousands of SBOMs searchable, surfacing actionable vulnerability and license compliance insights, and enabling VEX-driven suppression of false positives at enterprise scale. | ||
|
|
||
| Specific goals include: | ||
|
|
||
| * Ingest and normalize SBOMs in both SPDX and CycloneDX formats from S3-compatible storage | ||
| * Provide interactive visualization and search across large SBOM inventories | ||
| * Detect known vulnerabilities by querying the OSV API against SBOM components | ||
| * Enforce configurable license compliance policies with pass/fail governance decisions | ||
| * Apply OpenVEX statements for vulnerability suppression and false positive management | ||
| * Deliver ClickHouse-powered analytics for trends, dependency graphs, and compliance reporting | ||
| * Deploy natively on Kubernetes via Helm charts with production-grade observability | ||
|
|
||
| BOMHort complements existing OpenSSF projects: | ||
|
|
||
| * Integrates [protobom](https://github.com/protobom/protobom) as an optional backend for extended SBOM format coverage, avoiding duplication of format parsing | ||
| * Enriches and creates a Single Plane of Glass for SPDX SBOMs for all CNCF projects (the [cncf/sbom](https://github.com/cncf/sbom) project, is the origin use case that motivated BOMHort) | ||
| * Consumes OSV vulnerability data and supports OpenVEX statements for vulnerability suppression | ||
|
|
||
| Differentiation from existing projects: | ||
|
|
||
| * **SBOMit** (OpenSSF Sandbox): Focuses on verifiable SBOMs using in-toto attestation. BOMHort focuses on consumption and governance. Complementary, not competing. | ||
| * **protobom** (OpenSSF Sandbox): Format translation layer. BOMHort uses protobom as an optional backend for format coverage. Complementary. | ||
| * **GUAC** (OpenSSF Incubating): Graph-based supply chain aggregation. BOMHort focuses on Kubernetes-native deployment, ClickHouse analytics, and license governance with policy enforcement — different architecture and primary use case. | ||
| * **Dependency-Track** (OWASP): Similar governance focus but Java-based, not Kubernetes-native, and lacks ClickHouse-scale analytics or native license policy enforcement. | ||
|
|
||
| Non-Goals: | ||
|
|
||
| * BOMHort does NOT generate SBOMs — that is the job of tools like Syft, Trivy, and mikebom | ||
| * BOMHort does NOT pick a winning SBOM format — it supports both SPDX and CycloneDX natively | ||
| * BOMHort does NOT replace vulnerability scanners — it consumes and visualizes vulnerability data from OSV | ||
|
|
||
|
|
||
| ### Alignment with the OpenSSF MVVSR | ||
|
|
||
| The mission of BOMHort is aligned with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/) of the OpenSSF. | ||
|
|
||
| **Strategies:** | ||
|
|
||
| * **i) Catalyst for Change**: BOMHort provides open source tooling that enables organizations to operationalize SBOM consumption and governance at scale, driving practical adoption of supply chain transparency beyond SBOM generation. | ||
| * **ii) Educate and Empower the Modern Developer**: BOMHort offers a user-friendly platform that helps developers and security teams understand and manage their software supply chain risks through SBOM visualization, license compliance, and VEX-driven vulnerability management. | ||
| * **iii) Ecosystem Leader**: BOMHort is a Kubernetes-native, cloud-native platform that integrates with existing supply chain security standards (SPDX, CycloneDX, VEX, OSV) and OpenSSF projects (protobom), promoting interoperability and adoption. | ||
|
|
||
| **Pillars:** | ||
|
|
||
| * **i) Programs & Projects**: BOMHort is a technical tool that directly advances the operational use of SBOMs and vulnerability intelligence within the software supply chain. | ||
| * **ii) Education**: Through intuitive visualization, BOMHort makes SBOM data accessible to developers, security analysts, and compliance teams — not just SBOM experts. | ||
|
|
||
| ### IP policy and licensing due diligence | ||
|
|
||
| When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). | ||
|
|
||
| * Yes — the project is licensed under Apache-2.0 | ||
| * LF IP review to be initiated upon TAC approval | ||
|
|
||
| ### Project References | ||
|
|
||
| | Reference | URL | | ||
| |------------------------|------------------------------------------------------------------| | ||
| | Repo | https://github.com/seebom-labs/BOMHort | | ||
| | Documentation | https://docs.bomhort.dev | | ||
| | Architecture | https://docs.bomhort.dev/docs/architecture/ | | ||
| | Roadmap | https://docs.bomhort.dev/docs/roadmap/ | | ||
| | Contributing guide | https://github.com/seebom-labs/BOMHort/blob/main/CONTRIBUTING.md | | ||
| | Security policy | https://github.com/seebom-labs/BOMHort/blob/main/SECURITY.md | | ||
| | OpenSSF Best Practices | https://www.bestpractices.dev/projects/12903 | | ||
| | OpenSSF Scorecard | https://scorecard.dev/viewer/?uri=github.com/seebom-labs/BOMHort | | ||
| | License | Apache-2.0 | | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I very much appreciate this section which describes how BOMHort differs from existing OpenSSF projects.
In this context, however, I'd prefer more details regarding how GUAC and BOMHort differ and/or complement each other. On a high-level, both ingest and aggregate SBOMs (and other data sources/documents).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gkunz thank you for the question! Both ingest/aggregate SBOMs but with different approaches:
So this is our view for GUAC and BOMHort:
GUAC: graph-based, strong at relationship queries (dependency trees, blast radius). Research-oriented, single-project depth
BOMHort: tabular analytics, focused on fleet-scale compliance: license policy enforcement, VEX management, operational dashboards for compliance/legal teams.
BOMHort has a dedicated license governance implementation with configurable policies and active VEX management. GUAC has deeper graph traversal that BOMHort doesn't aim to replicate. Different strengths, different primary users.
This came up in the June 3 SCI WG meeting, including GUAC maintainer @mlieberman85 noting GUAC's complexity for operational use cases.
We see them as complementary, potential integration where BOMHort feeds data to GUAC's graph, and GUAC feeds certifier results back to BOMHort for governance dashboarding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the detailed explanation, @mfahlandt.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I highly encourage both projects to make clear in their description who their primary users are expected to be and for what.
While it is great to see more projects coming to OpenSSF we need to make sure that people can quickly understand what is relevant to them. Otherwise, the diversity of OpenSSF tools becomes detrimental by leaving potential users confused and unsure what to use and for what purpose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Totally agree; we will add it to our description and documentation to really give end users a good understanding of where to use what! Thank you!