icon-carat-right menu search cmu-wordmark

SBOM Harmonization Plugfest Opens Call for Participants

SBOM Harmonization Plugfest Opens Call for Participants
Article

Update: SBOM submission guidelines have been expanded to include new software targets, and the deadline for submissions has been extended. Anyone can submit SBOMs until December 15, regardless of attendance at the November 19 launch meeting.

November 8, 2024­—The Software Engineering Institute (SEI) is seeking participants for a project to investigate how various tools generate different software bills of materials (SBOMs) for the same software. Tool vendors and others who generate SBOMs are invited to participate in the SBOM Harmonization Plugfest. The initial project meeting will take place virtually November 19. Register by November 18 to participate.

An SBOM records the details and supply chain relationships of a software product’s components. Different SBOM tools should produce similar records for a piece of software at a given point in its lifecycle, but this is not always the case. The divergence of SBOMs for individual pieces of software undermines confidence in these important documents for software quality and security.

The SEI is conducting a project to uncover the root causes of SBOM divergence, such as imprecise definitions or standards, how uncertainty is addressed, or other implementation decisions. The goal is to support SBOM implementation harmonization, not to evaluate different tools. The SBOM Harmonization Plugfest, named after electronics and software interoperability testing events, is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA).

The project will begin on November 19 with virtual meetings to review directions and expectations for Plugfest participants. Participants may register for either the 9 a.m. or 3 p.m. meeting, all times EST. Participation is open to anyone who can generate and submit at least two SBOMs for any of the eight software targets by December 10. The SEI will hold a results briefing for participants in January 2025, and the complete analysis is expected to follow in February.

Contributions to this project will help the SBOM community make progress on the common challenge of SBOM divergence by increasing confidence in SBOMs and enabling software transparency.

Register to participate in the SBOM Harmonization Plugfest by November 18. For more information, visit the event’s web page or contact info@sei.cmu.edu.