Carnegie Mellon University | Software Engineering Institute

SBOM Harmonization Plugfest 2024

November 19, 2024 | Online

Investigate and understand how various tools may generate different SBOMs for the same software

Carnegie Mellon University's Software Engineering Institute (SEI) will conduct the Plugfest in support of the Cybersecurity and Infrastructure Security Agency (CISA). As the timeline below indicates, we will conduct an initial virtual meeting to review directions and expectations for the Plugfest on November 19, 2024. Participants will have until December 10, 2024, to submit SBOMs for the target software. We will meet a second time in early January 2025 to review results with participants.

Monitor this page for project updates.

SBOM Plugfest Timeline

November 19, 2024
Meeting held to set rules and expectations

Analyzing a piece of software at the same point in its lifecycle should produce similar dependency graphs. Divergent, tool-dependent results can undermine confidence in SBOMs. The Plugfest is not a “bake-off” to determine the relative value of different tools, but an effort to understand differences in implementation and track down the root causes, including imprecise definitions or standards, how uncertainty is addressed, or other implementation decisions. The goal of this effort is to support SBOM implementation harmonization. We hope that feedback and lessons learned from the Plugfest will be useful for SBOM vendors, standards producers, and the SBOM community.

Our team selected eight potential software targets, covering a range of software languages, for SBOM generation. We will ask participants to generate Build and/or Source SBOMs in standard data formats (SPDX or CycloneDX). Participation is open to anyone who invests the “sweat equity” to generate and submit at least two SBOMs for any of the eight software targets. Participants’ contributions will help the SBOM community make progress on this common challenge by increasing confidence in SBOMs and enabling software transparency.

Questions? Contact info@sei.cmu.edu