- Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
- Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the GitBOM identifier, into the artifact at build time.
GitBOM is designed to:
- Consistently construct verifiable Artifact Dependency Graph (ADG)s across languages, environments, and packaging formats, with zero developer effort, involvement, or awareness
- Enable automatic, verifiable artifact resolution across today’s diverse software supply chains
- Complement SBOMs, such as SPDX, CycloneDX, or SWID
- Co-exist with, but not require, version control systems
- Run-time detection of potential vulnerabilities, regardless of the depth in the ADG for every software artifact from which that vulnerability originated
- Post-exploit forensics
- enables any metadata (SBOM, license, support info, security advisories, etc.) to be linked to a specific set of corresponding software artifacts
- provides a precise artifact identifier which can be used in SBOMs in situations where naming schemes may be ambiguous
In short, it would let anyone easily answer the question, “Does this product contain log4j?”
How does GitBOM improve software identification and vulnerability management?
GitBOM proposes a solution to the completeness and the efficiency challenges facing other supply chain tools.
- By correlating every piece of software with a verifiable and complete Artifact Dependency Graph (ADG) of all the “ingredients” that went into it (source files, dependencies, object files, etc.), GitBOM enables the identification of software derived from sources known to contain vulnerabilities.
- GitBOM only includes the minimum information – a “fingerprint” – of the dependency graph to enable efficient run-time scanning for a known-vulnerable artifact
- A GitBOM Artifact Dependency Graph (ADG) can be cross-referenced against known vulnerabilities, regardless of the dependency depth or language.
How does GitBOM work?
- Every artifact is a blob
- Every blob can be referenced by its gitoid
- The gitoid may be used as an artifact ID for leaf artifacts (In fact, today most source code artifacts are already stored with their git commit as their ID)
- Artifact IDs can be extended to derived artifacts by producing GitBOM Documents
- Build tools can embed GitBOM Document Identifiers into the derived artifacts they produce
We believe this approach can work across all packaging formats, language ecosystems, and operating systems.
And we’d like your help to build it.