SBOM Play

BlackHat EU 2025 Arsenal Peerlist Launchpad GitHub Sponsors Buy Me A Coffee

About SBOM Play

Learn more about this client-side SBOM analysis tool

Project Overview

SBOM Play is a client-side web application for analyzing Software Bill of Materials (SBOM) data from GitHub repositories, organizations, and users. Built for security professionals to identify dependency vulnerabilities, assess license compliance, and understand software supply chain risks in real-time.

The tool features comprehensive SBOM analysis including dependency tracking, vulnerability detection via OSV.dev integration, license compliance checking, author analysis with funding detection, and SBOM quality assessment.

Key Principle: All analysis happens directly in your browser - no data ever leaves your machine.

Features
  • SBOM Analysis: Analyze SBOM data from GitHub organizations, users, and repositories
  • Dependency Tracking: Track dependency usage across multiple repositories
  • Vulnerability Detection: OSV.dev integration for vulnerability scanning
  • License Compliance: Comprehensive license categorization and risk assessment
  • Author Analysis: Author deduplication and funding opportunity detection
  • SBOM Quality Assessment: Quality scoring based on multiple categories
  • Multi-Organization Storage: Persistent storage using IndexedDB
  • Export/Import: Export and import analysis data with checksum validation
Privacy & Security
Privacy Assured: All analysis happens in your browser. No data is sent to any server.

SBOM Play is designed with privacy and security as top priorities:

  • Client-Side Processing: All SBOM analysis, dependency resolution, and vulnerability checking happens entirely in your browser
  • No Data Transmission: Your SBOM data never leaves your machine - it's processed locally
  • Local Storage: Analysis results are stored in your browser's IndexedDB, giving you full control
  • API Calls: Only public registry APIs are queried (npm, PyPI, crates.io, etc.) - no sensitive data is transmitted
  • GitHub Token: Optional GitHub Personal Access Token is used only for API rate limits and is never stored
Paranoid Self-Host / Airgapped Deployment

For security-conscious environments, airgapped networks, or self-hosted deployments, the following domains must be allowed through your firewall or proxy. Domains are grouped by functionality and criticality.

CDN / Static Assets (Required for UI)
DomainPurpose
cdn.jsdelivr.netBootstrap CSS/JS, marked.js, DOMPurify, js-yaml
cdnjs.cloudflare.comFont Awesome icons
unpkg.comLeaflet maps library
GitHub APIs (Core Functionality)
DomainPurpose
api.github.comREST API and GraphQL API for SBOM fetching
raw.githubusercontent.comRaw file access for FUNDING.yml info
github.comUser-facing links (non-essential for analysis)
Vulnerability Database
DomainPurpose
api.osv.devOSV vulnerability lookups
Package Registries (Dependency Resolution)
DomainPurpose
registry.npmjs.orgnpm package metadata
pypi.orgPyPI package metadata
crates.ioCargo/Rust package metadata
rubygems.orgRubyGems package metadata
search.maven.orgMaven package metadata
api.nuget.orgNuGet package metadata
proxy.golang.orgGo module metadata
api.deps.devGoogle deps.dev API (license/version info)
Map Services (Optional - Authors Page)
DomainPurpose
tile.openstreetmap.orgMap tiles for author locations
nominatim.openstreetmap.orgGeocoding service
Analytics (Optional - Can Be Blocked)
DomainPurpose
plausible.ioPrivacy-focused analytics (optional)
Fully Airgapped Environments: For complete network isolation, you can self-host the CDN assets (Bootstrap, Font Awesome, Leaflet) and modify the HTML files to reference your local copies. The tool will function with reduced features if package registries are unavailable.
How It Works
  1. Input: Enter a GitHub organization name, username, repository, or GitHub URL
  2. SBOM Fetching: The tool queries GitHub's Dependency Graph API to retrieve SBOM data for public repositories
  3. Dependency Resolution: Full dependency trees are resolved by querying package registries (npm, PyPI, crates.io, etc.)
  4. Analysis: Dependencies are analyzed for vulnerabilities (OSV.dev), licenses, authors, and quality metrics
  5. Storage: Results are stored locally in your browser's IndexedDB for future reference
  6. Visualization: View results across multiple pages: Overview, Licenses, Vulnerabilities, Quality, Dependencies, and Authors
End-of-Life (EOX) Detection Methodology

SBOM Play uses multiple data sources and heuristics to identify end-of-life (EOL) and end-of-support (EOS) dependencies. Understanding which software components are no longer maintained is critical for supply chain security.

1. Confirmed EOL/EOS (Primary Source)

We query the endoflife.date API for official end-of-life information. This database tracks EOL dates for major software products including:

  • Programming languages: Python, Node.js, Ruby, PHP, Go, Java, .NET, Rust
  • Frameworks: Django, Rails, Laravel, Angular, React, Vue, Spring
  • Databases: PostgreSQL, MySQL, MongoDB, Redis, Elasticsearch
  • Infrastructure: Kubernetes, Docker, Terraform, Nginx, Apache
Definitions:
EOL End-of-Life: No updates of any kind (features, bug fixes, or security patches)
EOS End-of-Support: No security updates, but may still receive critical bug fixes
2. Probable EOL (Staleness Heuristic)

When official EOL data is unavailable, we use staleness analysis to infer probable abandonment. Research shows that packages without updates for extended periods are likely unmaintained.

ThresholdClassificationRationale
24+ months (2 years) Probable EOL Most active packages release at least once per year. 2 years of inactivity suggests abandonment.
36+ months (3 years) Highly Likely EOL Very high confidence of abandonment. Security vulnerabilities likely unpatched.

Note: This heuristic has limitations. Some stable packages (e.g., small utilities) may be "complete" and not require updates. We recommend manual review for probable EOL findings.

3. Archived Repositories

When a GitHub repository is archived, it's a clear signal from the maintainer that the project is no longer active. We detect dependencies whose source repositories have been archived and flag them accordingly.

Archived = Definitive Signal: Unlike staleness (which is probabilistic), an archived repository is an explicit declaration by the maintainer that development has ceased.
References
Dependency Confusion Detection Methodology

Dependency confusion (also known as "namespace confusion" or "substitution attacks") is a supply chain attack where an attacker publishes a malicious package to a public registry with the same name as an internal/private package. When developers or CI/CD systems resolve dependencies, they may inadvertently download the malicious public package instead of the intended private one.

Real-World Impact: This attack vector has been used successfully against major organizations including Apple, Microsoft, PayPal, Shopify, Netflix, and many others, as disclosed by security researcher Alex Birsan in 2021.
How SBOM Play Detects Dependency Confusion

SBOM Play uses a multi-layered approach to detect potential dependency confusion vulnerabilities in your SBOMs:

Detection TypeSeverityDescription
Namespace Not Found HIGH The namespace/organization (e.g., @mycompany/ in npm or com.mycompany in Maven) doesn't exist in the public registry. An attacker could register the entire namespace and publish malicious packages. This is the highest-confidence indicator.
Package Not Found MEDIUM The specific package doesn't exist in the public registry. Could be a private/internal package that an attacker could claim by publishing a package with that name.
GitHub Action Missing HIGH For GitHub Actions, the owner/organization doesn't exist on GitHub. An attacker could create the organization and publish a malicious action.
Supported Registries (36+)

SBOM Play checks packages against 36+ public registries via the ecosyste.ms API, plus GitHub for Actions:

  • npm - JavaScript/Node.js
  • PyPI - Python
  • Crates.io - Rust
  • RubyGems - Ruby
  • Maven Central - Java
  • NuGet - .NET
  • Go Proxy - Go modules
  • Packagist - PHP/Composer
  • CocoaPods - iOS/macOS
  • Swift Package Index - Swift
  • Hex.pm - Elixir/Erlang
  • Pub.dev - Dart/Flutter
  • CPAN - Perl
  • CRAN - R
  • Hackage - Haskell
  • Clojars - Clojure
  • Julia Registry - Julia
  • Elm Packages - Elm
  • Deno - Deno/TypeScript
  • Racket - Racket
  • Bower - Frontend JS
  • Homebrew - macOS packages
  • Conda - Python/R/C
  • vcpkg - C/C++
  • Bioconductor - R Bioinformatics
  • Puppet Forge - Puppet modules
  • Terraform Registry - Terraform
  • Ansible Galaxy - Ansible
  • Chef Supermarket - Chef
  • WordPress Plugins - WordPress
  • Drupal - Drupal modules
  • Alpine APK - Alpine Linux
  • GitHub Actions - CI/CD workflows
  • ...and more
Detection Process
  1. PURL Parsing: Extract ecosystem and package name from Package URLs (PURLs) in the SBOM
  2. Namespace Extraction: Parse scoped packages (e.g., @scope/package) to identify namespaces
  3. Registry Query: Check if namespace/package exists via ecosyste.ms or direct registry APIs
  4. GitHub Verification: For GitHub Actions, verify organization and repository exist via GitHub API
  5. Evidence Collection: Store API response URLs as proof for findings
Limitations:
  • Detection is based on public registry lookups - private registries are not checked
  • Some packages may be intentionally unpublished (deprecated) rather than private
  • Rate limits on registry APIs may affect detection completeness
  • False positives may occur for system packages (e.g., Python built-ins)
Mitigation Strategies
  • Namespace Squatting: Register your organization's namespace on public registries (even if unused)
  • Scoped Packages: Use organization scopes (e.g., @mycompany/) for all internal packages
  • Private Registry Priority: Configure package managers to check private registries first
  • Package Lock Files: Use lock files with integrity hashes to prevent substitution
  • Registry Allowlisting: Configure CI/CD to only allow packages from approved registries
References
SBOM Compliance Standards

SBOM Play assesses SBOMs against multiple international compliance standards. Understanding these standards helps organizations ensure their SBOMs meet regulatory requirements.

CISA 2025 Minimum Elements (US Federal)

The Cybersecurity and Infrastructure Security Agency (CISA) updated SBOM requirements in August 2025, building upon the 2021 NTIA guidelines. Key additions marked with NEW.

ElementDescriptionStatus
Software ProducerEntity that creates components (was "Supplier Name")Renamed
Component NameName of each software componentRequired
Component VersionVersion identifierRequired
Software IdentifierPURL, CPE, OmniBOR, or SWHIDRequired
Component HashCryptographic fingerprint (SHA-256+)NEW
License InformationLegal terms for each componentNEW
Dependency RelationshipUpstream component relationshipsRequired
SBOM AuthorEntity that created the SBOM (was "Author of SBOM Data")Renamed
TimestampDate and time SBOM was assembledRequired
Tool NameTool used to generate SBOMNEW
Generation ContextPre-build, build, or post-build stageNEW
BSI TR-03183-2 v2.0 (German/EU)

The German Federal Office for Information Security (BSI) Technical Guideline provides requirements for SBOMs in the European context, with stricter requirements around cryptographic hashes.

RequirementDescription
SBOM SpecificationMust use CycloneDX 1.5+ or SPDX 2.2.1+
Creator ContactEmail or URL required for SBOM creator
Component HashSHA-256 minimum (stricter than CISA)
License ExpressionValid SPDX license expression required
SBOM URIUnique namespace or serial number
Source Code URILink to component source (where available)
References
SBOM Quality Assessment Methodology

Our quality scoring is aligned with sbomqs v2.0, an industry-leading SBOM quality assessment tool. The overall score is calculated from 7 weighted categories:

CategoryWeightWhat It Measures
Identification12%Component names, versions, unique identifiers (PURLs, CPEs)
Provenance15%SBOM author, timestamp, tool info, supplier data
Integrity18%Cryptographic hashes (SHA-256+), digital signatures
Completeness15%Dependencies, source URIs, component purpose
Licensing18%Valid SPDX expressions, concluded/declared licenses
Vulnerability12%Security references, vulnerability tracking readiness
Structural10%Spec version, format validity, schema compliance
Grading Scale:
A 90-100% | B 80-89% | C 70-79% | D 60-69% | F Below 60%
Showcased

SBOM Play has been featured and presented at:

Black Hat Europe 2025 Arsenal

December 2025, London, UK

Arsenal Page
Peerlist Launchpad

Product Launch

Peerlist Project
Presentation Slides

Black Hat EU 2025

View Slides
Version Information

Current Version: 0.0.6

View Changelog

Credits & Technologies
Technologies Used
  • Bootstrap 5: UI framework
  • Font Awesome: Icons
  • IndexedDB: Local storage
  • GitHub API: SBOM data source
  • OSV.dev API: Vulnerability data
  • Package Registries: npm, PyPI, crates.io, RubyGems, Maven, etc.
Inspirations

The following open-source projects provided insights and inspiration for key features:

  • sbomqs - Quality scoring logic and SBOM assessment methodology
  • DepConfuse - Dependency confusion detection logic
Acknowledgments

This project was developed with the assistance of AI tools, most notably Cursor IDE and Claude Code. These tools helped accelerate development and improve velocity. All AI-generated code has been carefully reviewed and validated through human inspection to ensure it aligns with the project's intended functionality and quality standards.

Links & Resources
GitHub Repository Cyfinoid Research README Changelog