About SBOM Play

Learn more about this client-side SBOM analysis tool

Project Overview

SBOM Play is a client-side web application for analyzing Software Bill of Materials (SBOM) data from GitHub repositories, organizations, and users. It is built for security professionals who need to identify dependency vulnerabilities, assess license compliance, and understand software supply chain risks in real time.

The tool features comprehensive SBOM analysis including dependency tracking, vulnerability detection via OSV.dev integration, license compliance checking, author analysis with funding detection, and SBOM quality assessment.

Key Principle: All analysis happens directly in your browser - no data ever leaves your machine.

Features
  • SBOM Analysis: Analyze SBOM data from GitHub organizations, users, and repositories
  • Dependency Tracking: Track dependency usage across multiple repositories
  • Vulnerability Detection: OSV.dev integration for vulnerability scanning
  • License Compliance: Comprehensive license categorization and risk assessment
  • Author Analysis: Author deduplication and funding opportunity detection
  • SBOM Quality Assessment: Quality scoring based on multiple categories
  • Multi-Organization Storage: Persistent storage using IndexedDB
  • Export/Import: Export and import analysis data with checksum validation
Privacy & Security
Privacy Assured: All analysis happens in your browser. No data is sent to any server.

SBOM Play is designed with privacy and security as top priorities:

  • Client-Side Processing: All SBOM analysis, dependency resolution, and vulnerability checking happens entirely in your browser
  • No Data Transmission: Your SBOM data never leaves your machine - it's processed locally
  • Local Storage: Analysis results are stored in your browser's IndexedDB, giving you full control
  • API Calls: Only public APIs are queried (package registries such as npm, PyPI, and crates.io, GitHub's Dependency Graph API, and OSV.dev) - no sensitive data is transmitted
  • GitHub Token: An optional GitHub Personal Access Token is used only to raise GitHub API rate limits and is never stored
How It Works
  1. Input: Enter a GitHub organization name, username, repository, or GitHub URL
  2. SBOM Fetching: The tool queries GitHub's Dependency Graph API to retrieve SBOM data for public repositories
  3. Dependency Resolution: Full dependency trees are resolved by querying package registries (npm, PyPI, crates.io, etc.)
  4. Analysis: Dependencies are analyzed for vulnerabilities (OSV.dev), licenses, authors, and quality metrics
  5. Storage: Results are stored locally in your browser's IndexedDB for future reference
  6. Visualization: View results across multiple pages: Overview, Licenses, Vulnerabilities, Quality, Dependencies, and Authors
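As an added example of steps 2 and 4 above (not SBOM Play's own code), the following JavaScript takes a GitHub Dependency Graph SBOM response (SPDX JSON; the document below is a constructed sample) and turns its package URLs into the request body for OSV.dev's batch vulnerability query. Field names follow GitHub's SBOM export format and OSV's /v1/querybatch API; the duplicate and unversioned entries are deliberate to show how they are handled.

```javascript
// Constructed sample shaped like GitHub's GET /repos/{owner}/{repo}/dependency-graph/sbom
// response: { sbom: { packages: [ { name, versionInfo, externalRefs: [{ referenceType: "purl", ... }] } ] } }
const sampleSbom = {
  sbom: {
    spdxVersion: "SPDX-2.3",
    name: "com.github.example/repo",
    packages: [
      { SPDXID: "SPDXRef-DOCUMENT-main", name: "com.github.example/repo" }, // the repo itself, no purl
      { name: "npm:lodash", versionInfo: "4.17.20",
        externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
                         referenceLocator: "pkg:npm/lodash@4.17.20" }] },
      { name: "pip:requests", versionInfo: "2.25.1",
        externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
                         referenceLocator: "pkg:pypi/requests@2.25.1" }] },
      { name: "npm:lodash", versionInfo: "4.17.20",                        // duplicate: collapsed below
        externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
                         referenceLocator: "pkg:npm/lodash@4.17.20" }] },
      { name: "npm:unpinned",                                                // no version: skipped
        externalRefs: [{ referenceType: "purl", referenceLocator: "pkg:npm/unpinned" }] }
    ]
  }
};

// Collect unique purls that carry a version. Packages without a purl (e.g. the root
// document) or without a version cannot be matched against OSV's affected ranges.
function extractPurls(doc) {
  const purls = new Set();
  for (const pkg of doc.sbom.packages || []) {
    const ref = (pkg.externalRefs || []).find(r => r.referenceType === "purl");
    if (!ref || !ref.referenceLocator.includes("@")) continue;
    purls.add(ref.referenceLocator);
  }
  return [...purls];
}

// Build the OSV.dev batch body: { queries: [ { package: { purl } }, ... ] }.
// OSV accepts the version embedded in the purl, so no separate "version" field is needed.
function buildOsvBatch(purls) {
  return { queries: purls.map(purl => ({ package: { purl } })) };
}

// Usage: POST this body to https://api.osv.dev/v1/querybatch; the "results" array in the
// response is aligned by index with "queries", so results[i] belongs to purls[i].
const body = buildOsvBatch(extractPurls(sampleSbom));
console.log(JSON.stringify(body, null, 2));
```

Note that the batch query does disclose the package names and versions being checked to OSV.dev, which is the trade-off behind the "only public APIs" statement above.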
Version Information

Current Version: 0.0.3

View Changelog

Credits & Technologies
Technologies Used
  • Bootstrap 5: UI framework
  • Font Awesome: Icons
  • IndexedDB: Local storage
  • GitHub API: SBOM data source
  • OSV.dev API: Vulnerability data
  • Package Registries: npm, PyPI, crates.io, RubyGems, Maven, etc.
Acknowledgments

This project was developed with the assistance of AI tools, most notably Cursor IDE and Claude Code. These tools helped accelerate development and improve velocity. All AI-generated code has been carefully reviewed and validated through human inspection to ensure it aligns with the project's intended functionality and quality standards.

Links & Resources