SBOM Play

🚧 Work in Progress
This page is currently being updated as and when Anant gets time. Once it is fully updated, this message will be removed.

TL;DR

🚀 What it does: Browser-based SBOM analysis tool for GitHub repositories

💡 Best for: Developers and security teams analyzing software supply chains

🔍 Key features: Dependency tracking, supply chain analysis, privacy-aware processing

🌐 Website 📁 GitHub

SBOM Play is a browser-based, privacy-aware tool for analyzing Software Bill of Materials (SBOM) data from GitHub repositories, organizations, and users. This innovative web application provides comprehensive dependency analysis and supply chain security insights without requiring server-side processing.

Project Overview

SBOM Play addresses the critical need for software supply chain security analysis by providing a client-side tool that can analyze dependency data from GitHub repositories. The tool helps organizations understand their software dependencies, track usage patterns, and identify potential security risks in their supply chain.

Key Features

🔍 Comprehensive SBOM Analysis

GitHub Integration: Analyze SBOM data from GitHub organizations and users
Dependency Tracking: Track dependency usage across multiple repositories
Distribution Reports: Generate detailed dependency distribution reports
Multi-Format Support: Supports all GitHub-supported dependency file formats

🛡️ Privacy-Aware Design

Client-Side Processing: All analysis happens in the browser
No Server Dependencies: No data sent to external servers
Local Storage: Results stored locally in browser storage
Data Control: Users maintain complete control over their data

📊 Advanced Analytics

Dependency Statistics: Comprehensive statistics and metrics
Usage Patterns: Track how dependencies are used across repositories
Vulnerability Analysis: Identify potential security risks
License Compliance: Analyze license compliance across dependencies

🔧 Export and Management

JSON Export: Export analysis results in structured JSON format
Multi-Organization Storage: Keep data for multiple organizations
Bulk Operations: Export all analyses or clear data in bulk
Persistent Storage: Data persists between browser sessions

Technical Implementation

Technology Stack

Frontend: Pure HTML5, CSS3, Vanilla JavaScript
APIs: GitHub Dependency Graph API
Storage: Browser localStorage with compression
Architecture: Client-side only, no server dependencies

Core Components

GitHub Client: Handles API interactions and rate limiting
SBOM Processor: Processes and analyzes SBOM data
Storage Manager: Manages local data storage and compression
UI Components: Interactive web interface for analysis

Usage

Quick Start

Open https://cyfinoid.github.io/sbomplay/ in your browser
Optionally enter a GitHub Personal Access Token for better rate limits
Enter an organization name or username to analyze
Click “Analyze Organization or User” to start the analysis
View results and export data as needed

Supported Dependency Formats

Node.js: package.json
Python: requirements.txt
Ruby: Gemfile
Java: pom.xml, build.gradle
Rust: Cargo.toml
PHP: composer.json
And many more: All GitHub-supported formats

Advanced Features

Rate Limit Management

Unauthenticated: 60 requests/hour
Authenticated: 5,000 requests/hour
Automatic Retry: Handles rate limiting with automatic retry
Smart Queuing: Queues requests when limits are reached

Storage Management

Compression: Large data automatically compressed
Quota Monitoring: Real-time storage usage tracking
Smart Limits: Maximum 10 organizations and 20 history entries
Automatic Cleanup: Old data removed when quota exceeded

Multi-Organization Support

Persistent Storage: All analysis data saved between sessions
Organization Overview: View all stored analyses with statistics
Individual Management: Load, view, or remove specific organization data
Bulk Export: Export all data or clear all stored analyses

Use Cases

SBOM Play is valuable for:

Security Operations

Supply Chain Security: Identify vulnerabilities in software dependencies
Risk Assessment: Assess security risks across software supply chain
Compliance Auditing: Ensure compliance with security policies
Vulnerability Management: Track and manage dependency vulnerabilities

Development Teams

Dependency Analysis: Understand project dependencies and usage
License Compliance: Ensure proper license usage across projects
Update Planning: Plan dependency updates and migrations
Architecture Review: Analyze dependency architecture and relationships

DevOps and Operations

Infrastructure Planning: Plan infrastructure based on dependency requirements
Deployment Strategy: Understand deployment dependencies
Monitoring Setup: Set up monitoring for critical dependencies
Backup and Recovery: Plan backup strategies for dependency data

Project Impact

Community Adoption

15 Stars: Strong community interest in supply chain security tools
2 Forks: Active community contributions and modifications
3 Watchers: Regular users following project updates
MIT License: Open source availability for community use

Innovation Value

Privacy-First: Demonstrates privacy-aware security tooling
Client-Side Processing: Shows how to build powerful tools without servers
Supply Chain Security: Addresses critical software supply chain challenges
Open Source: Contributes to the supply chain security ecosystem

Technical Architecture

Client-Side Architecture

No Server Dependencies: Entire application runs in the browser
API Integration: Direct integration with GitHub APIs
Local Processing: All analysis performed locally
Data Persistence: Results stored in browser localStorage

Data Processing

SBOM Format Support: Correctly processes GitHub’s SBOM format
Version Handling: Properly handles versionInfo field from GitHub
Dependency Resolution: Resolves complex dependency relationships
Statistics Generation: Generates comprehensive analytics

Deployment and Development

GitHub Pages Deployment

Automatic Deployment: Uses GitHub Pages for hosting
Production Build: Automated deployment to /docs folder
Version Control: Git-based deployment with signed commits
Live Demo: Available at https://cyfinoid.github.io/sbomplay/

Development Workflow

Local Development: Edit files directly in main folder
Testing: Open index.html in browser for testing
Deployment: Use deploy.sh for automatic deployment
Version Management: Git-based version control with signed commits

Future Development

Planned Features

Enhanced Analytics: More detailed dependency analysis
Vulnerability Integration: Integration with vulnerability databases
Custom Reports: Customizable reporting and visualization
API Integration: Additional API integrations for enhanced analysis

Community Contributions

Open Source: Welcomes community contributions
Issue Tracking: Active issue tracking and resolution
Feature Requests: Community-driven feature development
Documentation: Comprehensive documentation and examples

A privacy-aware, browser-based tool for Software Bill of Materials analysis and supply chain security assessment

Part of Cyfinoid Research’s commitment to advancing software supply chain security