vivek kumar sahu
@viveksahu26
[Actionable SBOMs]
Submitted Apr 15, 2025
Topic of your submission:
Supply chain security
Type of submission:
30 mins talk
I am submitting for:
Rootconf Annual Conference 2025
Talk Description
In this talk, I will discuss the OSS tools designed for SBOM workflows, from post-generation processing through to SBOM platforms: SBOM tooling such as sbomqs, sbomasm, and sbommv, alongside SBOM platforms such as Dependency-Track.
Since SBOMs became a critical part of software supply chain security, the industry is no longer limited to merely generating SBOMs; it has moved one step further and now requires good, high-quality SBOMs.
We’ll look at how to score SBOMs for quality, perform compliance checks against frameworks like NTIA, CISA, and CRA, and enrich SBOMs to fill in the missing metadata that often causes friction in downstream workflows.
Finally, we’ll dive into how SBOMs are enriched in practice, and then into moving SBOMs seamlessly from a GitHub repository, a folder, or a build system to SBOM management platforms like Dependency-Track using automation tools such as sbommv, eliminating manual steps and aligning with modern DevSecOps pipelines.
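To make the scoring, compliance-check and enrichment steps above concrete, here is a small added example (written for this page, not code from the talk, from sbomqs, sbomasm, sbommv or any Interlynk project). It checks a CycloneDX JSON SBOM against the NTIA minimum elements (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), turns the result into a simple 0-10 score, and shows one enrichment step: filling missing supplier names from a lookup table. The SBOM document and the supplier lookup are constructed for the example, and the scoring formula is a deliberately simple mean of per-check pass ratios, not the algorithm any real tool uses.

```python
import json
from typing import Any

# NTIA minimum elements, split by what they apply to.
NTIA_COMPONENT_CHECKS = ("name", "version", "supplier", "unique_id", "dependency")
NTIA_DOCUMENT_CHECKS = ("sbom_author", "timestamp")

# Constructed CycloneDX 1.5 JSON SBOM for the example; not a real project's SBOM.
# "libbar" is intentionally incomplete: no version, supplier, purl, or dependency entry.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-04-15T10:00:00Z",
    "authors": [{"name": "example-ci-bot"}],
    "component": {"type": "application", "name": "example-app",
                  "version": "1.0.0", "bom-ref": "app"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1", "bom-ref": "libfoo",
     "supplier": {"name": "Foo Org"}, "purl": "pkg:generic/libfoo@2.3.1"},
    {"type": "library", "name": "libbar", "bom-ref": "libbar"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["libfoo", "libbar"]},
    {"ref": "libfoo", "dependsOn": []}
  ]
}
"""


def load_sbom(text: str) -> dict[str, Any]:
    """Parse a CycloneDX JSON document; other formats are out of scope here."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return sbom


def _component_passes(comp: dict[str, Any], check: str, declared_refs: set[str]) -> bool:
    """Evaluate one NTIA component-level element for one component."""
    if check == "name":
        return bool(comp.get("name"))
    if check == "version":
        return bool(comp.get("version"))
    if check == "supplier":
        return bool((comp.get("supplier") or {}).get("name"))
    if check == "unique_id":
        # Any machine-readable identifier counts; purl or CPE are the common ones.
        return bool(comp.get("purl") or comp.get("cpe"))
    if check == "dependency":
        # The component must declare its own dependencies (even an empty list).
        return comp.get("bom-ref") in declared_refs
    raise KeyError(check)


def compliance_report(sbom: dict[str, Any]) -> dict[str, list[str]]:
    """Map each NTIA check to the items failing it; an empty list means pass."""
    meta = sbom.get("metadata", {})
    declared_refs = {d.get("ref") for d in sbom.get("dependencies", [])}
    report: dict[str, list[str]] = {}
    # Author of SBOM data may be a person/org or the generating tool.
    report["sbom_author"] = [] if (meta.get("authors") or meta.get("tools")) else ["<document>"]
    report["timestamp"] = [] if meta.get("timestamp") else ["<document>"]
    for check in NTIA_COMPONENT_CHECKS:
        report[check] = [
            comp.get("bom-ref") or comp.get("name") or "<unnamed>"
            for comp in sbom.get("components", [])
            if not _component_passes(comp, check, declared_refs)
        ]
    return report


def quality_score(sbom: dict[str, Any]) -> float:
    """0-10 score: mean over checks of the fraction of items passing each check."""
    n_components = len(sbom.get("components", []))
    ratios = []
    for check, failures in compliance_report(sbom).items():
        total = 1 if check in NTIA_DOCUMENT_CHECKS else n_components
        if total == 0:
            continue  # no components: component-level checks are not scorable
        ratios.append(1 - len(failures) / total)
    return round(10 * sum(ratios) / len(ratios), 2)


def enrich_suppliers(sbom: dict[str, Any], supplier_lookup: dict[str, str]) -> int:
    """Fill missing supplier names from a (here constructed) lookup table in place.

    Returns the number of components that were enriched.
    """
    filled = 0
    for comp in sbom.get("components", []):
        if not (comp.get("supplier") or {}).get("name"):
            name = supplier_lookup.get(comp.get("name", ""))
            if name:
                comp["supplier"] = {"name": name}
                filled += 1
    return filled


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM_JSON)
    print("before:", quality_score(doc), compliance_report(doc))
    enrich_suppliers(doc, {"libbar": "Bar Org"})  # constructed lookup
    print("after: ", quality_score(doc), compliance_report(doc))
```

The report is what makes the score actionable: rather than a single number, each failing check names the `bom-ref` to fix, so the same output can drive an enrichment step (as `enrich_suppliers` does for one field) or gate a pipeline before the SBOM is uploaded to a platform.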
Takeaways from this session
Understanding the process of scoring SBOMs, checking them for compliance, and enriching them to produce good-quality SBOMs.
Automating the seamless transfer of SBOMs from one platform (a build system) to another (Dependency-Track).
Which audience segment is your talk/session going to be beneficial for?
Folks working in fields like security and AppSec, students, curious geeks, SBOM enthusiasts, and software supply chain security practitioners.
About me
Hey, I am Vivek!! I’m passionate about open-source software and actively contribute to improving software supply chain security, with a strong focus on SBOM (Software Bill of Materials) tooling. I work on projects like sbommv, sbomqs, and sbomasm — as an Open Source Developer for Interlynk, a company committed to advancing OSS and SBOM platforms. Previously, I contributed to Kyverno, a Kubernetes-native policy engine, and its associated policies repository. Moreover, so far my journey has been tilted towards open source.