Protobom: Open-source software supply chain tool

Protobom is an open-source software supply chain tool that enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs), file data, and translate this data across standard industry SBOM formats.


“The Protobom project was born out of a project from CISA and DHS S&T to create an SBOM conversion tool. While considering the use cases, it became evident that beyond conversion, SBOM applications needed to read and write bills of materials. This led us to the design of a neutral representation that could capture all SBOM data. This intermediate representation is the core of Protobom,” Adolfo Garcia Veytia, the project maintainer, told Help Net Security.

Software Bill of Materials

The key to strengthening software security and software supply chain risk management is an SBOM, which is a nested, formatted inventory that lists the software’s components, including the supply chain relationships of various open-source and commercial components used in building software.

Understanding the software supply chain, obtaining an SBOM, and using it to analyze known vulnerabilities is crucial for managing cybersecurity risk.

Multiple SBOM data formats and identification schemes exist, making it challenging for organizations wanting to adopt SBOM usage. Protobom aims to mitigate this issue by offering a format-neutral data layer on top of the standards that lets applications work seamlessly with any SBOM.


Protobom can be integrated into both commercial and open-source applications, which will promote SBOM adoption and make SBOM creation and consumption easier and cheaper. Protobom tooling can access, read, and translate SBOMs in various data formats, thus providing seamless interoperability.

By integrating Protobom into applications that link SBOM information with external records of vulnerabilities and severity information from trusted sources, the applications can provide information on available patches and mitigations.

“In the upcoming releases, the team is planning to release a pluggable storage backend, add options to control the SBOM output and, now that it is under the OpenSSF, start collecting more libraries to handle an expanded realm of SBOM problems,” Veytia concluded.

Protobom is available for free on GitHub.

Must read:

Don't miss