Description
As promised in yesterday's meeting, SBOM datasets:

- bom-shelter (in-the-wild collection of 50+ real open source SBOMs and 3,000 in-the-lab SBOMs generated with syft, trivy, bom, and tern; in CycloneDX and SPDX formats) https://github.com/chainguard-dev/bom-shelter
- Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code (78,000 SBOMs; 80% are CycloneDX, the rest are SPDX) https://arxiv.org/abs/2503.15021
- A Dataset of Software Bill of Materials for Evaluating SBOM Consumption Tools (46 SBOMs generated from real-world Java projects; all of them have SPDX) https://arxiv.org/abs/2504.06880
- @andrew proposed that this could be used to analyse the common filenames, file extensions, and locations for SBOMs -- which can be used as an input for "Wanted: Recommendation for common native metadata keyword for SBOM file links" #5