SBOM Harmonization Plugfest 2024
November 19 - December 15, 2024 | Virtual
Update: Thank you to all who have submitted SBOMs. We received well over 170 SBOMs!
Update 2 (July 23, 2025): SEI recently published our report on the Software Bill of Materials (SBOM) Harmonization Plugfest 2024. Thank you to all who participated!
Investigate and understand how various tools may generate different SBOMs for the same software
Carnegie Mellon University's Software Engineering Institute (SEI) will conduct the Plugfest in support of the Cybersecurity and Infrastructure Security Agency (CISA). As the timeline below indicates, we will conduct an initial virtual meeting to review directions and expectations for the Plugfest on November 19, 2024. Participants will have until December 15, 2024 to submit SBOMs for the target software. We will meet a second time in January 2025 to review results with participants. Monitor this page for project updates!
CISA, Carnegie Mellon launch SBOM harmonization project comparing transparency processes (Inside Cybersecurity, November 25, 2024)
SBOM Plugfest Timeline
November 19, 2024: Meeting held to set rules and expectations
December 15, 2024: Deadline for participants to submit SBOMs (extended from December 10)
January 2025: Outbrief provided to participants
February 2025: Analysis results provided to CISA
Analyzing a piece of software at the same point in its lifecycle should produce similar dependency graphs. Divergent, tool-dependent results can undermine confidence in SBOMs. The plugfest is not a “bake-off” to determine the relative value of different tools, but an effort to understand differences in implementation and track down the root causes, including imprecise definitions or standards, how uncertainty is addressed, or other implementation decisions. The goal of this effort is to support SBOM implementation harmonization. We hope that feedback and lessons learned from the Plugfest will be useful for SBOM vendors, standards producers, and the SBOM community.
Our team selected eight potential software targets, covering a range of software languages, for SBOM generation. We will ask participants to generate Build and/or Source SBOMs in standard data formats (SPDX or CycloneDX). Participation is open to anyone who invests the “sweat equity” to generate and submit at least two SBOMs for any of the eight software targets. Participants’ contributions will help the SBOM community make progress on this common challenge by increasing confidence in SBOMs and enabling software transparency.
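To make the kind of comparison described above concrete, here is an added example (written for this page, not the SEI team's analysis tooling or any participant's submission) that normalises a CycloneDX JSON document and an SPDX 2.x JSON document for the same target into name/version inventories and reports where the two tools disagree. The two SBOMs, the tool labels, the target name "example-app" and the package versions are all constructed; the field names used (CycloneDX "bomFormat"/"components"/"metadata.component", SPDX "spdxVersion"/"packages"/"versionInfo") are the ones the two specifications define.

```python
"""Compare the component inventories of two SBOMs generated for the same
software by different tools. Example code for this page; the documents
below are constructed samples, not real tool output."""


def components_from_cyclonedx(doc):
    """Map lower-cased component name -> version for a CycloneDX JSON document.
    Note: the target itself lives under metadata.component, not components."""
    return {c["name"].lower(): c.get("version") for c in doc.get("components", [])}


def components_from_spdx(doc):
    """Map lower-cased package name -> version for an SPDX 2.x JSON document.
    Many SPDX producers list the analysed target as a package as well."""
    return {p["name"].lower(): p.get("versionInfo") for p in doc.get("packages", [])}


def components(doc):
    """Dispatch on the format markers each specification requires."""
    if doc.get("bomFormat") == "CycloneDX":
        return components_from_cyclonedx(doc)
    if "spdxVersion" in doc:
        return components_from_spdx(doc)
    raise ValueError("not a CycloneDX or SPDX JSON document")


def compare_sboms(doc_a, doc_b):
    """Return the disagreements between two SBOMs for the same target:
    components only one tool reports, and shared names with differing versions."""
    a, b = components(doc_a), components(doc_b)
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "version_mismatch": sorted((n, a[n], b[n]) for n in shared if a[n] != b[n]),
        "agree": sorted(n for n in shared if a[n] == b[n]),
    }


# Constructed sample: "tool A" emitted CycloneDX 1.5 and keeps the target
# out of the component list.
TOOL_A = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1"},
        {"type": "library", "name": "certifi", "version": "2024.2.2"},
    ],
}

# Constructed sample: "tool B" emitted SPDX 2.3, listed the target as a
# package, resolved urllib3 to a different version and saw idna but not certifi.
TOOL_B = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-example-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.31.0"},
        {"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3", "versionInfo": "2.1.0"},
        {"SPDXID": "SPDXRef-Package-idna", "name": "idna", "versionInfo": "3.7"},
    ],
}

if __name__ == "__main__":
    for finding, items in compare_sboms(TOOL_A, TOOL_B).items():
        print(f"{finding}: {items}")
```

Each category of output maps to a root cause the Plugfest wants to track down: "only_in_b" containing the target itself reflects a difference in how the two formats (or the two tools) treat the root component, the urllib3 version mismatch usually means the SBOMs were generated at different points in the lifecycle (source manifest versus resolved build), and a dependency seen by only one tool points at a difference in how optional or transitive dependencies are handled.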