SBOM Harmonization Plugfest 2024

November 19 - December 15, 2024 |  Virtual

Update: Thank you to all who have submitted SBOMs. We received well over 170 SBOMs!

Update 2 (July 23, 2025): SEI has published its report on the Software Bill of Materials (SBOM) Harmonization Plugfest 2024. Thank you to all who participated!

Participation Rules

Participation rules and expectations for the SBOM Harmonization Plugfest 2024 are detailed on this web page and were also reviewed in this video of the virtual meeting conducted on November 19, 2024.

SBOM Plugfest Timeline

November 19, 2024
Meeting held to set rules and expectations

December 15, 2024
Deadline for participants to submit SBOMs (extended from December 10)

January 2025
Outbrief provided to participants

February 2025
Analysis results provided to CISA

Software Targets

The following table has links to the software packages we have selected for the Plugfest. Using these links will ensure that everyone’s SBOM inputs are based on the same target software.

Package Name        Package Version               Language    For More Information (GitHub Repository)
NodeJS-Goof         Commit d240896 · 2023         JavaScript  Snyk Labs
httpie cli          Commit f4cf43e · July 2024    Python      HTTPie cli
Minecolonies        Commit 7c184da · Oct 2024     Java        Minecolonies
OpenCV              Commit 3919f33 · 17 Oct 2024  C++         OpenCV
Gin                 Commit f05f966 · Sept 2024    Go          Gin-Gonic
hexyl               Commit 427a552 · Sept 2024    Rust        sharkdp
Dependency Track    4.12.1 · 25 Oct 2024          OCI         Dependency-Track
PHPMailer           Commit 182f7b9 · 15 Oct 2024  PHP         PHPMailer
jq                  Commit 96e8d89 · 20 Nov 2024  C           jqlang/jq

Submission Instructions

  1. Full participation is open to anyone who submits SBOMs for at least two of the software targets listed above. The submission deadline is December 15, 2024.
  2. Create a folder for your organization (or tool) in the SBOM Plugfest 2024 directory. If you wish you may secure it so that only you and the CISA/SEI analysts have read access.
  3. Store your SBOM results using the following directory structure: <organization>/<target name>/<file format>.
  4. Submit source and/or build SBOMs in either or both standards (SPDX, CycloneDX). Use the following file-naming conventions for the SBOMs:
    1. SPDX: for a target named example, use example.spdx.json, example.spdx, or example.spdx.xml (for more information, see the SPDX website https://spdx.github.io/spdx-spec).
    2. CycloneDX: rename the tool's default output so the target and standard are in the file name, e.g. example/cyclonedx/bom.xml → example.cyclonedx.bom.xml
  5. You may enrich the SBOM as you normally would.
  6. Validate your SBOM before submitting it; consider using one of the following tools:
    1. SPDX: https://tools.spdx.org/app/ntia_checker, https://tools.spdx.org/app/validate
    2. CycloneDX: https://github.com/CycloneDX/sbom-utility
  7. Upload a README file that provides orientation and context for reviewers and includes the following information:
    1. point of contact (POC) for the SBOM submission
    2. version of the tool being used
    3. types of SBOMs being represented (e.g., Source, Build)
    4. how the SBOM was validated, including the name of the tool used
    5. additional information that might be useful to reviewers (e.g., details on any manual edits or enrichments made to the tool generated SBOM).
  8. Add the SBOM files generated for the reference examples to your tool’s folder.
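The layout and naming rules in steps 2 to 6, worked through as a pre-submission check. This is an added example, not the Plugfest's or SEI's tooling. It assumes that the <file format> level of the directory convention is the SBOM standard (a spdx/ or cyclonedx/ directory), takes its file suffixes from step 4 and its target names from the table above, and the three minimal SBOM documents it stages (one deliberately broken) are constructed test data. It is a pre-flight check only; it does not replace the SPDX and CycloneDX validators named in step 6.

```python
"""Pre-submission layout check for Plugfest SBOM files (added example, not the
Plugfest's own tooling). Assumes <file format> in <organization>/<target name>/
<file format>/ means a standard directory spdx/ or cyclonedx/; demo data is constructed."""
import json
import os
import shutil
import tempfile

# Suffixes from the naming convention -> standard directory (an assumption).
SUFFIXES = {".spdx.json": "spdx", ".spdx.xml": "spdx", ".spdx": "spdx",
            ".cyclonedx.bom.json": "cyclonedx", ".cyclonedx.bom.xml": "cyclonedx"}
# Target names as listed in the software targets table.
TARGETS = {"NodeJS-Goof", "httpie cli", "Minecolonies", "OpenCV", "Gin",
           "hexyl", "Dependency Track", "PHPMailer", "jq"}


def classify(filename):
    """Standard implied by the file suffix ('spdx'/'cyclonedx'), or None."""
    return next((std for suf, std in SUFFIXES.items() if filename.endswith(suf)), None)


def sanity_check(standard, data):
    """Light pre-flight check on a parsed JSON SBOM; not a replacement for the real validators."""
    problems = []
    if standard == "spdx":  # mandatory document-level fields in SPDX 2.x JSON
        problems += [f"missing {k}" for k in ("spdxVersion", "dataLicense", "SPDXID",
                     "name", "documentNamespace", "creationInfo") if k not in data]
    elif standard == "cyclonedx":
        if data.get("bomFormat") != "CycloneDX":
            problems.append("bomFormat must be 'CycloneDX'")
        if "specVersion" not in data:
            problems.append("missing specVersion")
        if not data.get("components"):
            problems.append("no components listed")
    return problems


def stage(org, target, src_path, root):
    """Copy src_path into <root>/<org>/<target>/<standard>/ and return the new path."""
    if target not in TARGETS:
        raise ValueError(f"unknown target {target!r}")
    standard = classify(os.path.basename(src_path))
    if standard is None:
        raise ValueError(f"{src_path}: suffix not in the naming convention")
    dest_dir = os.path.join(root, org, target, standard)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src_path))
    shutil.copyfile(src_path, dest)
    return dest


def check_submission(root, org):
    """Walk <root>/<org>/: clean targets, per-file problems (keyed by path relative to root), participation bar."""
    report = {"targets": set(), "problems": {}}
    org_dir = os.path.join(root, org)
    for target in sorted(os.listdir(org_dir)):
        for standard in ("spdx", "cyclonedx"):
            std_dir = os.path.join(org_dir, target, standard)
            for name in (sorted(os.listdir(std_dir)) if os.path.isdir(std_dir) else []):
                path, probs = os.path.join(std_dir, name), []
                if classify(name) != standard:
                    probs.append("file suffix does not match its directory")
                if name.endswith(".json"):
                    try:
                        with open(path, encoding="utf-8") as fh:
                            probs += sanity_check(standard, json.load(fh))
                    except ValueError as exc:  # JSONDecodeError is a ValueError
                        probs.append(f"not valid JSON: {exc}")
                if probs:
                    report["problems"][os.path.relpath(path, root)] = probs
                else:
                    report["targets"].add(target)
    report["full_participation"] = len(report["targets"]) >= 2  # step 1: two targets
    return report


def demo():
    """Stage three constructed SBOMs (one deliberately broken) and check them."""
    spdx_doc = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "name": "jq",
                "SPDXID": "SPDXRef-DOCUMENT", "documentNamespace": "https://example.org/spdx/jq",
                "creationInfo": {"created": "2024-12-01T00:00:00Z", "creators": ["Tool: example-0.1"]},
                "packages": [{"name": "jq", "SPDXID": "SPDXRef-jq", "downloadLocation": "NOASSERTION"}]}
    cdx_doc = {"bomFormat": "CycloneDX", "specVersion": "1.6",
               "components": [{"type": "library", "name": "gin"}]}
    broken = {"bomFormat": "SPDX"}  # wrong format tag, no specVersion, no components
    with tempfile.TemporaryDirectory() as tmp:
        inbox, root = os.path.join(tmp, "inbox"), os.path.join(tmp, "SBOM Plugfest 2024")
        os.makedirs(inbox)
        for fname, doc, target in (("jq.spdx.json", spdx_doc, "jq"),
                                   ("gin.cyclonedx.bom.json", cdx_doc, "Gin"),
                                   ("hexyl.cyclonedx.bom.json", broken, "hexyl")):
            src = os.path.join(inbox, fname)
            with open(src, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
            stage("ExampleOrg", target, src, root)
        return check_submission(root, "ExampleOrg")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=sorted))
```

Running the module stages the two clean files under ExampleOrg/jq/spdx/ and ExampleOrg/Gin/cyclonedx/, flags the hexyl file with three problems, and reports full_participation as true because two targets have a clean SBOM. The structural check deliberately covers only the document-level fields; run the SPDX online checker or sbom-utility on each file before uploading.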

Outbrief

In January 2025, we will conduct an outbrief session where we will review the initial results and get feedback and inputs on approaches for improved harmonization and alignment on generating SBOMs. Participation in the outbrief will be limited to those who submitted SBOMs for this effort.

Analysis Report

We plan to complete an analysis report for CISA in February 2025.

We thank everyone who participates; the published results will be anonymized, however, and tool names will not be listed alongside them.

Feedback/Help

If you have feedback or questions, send email to the SEI points of contact (POCs) via info@sei.cmu.edu.