This repository contains a proof-of-concept (PoC) implementation for disclosing limited but verifiable SBOM (Software Bill of Materials) information to authorized users using cryptographic methods.
Supported cryptographic methods:
- Merkle Trees (MT)
- Sparse Merkle Trees (SMT)
- Merkle Patricia Tries (MPT)
- Ordered Zero-Knowledge Sets (oZKS)
The project is divided into two tools
-
- Allows vendors to upload their product SBOMs, customers to retrieve commitments for specific SBOMs, and the system to generate cryptographic proofs confirming the presence of vulnerable dependencies. It also performs regular dependency-to-vulnerability mappings.
-
- Validates the cryptographic proofs generated by zkSBOM.
# Clone the repository
git clone git@github.com:chains-project/zkSBOM.git
# Initialize the submodules
git submodule update --init --recursive Follow the installation section in the corresponding README.md to install zkSBOM or zkSBOM Verifier.
See the usage guide in the corresponding README.md for zkSBOM or zkSBOM Verifier.
Sorger, T. (2025). Towards Zero-Knowledge Software Bill of Materials [Computer software]. https://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-369919
MIT License