Why do this?
If you are managing fine-grained sharing of your SBOM with customers and partners through RKVST, you may not always know who wants or needs to know the SBOM for any given version of one of your products.
By publishing a RefBOM to SBOM Hub, you can advertise the availability of SBOMs publicly without disclosing sensitive details. Anyone can then easily discover your SBOM, identify its RKVST Asset Identity, and engage with you through RKVST to participate in controlled, strongly governed distribution of your software supply chain information.
RefBOMs act like a billboard for your software supply chain information, providing highly visible and searchable indexing for your SBOMs without compromising data governance or responsible disclosure processes.
The RefBOM is a minimal SBOM that carries enough information to identify the component and version released, and a pointer to the RKVST record that securely stores and distributes the complete SBOM record.
The CycloneDX format provides a helpful 'externalReferences' feature which allows additional links and comments to be added to an SBOM, and this is what we use to link public records to RKVST Assets. The following is a reasonable template for creating your own, which can be done with simple scripting or text editing tools:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1" serialNumber="urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx">
  <metadata>
    <component type="application">
      <name>YOUR-COMPONENT-NAME</name>
      <version>YOUR-COMPONENT-VERSION</version>
    </component>
  </metadata>
  <externalReferences>
    <reference type="other">
      <url>FULL-RKVST-API-URL-OF-THE-ASSET</url>
      <comment>This SBOM is selectively shared on the Jitsuin RKVST platform</comment>
    </reference>
  </externalReferences>
</bom>
NOTE: The URL you put into the reference should be the full API path to the asset, not the web UI path. This is illustrated above.
Ideally you will upload the full SBOM to RKVST and the RefBOM to RKVST SBOM Hub in the same operation, but that may not always be possible. In any case, you need to upload to RKVST first, because you will need to know the RKVST identity (and hence the URL) of the RKVST Asset that tracks and distributes the SBOM for this component in order to insert it into the RefBOM.
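The following script shows the RefBOM derivation end to end: it takes a full CycloneDX 1.3 SBOM, keeps only the top-level component name and version, drops the dependency list, and adds the externalReference that points at the RKVST Asset. It is an added example, not Jitsuin or RKVST code. The full SBOM is a constructed sample, and the RKVST asset URL is a placeholder standing in for the full API path of your Asset (which you obtain after uploading the full SBOM to RKVST). A parse_refbom helper shows what a consumer browsing SBOM Hub would extract, and the dependency count it reports confirms nothing sensitive leaked.

```python
"""Derive a public RefBOM from a full CycloneDX 1.3 SBOM.

Added example, not RKVST/Jitsuin code. The RKVST asset URL is a placeholder;
the real value is the full API path of the Asset as returned by RKVST.
"""
import uuid
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.3"
ET.register_namespace("", NS)  # serialise with a default xmlns, no ns0: prefix
RKVST_COMMENT = "This SBOM is selectively shared on the Jitsuin RKVST platform"


def q(tag: str) -> str:
    """Namespace-qualify a CycloneDX tag name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed sample full SBOM. The <components> list is the sensitive part
# that must stay inside RKVST and never reach the public RefBOM.
FULL_SBOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1"
     serialNumber="urn:uuid:11111111-2222-3333-4444-555555555555">
  <metadata>
    <component type="application">
      <name>example-widget</name>
      <version>2.4.1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>internal-crypto-shim</name>
      <version>0.9.0</version>
    </component>
    <component type="library">
      <name>leftpad</name>
      <version>1.3.0</version>
    </component>
  </components>
</bom>
"""


def build_refbom(full_sbom_xml: str, asset_api_url: str, serial_number: str = "") -> str:
    """Return a RefBOM: top-level component identity plus one externalReference
    pointing at the RKVST Asset that holds the complete SBOM."""
    src = ET.fromstring(full_sbom_xml)
    top = src.find(f"{q('metadata')}/{q('component')}")
    if top is None:
        raise ValueError("full SBOM has no metadata/component to identify the release")
    name = top.findtext(q("name"))
    version = top.findtext(q("version"))
    if not name or not version:
        raise ValueError("top-level component needs both a name and a version")
    if not asset_api_url.startswith("https://"):
        raise ValueError("RKVST asset reference must be an absolute https URL")

    serial = serial_number or f"urn:uuid:{uuid.uuid4()}"
    bom = ET.Element(q("bom"), {"version": "1", "serialNumber": serial})
    metadata = ET.SubElement(bom, q("metadata"))
    comp = ET.SubElement(metadata, q("component"), {"type": top.get("type", "application")})
    ET.SubElement(comp, q("name")).text = name
    ET.SubElement(comp, q("version")).text = version
    # Deliberately no <components> element: dependency details stay in RKVST.
    refs = ET.SubElement(bom, q("externalReferences"))
    ref = ET.SubElement(refs, q("reference"), {"type": "other"})
    ET.SubElement(ref, q("url")).text = asset_api_url
    ET.SubElement(ref, q("comment")).text = RKVST_COMMENT
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(bom, encoding="unicode")


def parse_refbom(refbom_xml: str) -> dict:
    """What a consumer on SBOM Hub extracts: the release identity, the RKVST
    Asset URL to request access through, and how many dependencies were exposed."""
    root = ET.fromstring(refbom_xml)
    top = root.find(f"{q('metadata')}/{q('component')}")
    rkvst_url = None
    for ref in root.findall(f"{q('externalReferences')}/{q('reference')}"):
        if ref.findtext(q("comment")) == RKVST_COMMENT:
            rkvst_url = ref.findtext(q("url"))
    return {
        "name": top.findtext(q("name")) if top is not None else None,
        "version": top.findtext(q("version")) if top is not None else None,
        "rkvst_url": rkvst_url,
        "dependency_count": len(root.findall(f"{q('components')}/{q('component')}")),
    }


if __name__ == "__main__":
    # Placeholder URL: substitute the full RKVST API path of your Asset.
    refbom = build_refbom(FULL_SBOM, "https://RKVST-HOST/ASSET-API-PATH-PLACEHOLDER")
    print(refbom)
    print(parse_refbom(refbom))
```

The https check is a minimal sanity test on the reference; it cannot tell an API path from a web UI path, so the publisher still has to paste the Asset's API URL as the note above requires.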
Nonetheless the process is very simple:
For SBOM publishers, knowing who needs to know about a particular update is hard. And for consumers, the task of knowing where to look for updates can be equally confounding. Publishing RefBOMs to the SBOM Hub solves this problem while RKVST retains the strong data protection and governance controls required for your full SBOM.
Let us know what you think, and happy sharing!