Slides from my talk at BSides Toronto on 2025-10-04 "OWASP Transparency Exchange API: How We (Will) Share xBOMs" Talk Video: https://www.youtube.com/watch?v=rH29kdaLUJA Slides describe: 1. Current states of SBOMs 2. What are xBOMs 3. What prevents organizations from sharing xBOMs and what pushes them towards sharing 4. How organizations share xBOMs now 5. TEA as a unified standard for sharing authoritative metadata 6. TEA elements: Product-Component model, Discovery via TEI, Consumer and Publisher API, Insights

1. How We (Will)
Share xBOMs

2. About - Pavel Shukhman
Founded Reliza in 2019
Building ReARM - xBOM tool
TEA Contributor, participant of
OpenSSF SBOM groups
Player and organizer of social
deduction games

3. SBOM Use-Cases
Vulnerability & Risk Management
Tracking Updates
License Management & Licensing Risks
EOX management
Product / Vendor / Investor Risk Assessment
Incident Response, Servicing Devices
Compliance (GRC)
* Based on OpenSSF Whitepaper

4. Beyond SBOMs: xBOMs and More
xBOM (SBOM, HBOM,
AIBOM, CBOM, ...)
Assertions, Attestations
VDR, VEX, BOV
CLE
Documentation,
Certifications,
Formulations

5. SBOM generation may seem like
a solved problem, BUT...

6. Discovering the identity, author, license,
composition, ... of a component is hard

7. Component maintainer
is the best source of data!

8. Organizations want data
from others but hesitate
to share their own

9. Fear of (Not) Sharing
Why share?
What to share?
Who to share with?
When to share?
Can (Not) sharing lead to hacks?
Can (Not) sharing lead to lost
business?
Can (Not) sharing lead to fines?

10. Regulations Knocking
Canada: signatory of A Shared Vision
of SBOM (17 countries), ISTM.10.071
EU CRA, BSI TR-03183
US EOs 14028, 14144, OMB M-22-18,
Section 524B of the FD&C Act
RBI and SEBI (India)

11. The sharing train is moving, but how?

12. How xBOMs are Shared Today
Email
OCI Registries
Trust Portals
Password-protected URLs
Manufacturer Usage
Description (MUD) and .well-
known/sbom (RFC 9472)

13. TEA Provides Unified Distributed Way to Source
Authoritative Data Across Supply Chain

14. Other OWASP TEA Use-Cases
Retrieval of GRC Artifacts for a Product
Obtain Summarized CLE (Common Lifecycle
Enumeration), is my product supported, is there an
update?
Purchasing Decisions
Regulatory Compliance
Am I affected by this new 0-day (and other insights)

15. OWASP TEA Elements
Product - Component Data Model
TEI-based Discovery Mechanism
OpenAPI Consumer API
OpenAPI Publisher API
Insights

16. Product - Component Data Model
Apache Log4j
Log4j v2.25.1
Product Product Release
Log4j Core
Component
Log4j v2.25.0
Log4j API
Log4j Core v2.25.1
Log4j Core v2.25.0
Log4j API v2.25.1
Log4j API v2.25.0
Component Release

17. Discovery Based on DNS
urn:tei:<type>:<domain-name>:<unique-identifier>
Types: PURL, UUID, HASH, SWID, later: EAN, GS1, STD, others
TEI
Product Release
urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06
Transparency Exchange Identifier is a unique identifier
assigned by manufacturer and included with the product.
urn:tei:purl:cyclonedx.org:pkg:pypi/cyclonedx-python-lib@8.4.0

18. TEA Collection is a Fixed Set of
Artifacts per Release
Adding, removing or modifying an
artifact creates a new version of the
collection
All versions of each collection are
preserved in TEA

19. Insights (Future versions of TEA)
Which product or component
releases contain Log4j?
Which product or component
releases are affected by Log4Shell
(CVE-2021-44228)?

20. Sample TEA Flow - Apache Log4j2
urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06

21. Roadmap to Standard

22. Get Inovled and References
https://github.com/CycloneDX/transparency-exchange-api/
https://cyclonedx.org/slack/invite
https://cyclonedx.org/participate/contribute/
https://tc54.org/tea/
https://openssf.org/resources/improving-risk-management-decisions-with-sbom-data/
https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of-
software-bill-of-materials-for-cybersecurity_508c.pdf
https://www.youtube.com/watch?v=UfzDRaP-Pvw