OWASP Transparency Exchange API: How We (Will) Share xBOMs
About - Pavel Shukhman
Founded Reliza in 2019
Building ReARM - xBOM tool
TEA Contributor, participant of OpenSSF SBOM groups
Player and organizer of social deduction games
SBOM Use-Cases
Vulnerability & Risk Management
Tracking Updates
License Management & Licensing Risks
EOX management
Product / Vendor / Investor Risk Assessment
Incident Response, Servicing Devices
Compliance (GRC)
* Based on OpenSSF Whitepaper
Beyond SBOMs: xBOMs and More
xBOM (SBOM, HBOM, AIBOM, CBOM, ...)
Assertions, Attestations
VDR, VEX, BOV
CLE
Documentation,
Certifications,
Formulations
SBOM generation may seem like a solved problem, BUT...
Discovering the identity, author, license, composition, ... of a component is hard
Component maintainer is the best source of data!
Organizations want data from others but hesitate to share their own
Fear of (Not) Sharing
Why share?
What to share?
Who to share with?
When to share?
Can (Not) sharing lead to hacks?
Can (Not) sharing lead to lost business?
Can (Not) sharing lead to fines?
Regulations Knocking
Canada: signatory of A Shared Vision of SBOM (17 countries), ISTM.10.071
EU CRA, BSI TR-03183
US EOs 14028, 14144, OMB M-22-18, Section 524B of the FD&C Act
RBI and SEBI (India)
The sharing train is moving, but how?
How xBOMs are Shared Today
Email
OCI Registries
Trust Portals
Password-protected URLs
Manufacturer Usage Description (MUD) and .well-known/sbom (RFC 9472)
TEA Provides Unified Distributed Way to Source Authoritative Data Across Supply Chain
Other OWASP TEA Use-Cases
Retrieval of GRC Artifacts for a Product
Obtain Summarized CLE (Common Lifecycle Enumeration): is my product supported, is there an update?
Purchasing Decisions
Regulatory Compliance
Am I affected by this new 0-day (and other insights)
OWASP TEA Elements
Product - Component Data Model
TEI-based Discovery Mechanism
OpenAPI Consumer API
OpenAPI Publisher API
Insights
Product - Component Data Model
Product: Apache Log4j
  Product Releases: Log4j v2.25.1, Log4j v2.25.0
  Components: Log4j Core, Log4j API
    Component Releases: Log4j Core v2.25.1, Log4j Core v2.25.0, Log4j API v2.25.1, Log4j API v2.25.0
Discovery Based on DNS
urn:tei:<type>:<domain-name>:<unique-identifier>
Types: PURL, UUID, HASH, SWID, later: EAN, GS1, STD, others
Transparency Exchange Identifier (TEI) is a unique identifier assigned by the manufacturer and included with the product.
TEI for a product release (uuid type): urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06
TEI using a package URL (purl type): urn:tei:purl:cyclonedx.org:pkg:pypi/cyclonedx-python-lib@8.4.0
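The TEI layout above is a URN whose last field can itself contain colons (a PURL starts with pkg:), so a naive split on ":" breaks it. The parser below, an added example that is not code from the TEA project or from this talk, uses only the layout and type names shown on the slide; the per-type checks (UUID syntax, the pkg: prefix for purl, a 64-hex-character digest for hash) and the hostname regex are this example's own assumptions.

```python
"""Parse and validate Transparency Exchange Identifiers (TEIs).

Added example, not TEA project code. Layout and type names come from the
slide: urn:tei:<type>:<domain-name>:<unique-identifier>. The per-type
validation rules below are assumptions made for this example.
"""
import re
import uuid
from dataclasses import dataclass

# Types named on the slide. "Later" types are accepted but only checked for non-emptiness.
KNOWN_TYPES = {"purl", "uuid", "hash", "swid", "ean", "gs1", "std"}

# Assumption: the domain field is a DNS hostname (labels of letters/digits/hyphens).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


@dataclass(frozen=True)
class TEI:
    tei_type: str
    domain: str
    unique_id: str

    def __str__(self) -> str:
        return f"urn:tei:{self.tei_type}:{self.domain}:{self.unique_id}"


def parse_tei(value: str) -> TEI:
    """Split a TEI URN into its three fields and validate each one."""
    # Split on at most four colons: everything after the fourth colon is the
    # unique identifier, which may contain colons of its own (e.g. pkg:pypi/...).
    parts = value.strip().split(":", 4)
    if len(parts) != 5 or parts[0].lower() != "urn" or parts[1].lower() != "tei":
        raise ValueError(f"not a TEI URN: {value!r}")
    _, _, tei_type, domain, unique_id = parts
    tei_type = tei_type.lower()
    if tei_type not in KNOWN_TYPES:
        raise ValueError(f"unknown TEI type {tei_type!r}")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"invalid domain name {domain!r}")
    if not unique_id:
        raise ValueError("empty unique identifier")
    if tei_type == "uuid":
        uuid.UUID(unique_id)  # raises ValueError on malformed input
    elif tei_type == "purl" and not unique_id.startswith("pkg:"):
        raise ValueError("purl TEI must carry a pkg: package URL")
    elif tei_type == "hash" and not re.fullmatch(r"[0-9a-f]{64}", unique_id, re.I):
        # Assumption for this example: a SHA-256 hex digest.
        raise ValueError("hash TEI must be a 64-hex-character digest")
    return TEI(tei_type, domain.lower(), unique_id)


def discovery_domain(value: str) -> str:
    """Return the DNS name a consumer would query to locate the publisher's TEA endpoint."""
    return parse_tei(value).domain


if __name__ == "__main__":
    for sample in (
        "urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06",
        "urn:tei:purl:cyclonedx.org:pkg:pypi/cyclonedx-python-lib@8.4.0",
    ):
        tei = parse_tei(sample)
        print(tei.tei_type, discovery_domain(sample), tei.unique_id)
```

Rejecting unknown types and malformed domains before any network lookup matters on the consumer side: the domain field is what drives discovery, so an identifier that fails to parse should never trigger a DNS query.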
TEA Collection is a Fixed Set of Artifacts per Release
Adding, removing or modifying an artifact creates a new version of the collection
All versions of each collection are preserved in TEA
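The versioning rule above (any add, remove or modify yields a new collection version, and no version is ever discarded) is easy to get wrong if a server mutates a collection in place. The model below is an added example and not TEA project code: the artifact fields, the SHA-256 content fingerprint used to detect a no-op update, and the method names are this example's assumptions rather than the TEA schema.

```python
"""Append-only, versioned collections in the style of TEA.

Added example, not TEA project code. Models the slide's rule: adding,
removing or modifying an artifact creates a new collection version and
every version is kept. Field names and the fingerprint are assumptions.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Artifact:
    name: str    # e.g. "sbom.cdx.json"
    kind: str    # e.g. "sbom", "vex", "certification"
    sha256: str  # hex digest of the artifact's content


@dataclass(frozen=True)
class CollectionVersion:
    version: int
    artifacts: tuple       # Artifact objects, sorted by name
    fingerprint: str       # hash over the artifact list; equal lists => equal fingerprints


def _fingerprint(artifacts) -> str:
    canonical = json.dumps([asdict(a) for a in artifacts], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class Collection:
    """Collection of artifacts for one release; versions are never mutated or dropped."""

    def __init__(self, release_tei: str, artifacts=()):
        self.release_tei = release_tei
        self._versions = []
        self._publish(artifacts)

    def _publish(self, artifacts) -> CollectionVersion:
        arts = tuple(sorted(artifacts, key=lambda a: a.name))
        fp = _fingerprint(arts)
        if self._versions and self._versions[-1].fingerprint == fp:
            return self._versions[-1]  # identical content: no new version
        cv = CollectionVersion(len(self._versions) + 1, arts, fp)
        self._versions.append(cv)
        return cv

    def current(self) -> CollectionVersion:
        return self._versions[-1]

    def version(self, n: int) -> CollectionVersion:
        return self._versions[n - 1]

    def versions(self) -> list:
        return list(self._versions)

    def add(self, art: Artifact) -> CollectionVersion:
        if any(a.name == art.name for a in self.current().artifacts):
            raise ValueError(f"artifact {art.name!r} already present; use replace()")
        return self._publish(self.current().artifacts + (art,))

    def remove(self, name: str) -> CollectionVersion:
        remaining = tuple(a for a in self.current().artifacts if a.name != name)
        if len(remaining) == len(self.current().artifacts):
            raise KeyError(name)
        return self._publish(remaining)

    def replace(self, art: Artifact) -> CollectionVersion:
        """Modify an artifact: same name, new content hash."""
        if not any(a.name == art.name for a in self.current().artifacts):
            raise KeyError(art.name)
        return self._publish(tuple(art if a.name == art.name else a
                                   for a in self.current().artifacts))


if __name__ == "__main__":
    # Constructed sample data; the digests are placeholders, not real file hashes.
    c = Collection("urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06",
                   [Artifact("sbom.cdx.json", "sbom", "a" * 64)])
    c.add(Artifact("vex.cdx.json", "vex", "b" * 64))
    c.replace(Artifact("sbom.cdx.json", "sbom", "c" * 64))
    for v in c.versions():
        print(v.version, [(a.name, a.sha256[:8]) for a in v.artifacts])
```

A consumer that cached version 1 can still fetch it after the SBOM is regenerated, which is what makes a collection usable as audit evidence.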
Insights (Future versions of TEA)
Which product or component releases contain Log4j?
Which product or component releases are affected by Log4Shell (CVE-2021-44228)?
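Both insight questions are graph queries over the Product / Product Release / Component / Component Release model from the earlier slide. The code below is an added example, not TEA project code: it loads the Log4j sample from the slide plus one constructed downstream product ("Example App", labelled as such) and answers "which releases contain component X" and "which releases contain an affected version of X". The in-memory graph, the query functions and the version-tuple comparison are this example's assumptions; the affected range used for CVE-2021-44228 is the published one (log4j-core 2.0-beta9 through 2.14.1, fixed in 2.15.0).

```python
"""Product/component release graph and the two 'insights' queries.

Added example, not TEA project code. Entities follow the slide's data model;
the graph structure and query helpers are this example's own design.
"""
from typing import Callable, Dict, List, Set, Tuple

Release = Tuple[str, str]  # (name, version string such as "v2.25.1")


class ReleaseGraph:
    """Maps each product release to the component releases it contains."""

    def __init__(self):
        self.product_releases: Dict[Release, Set[Release]] = {}

    def add_product_release(self, product: str, version: str, contains) -> None:
        self.product_releases[(product, version)] = set(contains)


def parse_version(v: str) -> tuple:
    """'v2.14.1' -> (2, 14, 1); non-numeric suffixes such as 'beta9' sort before numbers."""
    out = []
    for part in v.lstrip("v").split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits and part.isdigit() else -1)
    return tuple(out)


def releases_containing(g: ReleaseGraph, component: str) -> List[Release]:
    """Insight 1: which product releases contain any version of `component`?"""
    return sorted(pr for pr, comps in g.product_releases.items()
                  if any(name == component for name, _ in comps))


def releases_affected(g: ReleaseGraph, component: str,
                      is_affected: Callable[[tuple], bool]) -> List[Release]:
    """Insight 2: which product releases contain a version of `component`
    for which `is_affected(version_tuple)` is true?"""
    return sorted(pr for pr, comps in g.product_releases.items()
                  if any(name == component and is_affected(parse_version(ver))
                         for name, ver in comps))


def build_sample() -> ReleaseGraph:
    g = ReleaseGraph()
    # From the slide: Apache Log4j releases and their component releases.
    for ver in ("v2.25.1", "v2.25.0"):
        g.add_product_release("Apache Log4j", ver,
                              [("Log4j Core", ver), ("Log4j API", ver)])
    # Constructed downstream product for illustration only (not on the slide).
    g.add_product_release("Example App", "v1.0",
                          [("Log4j Core", "v2.14.1"), ("Log4j API", "v2.14.1")])
    return g


def log4shell_affected(version: tuple) -> bool:
    """CVE-2021-44228 affected log4j-core from 2.0-beta9 up to and including 2.14.1."""
    return (2, 0) <= version <= (2, 14, 1)


if __name__ == "__main__":
    g = build_sample()
    print("contain Log4j Core:", releases_containing(g, "Log4j Core"))
    print("affected by Log4Shell:", releases_affected(g, "Log4j Core", log4shell_affected))
```

The value of TEA here is that the edges of this graph come from each manufacturer's own published collections rather than from a consumer's guesswork, so the second query can be re-run against current data the moment a new advisory lands.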
Sample TEA Flow - Apache Log4j2
urn:tei:uuid:demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06
Roadmap to Standard
Get Involved and References
https://github.com/CycloneDX/transparency-exchange-api/
https://cyclonedx.org/slack/invite
https://cyclonedx.org/participate/contribute/
https://tc54.org/tea/
https://openssf.org/resources/improving-risk-management-decisions-with-sbom-data/
https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of-software-bill-of-materials-for-cybersecurity_508c.pdf
https://www.youtube.com/watch?v=UfzDRaP-Pvw