Knowledge base
Plain-English explainers on software supply-chain security, SBOMs, open-source licensing, and the regulations behind them. Grouped into niches, drawn from the real supply-chain work on this site.
SBOM Basics & Lifecycle
What a software bill of materials is, the formats it ships in, and the full lifecycle of work around the document.
What is an SBOM?
A Software Bill of Materials is a complete, machine-readable inventory of everything your software is built from. Here is what that means, what goes in one, and why it has become a requirement rather than a nice-to-have.
5 min read
SPDX vs CycloneDX
If you are producing an SBOM, you will produce it in one of two formats: SPDX or CycloneDX. Here is where each came from, what each is good at, and how to choose.
7 min read
The SBOM lifecycle: before and after the document
Most coverage of SBOMs stops at "here is how you generate one." Generating it is the cheap part. This walks the full lifecycle, because the value is on either side of the document.
Open-Source Licensing
How open-source licenses work, what copyleft obligates, and why a single dependency can change what you owe.
Permissive vs copyleft licenses
Every open-source license falls on a spectrum from permissive to copyleft. Knowing which is which, and what each obligates you to do, is the core of open-source license compliance.
6 min read
What is copyleft (and why it matters)?
Copyleft is the idea that turned open source into a movement. It is also the single licensing concept most likely to surprise a business that did not know it was there.
6 min read
What does "no AGPL" really mean?
If you have seen a "no AGPL" rule in a company policy and wondered why one license gets singled out, this explains exactly what it does, and what it does not.
Compliance, Security & Practice
Who the regulations apply to, how composition analysis prioritizes real risk, and how to stand the tooling up in CI.
Who needs an SBOM? The regulations driving demand
A few years ago an SBOM was a nice-to-have. Now it is a procurement requirement in several major markets. Here is who is mandating them and when.
6 min read
What is software composition analysis (SCA)?
If an SBOM is the inventory of what your software is made of, software composition analysis is what reads that inventory and tells you where the risk is.
9 min read
How to implement FOSSA: a setup and CI-gating checklist
Standing up software composition analysis is less about the scan and more about the gate. This walks the full path on a real repository: connect, read the first scan, set policy, and wire CI so a bad dependency cannot be merged. Every step here was run on this site.
These are the field notes behind the supply-chain work on this site. See the real SBOM scan or the FOSSA scan of this repository.