Software supply chain and open-source licensing

Plain-English explainers on SBOMs, open-source licenses, copyleft, and the regulations driving software supply-chain transparency. The field notes behind the supply-chain work on this site.

The supply-chain pillar of the knowledge base, tied to the real SBOM scan of this site.

6 min read

What is an SBOM?

A Software Bill of Materials is a complete, machine-readable inventory of everything your software is built from. Here is what that means, what goes in one, and why it has become a requirement rather than a nice-to-have.

7 min read

Permissive vs copyleft licenses

Every open-source license falls on a spectrum from permissive to copyleft. Knowing which is which, and what each obligates you to do, is the core of open-source license compliance.

5 min read

SPDX vs CycloneDX

If you are producing an SBOM, you will produce it in one of two formats: SPDX or CycloneDX. Here is where each came from, what each is good at, and how to choose.

7 min read

Who needs an SBOM? The regulations driving demand

A few years ago an SBOM was a nice-to-have. Now it is a procurement requirement in several major markets. Here is who is mandating them and when.

6 min read

What is copyleft (and why it matters)?

Copyleft is the idea that turned open source into a movement. It is also the single licensing concept most likely to surprise a business that did not know it was there.

6 min read

What does "no AGPL" really mean?

If you have seen a "no AGPL" rule in a company policy and wondered why one license gets singled out, this explains exactly what it does, and what it does not.

6 min read

What is software composition analysis (SCA)?

If an SBOM is the inventory of what your software is made of, software composition analysis is what reads that inventory and tells you where the risk is.

7 min read

The SBOM lifecycle: before and after the document

Most coverage of SBOMs stops at "here is how you generate one." Generating it is the cheap part. This walks the full lifecycle, because the value is on either side of the document.

9 min read

How to implement FOSSA: a setup and CI-gating checklist

Standing up software composition analysis is less about the scan and more about the gate. This walks the full path on a real repository: connect, read the first scan, set policy, and wire CI so a bad dependency cannot be merged. Every step here was run on this site.

New to this? Start with What is an SBOM? or see the real SBOM scan of this site.