Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/chains-project/zksbom

zero knowledge SBOMs (thesis Tom Sorger)
https://github.com/chains-project/zksbom

Last synced: 3 months ago
JSON representation

zero knowledge SBOMs (thesis Tom Sorger)

Awesome Lists containing this project

README 

          
# Zero-Knowledge SBOM (zkSBOM)



This repository contains a proof-of-concept (PoC) implementation for disclosing limited but verifiable SBOM (Software Bill of Materials) information to authorized users using cryptographic methods.



Supported cryptographic methods:



- Merkle Trees (MT)

- Sparse Merkle Trees (SMT)

- Merkle Patricia Tries (MPT)

- Ordered Zero-Knowledge Sets (oZKS)



The project is divided into two tools

- [zkSBOM](./zksbom/)

  - Allows vendors to upload their product SBOMs, customers to retrieve commitments for specific SBOMs, and the system to generate cryptographic proofs confirming the presence of vulnerable dependencies.

  It also performs regular dependency-to-vulnerability mappings.



- [zkSBOM Verifier](./zksbom-verifier/)

  - Validates the cryptographic proofs generated by zkSBOM.



## Installation



```Bash

# Clone the repository

git clone git@github.com:chains-project/zkSBOM.git



# Initialize the submodules

git submodule update --init --recursive 

```



Follow the installation section in the corresponding README.md to install [zkSBOM](./zksbom/README.md#Installation) or [zkSBOM Verifier](./zksbom-verifier/README.md#Installation).



## Usage



See the usage guide in the corresponding README.md for [zkSBOM](./zksbom/README.md#Usage) or [zkSBOM Verifier](./zksbom-verifier/README.md#Usage).



## Citation



Sorger, T. (2025). Towards Zero-Knowledge Software Bill of Materials [Computer software]. https://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-369919



## License



MIT License



## Contact



[Tom Sorger](mailto:sorger@kth.se)