SBOMArchive — Historical SBOM Snapshots + Diff Over Time
18 SBOM snapshots (CycloneDX 1.6) spanning 18 months, across 4 production services. Per snapshot: dependency count, license mix, packages added, packages removed, version bumps, signed-attestation status. This is the audit-evidence trail that EO 14028 and the NIST SSDF call for.
What it is
The temporal companion to SbomScanner. An SBOM is not a single snapshot; it is a history. The diff between consecutive snapshots is what tells you when a vulnerable version first entered the dependency tree, and therefore whether a CVE was introduced this quarter or has been latent for two years.
What’s in it
- 18 snapshots, 4 services, 18 months
- Per snapshot: package count, added / removed / bumped, license mix, signature status
- Diff visualization: side-by-side added vs removed vs bumped
- Includes a pre-fix snapshot of jsonwebtoken (CVE-2022-23529, affecting versions up to 8.5.1 and fixed in 9.0.0) so the exposure window is provable from the archive itself
- Pre-Sigstore-adoption snapshot included as historical reference
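The snapshot diff and the exposure-window walk described above, as an added example in vanilla JavaScript (this is illustration code written for this page, not the SBOMArchive renderer). The three CycloneDX 1.6 snapshots, their dates and their component lists are constructed for the demo; the only real-world fact used is that CVE-2022-23529 affects jsonwebtoken below 9.0.0. Components are keyed by purl with the version stripped, so a version bump is recognised as the same package rather than as a remove-plus-add.

```javascript
// Added example, not the SBOMArchive source: diff consecutive CycloneDX 1.6
// JSON snapshots and find the window during which a component sat in a
// vulnerable version range. The three SBOMs below are constructed for the
// demo; dates, components and versions are illustrative, not real services.

function lib(name, version, licenseId) {
  return { type: "library", name, version,
           purl: `pkg:npm/${name}@${version}`,
           licenses: [{ license: { id: licenseId } }] };
}

// Chronological snapshots of one service. jsonwebtoken < 9.0.0 is affected by
// CVE-2022-23529; the fixed release (9.0.0) appears only in the third snapshot.
const SNAPSHOTS = [
  { taken: "2022-10-01", bom: { bomFormat: "CycloneDX", specVersion: "1.6",
      components: [lib("jsonwebtoken", "8.5.1", "MIT"), lib("express", "4.18.1", "MIT")] } },
  { taken: "2022-11-01", bom: { bomFormat: "CycloneDX", specVersion: "1.6",
      components: [lib("jsonwebtoken", "8.5.1", "MIT"), lib("express", "4.18.2", "MIT"),
                   lib("lodash", "4.17.21", "MIT")] } },
  { taken: "2023-01-01", bom: { bomFormat: "CycloneDX", specVersion: "1.6",
      components: [lib("jsonwebtoken", "9.0.0", "MIT"), lib("express", "4.18.2", "MIT"),
                   lib("undici", "5.19.1", "MIT")] } },
];

// Identity of a component across versions: the purl with its version removed,
// falling back to group/name when the component carries no purl.
function componentKey(c) {
  if (c.purl) return c.purl.replace(/@[^@/?#]+(?=[?#]|$)/, "");
  return c.group ? `${c.group}/${c.name}` : c.name;
}

function indexComponents(bom) {
  return new Map((bom.components || []).map(c => [componentKey(c), c]));
}

// Comparison good enough for major.minor.patch; pre-release tags are dropped.
// A production tool should use a proper semver library.
function parseSemver(v) {
  return v.split("-")[0].split(".").map(n => parseInt(n, 10) || 0);
}
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0, yi = y[i] || 0;
    if (xi !== yi) return xi < yi ? -1 : 1;
  }
  return 0;
}

// The per-snapshot diff: components added, removed and bumped between two
// consecutive SBOMs.
function diffSnapshots(prevBom, nextBom) {
  const prev = indexComponents(prevBom), next = indexComponents(nextBom);
  const added = [], removed = [], bumped = [];
  for (const [key, c] of next) {
    if (!prev.has(key)) added.push(key);
    else if (prev.get(key).version !== c.version)
      bumped.push({ key, from: prev.get(key).version, to: c.version });
  }
  for (const key of prev.keys()) if (!next.has(key)) removed.push(key);
  return { added, removed, bumped };
}

// License mix: number of components per SPDX license id (or expression).
function licenseMix(bom) {
  const mix = {};
  for (const c of bom.components || []) {
    for (const l of c.licenses || []) {
      const id = (l.license && (l.license.id || l.license.name)) || l.expression || "UNKNOWN";
      mix[id] = (mix[id] || 0) + 1;
    }
  }
  return mix;
}

// Walk the archive in order: `introduced` is the first snapshot in which `key`
// is present at an affected version, `fixed` the first later snapshot in which
// it is not (bumped past the range or removed). `fixed` stays null while exposed.
function exposureWindow(snapshots, key, isAffected) {
  let introduced = null, fixed = null;
  for (const s of snapshots) {
    const c = indexComponents(s.bom).get(key);
    const exposed = c !== undefined && isAffected(c.version);
    if (exposed && introduced === null) introduced = s.taken;
    if (!exposed && introduced !== null && fixed === null) fixed = s.taken;
  }
  return { introduced, fixed };
}

const JWT_AFFECTED = v => compareSemver(v, "9.0.0") < 0; // CVE-2022-23529 range

for (let i = 1; i < SNAPSHOTS.length; i++)
  console.log(SNAPSHOTS[i].taken, JSON.stringify(diffSnapshots(SNAPSHOTS[i - 1].bom, SNAPSHOTS[i].bom)));
console.log(JSON.stringify(exposureWindow(SNAPSHOTS, "pkg:npm/jsonwebtoken", JWT_AFFECTED)));
```

One caveat the archive cannot remove: if the vulnerable version is already present in the oldest snapshot (as it is here), `introduced` only tells you the package was affected at least since that date, not when it actually entered the tree. That is the argument for keeping every snapshot rather than only the last N.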
Why this shape
EO 14028 (May 2021) directed NIST to set the requirements under which software sold to the federal government ships with an SBOM. NIST SSDF SP 800-218 (practice PS.3.2) asks that provenance data such as an SBOM be collected and maintained for every release, which in practice means keeping every past SBOM rather than only the current one. CycloneDX 1.6 and SPDX 2.3 are the standard formats. The audit question, "show me the SBOM as it stood at the moment of the breach", can only be answered from an archive.
How it ships
Single HTML file, about 14 KB, zero dependencies: the 18 snapshots plus the per-snapshot diff renderer, in roughly 100 lines of vanilla JavaScript.