Petra: SBOMs Without Oversharing for Confidential Supply Chain... Eman Abu Ishgair & Marcela Melara

OpenSSF
Jun 3, 2026

Why It Matters

Petra makes confidential, verifiable SBOM sharing practical, unlocking wider adoption and improving supply‑chain risk management.

Key Takeaways

  • SBOM adoption stalls at 21% due to confidentiality and integration hurdles.
  • Petra enables selective disclosure of SBOM data via policy‑based encryption.
  • Uses Sigstore OIDC attributes for fine‑grained access control and key management.
  • Demonstrated end‑to‑end pipeline: tree representation, hashing, CP‑ABE encryption, verification.
  • Open‑source project aims to balance supply‑chain transparency with IP protection.

Summary

The presentation introduced Petra, a system designed to enable trustworthy and confidential exchange of Software Bill of Materials (SBOMs). The speakers highlighted the "SBOM paradox": while SBOMs are essential for compliance, auditing, and supply‑chain security, only about 21% of organizations use them because confidentiality, integration costs, and lack of verifiable redistribution hinder adoption.

Petra addresses four critical gaps identified in existing SBOM tools: integration effort, confidentiality, automated redistribution, and fine‑grained access control. By employing policy‑based encryption, selective disclosure, and verifiable reduction, Petra binds access control to individual SBOM nodes rather than the whole document, ensuring both transparency and IP protection.

The demo showcased an end‑to‑end pipeline: SBOMs are modeled as trees, hashed for integrity, encrypted with CP‑ABE keys derived from Sigstore OIDC attributes, and wrapped in Merkle proofs for membership verification. Consumers with appropriate attributes—such as security auditor status—can decrypt only the permitted nodes, and signatures confirm the integrity of both plaintext and redacted versions.
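The hashing, redaction and membership-proof steps of that pipeline, as an added example that is not Petra's code: the SBOM's component nodes are Merkle-committed, a sensitive node is replaced by its leaf hash (where Petra would carry a CP-ABE ciphertext; the encryption and the Sigstore signature over the root are out of scope here), and a consumer checks both the redacted view and a single node's membership against the committed root. The component list, the `sensitive` flag and the 0x00/0x01 domain-separation bytes are constructed for this example.

```python
import hashlib
import json

# Constructed sample SBOM: a flat list of component nodes, one marked sensitive.
COMPONENTS = [
    {"name": "openssl", "version": "3.0.13", "sensitive": False},
    {"name": "internal-crypto-lib", "version": "1.2.0", "sensitive": True},
    {"name": "zlib", "version": "1.3.1", "sensitive": False},
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def leaf_hash(component: dict) -> bytes:
    # Canonical JSON so both sides hash identical bytes; 0x00 tags a leaf, 0x01 an interior node.
    return sha256(b"\x00" + json.dumps(component, sort_keys=True).encode())
def view_leaf_hashes(view: list) -> list:
    # A redacted node carries only its commitment; a plaintext node is re-hashed.
    return [bytes.fromhex(c["redacted_leaf_hash"]) if "redacted_leaf_hash" in c
            else leaf_hash(c) for c in view]
def next_level(level: list) -> list:
    if len(level) % 2:  # odd level: duplicate the last hash
        level = level + [level[-1]]
    return [sha256(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
def merkle_root(hashes: list) -> bytes:
    level = list(hashes)
    while len(level) > 1:
        level = next_level(level)
    return level[0]
def merkle_proof(hashes: list, index: int) -> list:
    # Audit path for leaf `index` as (sibling hash, sibling-is-on-the-left) pairs.
    proof, level, i = [], list(hashes), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[i ^ 1], (i ^ 1) < i))
        level, i = next_level(level), i // 2
    return proof
def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    acc = leaf
    for sibling, sibling_left in proof:
        acc = sha256(b"\x01" + (sibling + acc if sibling_left else acc + sibling))
    return acc == root
def redact(components: list) -> list:
    # Sensitive nodes keep only the leaf commitment; Petra would carry a CP-ABE ciphertext here.
    return [{"redacted_leaf_hash": leaf_hash(c).hex()} if c["sensitive"] else c
            for c in components]
def verify_view(view: list, signed_root: bytes) -> bool:
    # Consumer check: the redacted or full view still commits to the signed root.
    return merkle_root(view_leaf_hashes(view)) == signed_root
```

The producer signs only the root, so a consumer holding the redacted view can still confirm nothing was added, removed or altered, and a membership proof lets it answer "is component X present?" without seeing the other redacted nodes.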

By providing an open‑source, interoperable framework, Petra could lower the barrier to SBOM redistribution across complex supply chains, encouraging broader adoption and strengthening software‑supply‑chain security for enterprises and government agencies alike.

Original Description

Petra: SBOMs Without Oversharing for Confidential Supply Chain Transparency - Eman Abu Ishgair, Purdue University & Marcela Melara, Intel Corporation

Software Bills of Materials are central to improving transparency and trust in modern software supply chains. However, organizations often hesitate to share complete SBOMs due to intellectual property or security concerns. This challenge is amplified in multi-tier supply chains, where SBOMs are routinely redistributed across vendors.
We present Petra, a system that enables confidential and policy-bounded SBOM exchange without sacrificing verifiability.
Petra allows producers to selectively encrypt sensitive SBOM metadata while preserving structural integrity and enabling authorized consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Importantly, Petra supports controlled redistribution: SBOMs can be shared across organizational boundaries while cryptographically enforcing downstream access restrictions.
We discuss selective disclosure for real-world SPDX and CycloneDX SBOMs, cryptographically verifiable redactions, and practical deployment considerations. Through a demo, attendees will see how Petra enables secure SBOM sharing that supports transparency and compliance without oversharing.
