This repository contains a proof-of-concept (PoC) implementation for disclosing limited but verifiable SBOM (Software Bill of Materials) information to authorized users using cryptographic methods.
Supported methods:
- Merkle Trees (MT)
- Sparse Merkle Trees (SMT)
- Merkle Patricia Tries (MPT)
- Ordered Zero-Knowledge Sets (oZKS)
zkSBOM allows vendors to upload their product SBOMs, customers to retrieve commitments for specific SBOMs, and the system to generate cryptographic proofs confirming the presence of vulnerable dependencies. It also automatically performs regular dependency-to-vulnerability mapping updates.
zkSBOM Verifier validates the cryptographic proofs generated by zkSBOM.
Clone the repository:
git clone git@github.com:chains-project/zkSBOM.git
Copy and edit the zksbom configuration file:
cp zksbom/config/config_template.toml zksbom/config/config.toml
Update the configuration file with your GitHub Personal Access Token (PAT) under the github_token field.
This token is required to query the GitHub Advisory Database.
Copy and edit the zksbom-verifier configuration file:
cp zksbom-verifier/config/config_template.toml zksbom-verifier/config/config.toml
Navigate to the zksbom directory and build in release mode:
cd zksbom
cargo build --release
After building, you can upload SBOMs:
target/release/zksbom upload_sbom --api-key <api key> --sbom "<path to sbom>"
- The system generates commitments using all cryptographic methods.
- The --api-key parameter is mandatory but not validated in this PoC: any value is accepted, so it provides no access control.
Note
To use oZKS, you must start its server manually:
zksbom/src/method/ozks/ozks-server.exe
This executable is built from the oZKS submodule at zksbom/src/method/ozks/dev.
Currently, oZKS support is non-persistent and only works for target_arch = "x86_64" (tested on Windows 11).
Fetch a commitment for an uploaded SBOM:
target/release/zksbom get_commitment \
--vendor "<vendor>" \
--product "<product>" \
--version "<version>" \
--method "<method>"
- vendor: Vendor of the SBOM
- product: Product name
- version: Product version
- method: Cryptographic method
Note
Supported cryptographic methods:
merkle-tree
sparse-merkle-tree
merkle-patricia-trie
ozks
Before generating proofs, update the dependency–vulnerability mapping:
target/release/zksbom map_vulnerabilities
In a production system, this process should run regularly (e.g., every 6 hours).
Important
If no vulnerabilities are found when expected, verify that your GitHub PAT is correctly configured in the configuration file.
You can generate a proof in two ways:
Using a commitment:
target/release/zksbom get_zkp \
--api-key <api key> \
--method "<method>" \
--commitment "<commitment>" \
--vulnerability "<CVE>"
Using vendor/product/version:
target/release/zksbom get_zkp_full \
--api-key <api key> \
--method "<method>" \
--vendor "<vendor>" \
--product "<product>" \
--version "<version>" \
--vulnerability "<CVE>"
- api-key: API key (currently unchecked)
- method: Cryptographic method
- commitment: Commitment
- vulnerability: CVE identifier
Tip
Detailed examples are available in the zksbom README.
Navigate to the zksbom-verifier directory and build in release mode:
cd zksbom-verifier
cargo build --release
Verify whether a specific vulnerability exists in the SBOM:
target/release/zksbom-verifier verify \
--method "<method>" \
--commitment "<commitment>" \
--proof_path "<proof path>"
- method: Cryptographic method used
- commitment: Commitment representing the SBOM
- proof_path: Path to the proof file
Tip
Detailed examples are available in the zksbom-verifier README.
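The commands above form one pipeline: the vendor uploads an SBOM and publishes a commitment, the dependency-to-vulnerability mapping is refreshed, a proof is generated for a given CVE, and the verifier checks that proof against the commitment. The following Python model walks through that pipeline for the plain Merkle-tree method. It is an added example written for this page, not code from the zkSBOM repository, and it makes its own assumptions: SHA-256 with domain-separated leaf and inner-node hashing, sorted and deduplicated leaves, a fixed sentinel for padding odd levels, a constructed SBOM of placeholder purls, and a constructed vulnerability mapping whose identifiers (EXAMPLE-VULN-1, EXAMPLE-VULN-2) are placeholders rather than real CVEs. The real tool reads SBOM files, writes proofs to disk and exposes the flags documented above; none of that is modelled here.

```python
"""Toy model of the zkSBOM Merkle-tree flow: commit to an SBOM, prove that a
vulnerable dependency is present, verify the proof against the commitment
without seeing the rest of the SBOM.  Added example, not the project's code."""
import hashlib


# Domain-separated hashing so a leaf can never be mistaken for an inner node.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(dependency: str) -> bytes:
    return _h(b"\x00" + dependency.encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


# Padding for odd-length levels; its prefix differs from real leaves and nodes.
EMPTY = _h(b"\x02zksbom-example-empty")


def build_levels(dependencies):
    """All tree levels, leaves first.  Leaves are sorted and deduplicated so the
    commitment does not depend on the order in which the SBOM lists them."""
    levels = [[leaf_hash(d) for d in sorted(set(dependencies))]]
    while len(levels[-1]) > 1:
        cur = list(levels[-1])
        if len(cur) % 2:
            cur.append(EMPTY)
        levels[-1] = cur  # keep the padded level so sibling lookups stay valid
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def commitment(dependencies) -> str:
    """What the vendor publishes: the Merkle root (analogue of get_commitment)."""
    return build_levels(dependencies)[-1][0].hex()


def inclusion_proof(dependencies, dependency) -> dict:
    """Authentication path for one leaf.  Reveals that leaf and the tree depth,
    nothing else about the SBOM."""
    ordered = sorted(set(dependencies))
    idx = ordered.index(dependency)
    path, pos = [], idx
    for level in build_levels(dependencies)[:-1]:
        path.append(level[pos ^ 1].hex())
        pos //= 2
    return {"dependency": dependency, "index": idx, "path": path}


def verify_inclusion(commit: str, proof: dict) -> bool:
    """Recompute the root from the leaf and its siblings; compare to the commitment."""
    node = leaf_hash(proof["dependency"])
    pos = proof["index"]
    for sib_hex in proof["path"]:
        sib = bytes.fromhex(sib_hex)
        node = node_hash(node, sib) if pos % 2 == 0 else node_hash(sib, node)
        pos //= 2
    return node.hex() == commit


# --- constructed data standing in for the tool's inputs -----------------------
SBOM_DEPS = [  # constructed SBOM contents (purls), not a real product
    "pkg:cargo/libfoo@1.2.3", "pkg:cargo/libbar@0.9.1", "pkg:cargo/libbaz@4.0.0",
    "pkg:cargo/libqux@2.2.2", "pkg:cargo/libquux@7.1.0",
]
# Constructed dependency->vulnerability mapping, the kind of data that
# map_vulnerabilities refreshes.  The identifiers are placeholders, not real CVEs.
VULN_MAP = {
    "EXAMPLE-VULN-1": {"pkg:cargo/libbaz@4.0.0"},
    "EXAMPLE-VULN-2": {"pkg:cargo/libnope@1.0.0"},
}


def get_zkp(sbom, vuln_map, vuln_id):
    """Prover side (analogue of get_zkp): a proof for the first dependency affected
    by vuln_id, or None when the SBOM contains no affected package."""
    affected = [d for d in sorted(set(sbom)) if d in vuln_map.get(vuln_id, set())]
    return inclusion_proof(sbom, affected[0]) if affected else None


def verifier_verify(commit, proof, vuln_map, vuln_id) -> bool:
    """Verifier side: the path must chain to the commitment AND the revealed leaf
    must be a package the verifier independently knows is affected by vuln_id.
    Without the second check a vendor could 'prove' any harmless dependency."""
    return (proof["dependency"] in vuln_map.get(vuln_id, set())
            and verify_inclusion(commit, proof))


if __name__ == "__main__":
    c = commitment(SBOM_DEPS)
    p = get_zkp(SBOM_DEPS, VULN_MAP, "EXAMPLE-VULN-1")
    print("commitment:", c)
    print("proof:", p)
    print("verified:", verifier_verify(c, p, VULN_MAP, "EXAMPLE-VULN-1"))
```

Two points the model makes explicit: the verifier needs its own copy of the vulnerability mapping, because the proof only shows that some leaf is in the tree and the verifier must decide whether that leaf is the vulnerable package for the CVE in question; and a plain Merkle inclusion proof still leaks the tree depth, which is roughly the number of dependencies. That leakage is one reason the PoC also offers sparse Merkle trees and oZKS.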