A retrospective on Google’s SBOM implementation

H.2213 | Day 2 | 10:00 - 10:30 | Speakers: Brandon Lum, Marco Deicas

Stream opens at 10:00 (Europe/Brussels)

Abstract

This talk looks back on how we designed our Google-wide SBOM solution, exploring the technical challenges and trade-offs Google encountered while implementing SBOMs at scale, and how those decisions have aged almost 2 years on. We delve into the intricacies of generating and managing hundreds of millions of SBOMs (~4M SBOMs/week), ranging from design decisions in SBOM generation and trade-offs between build and analysis SBOMs, to hurdles in finding SBOMs and associating them with products. We will talk about how we are using SBOMs outside EO14028 compliance, and the challenges around SBOM data quality, accuracy and completeness that we face (software identifiers, analysis mishaps, etc.).

Speakers

Brandon Lum
Marco Deicas