
Deutsche Bahn's Approach to Large-Scale SBOM Collection and Use

UD2.208 (Decroly) | Day 2 | 12:00 - 12:20 | Speakers: Max Mehl


Abstract

500,000 SBOMs -- that's the scale of Deutsche Bahn's software supply chain. We will show how we extend our automated collection of Source, Build, Artifact, and Runtime SBOMs from both internal systems and external suppliers, and how we make this data usable. In doing so, we understand that SBOMs are not a tool by themselves but a supporting method for various use cases. To facilitate them, we heavily rely on FOSS tools, enriched with our own logic to fit into our enterprise architecture. You love diagrams? We have them!

But tools and clever ideas aren't enough. We need people to integrate them into pipelines and continuously monitor the quality of the resulting SBOMs and derived findings. We depend on cooperation from operators of related internal services. And we also need support from our governance stakeholders. Join this session to hear about our journey, where we stand today, and what lies ahead.
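To make the two points above concrete (SBOMs collected at several stages, and the need to monitor the quality of what comes out), here is an added example that is not code from the talk or from Deutsche Bahn's tooling. It assumes that each stage SBOM is a CycloneDX 1.5 JSON document whose components carry package URLs (purls), compares the source, build, artifact and runtime SBOMs of one product, and reports components without a purl, components that appear or vanish between stages, and versions that drift between stages. The product name, the stage set and every component in the sample SBOMs are constructed for the example.

```python
"""Cross-stage SBOM consistency check (added example, not the talk's code).

Assumptions (not from the talk): CycloneDX 1.5 JSON, components identified
by purl, and one product tracked through source -> build -> artifact -> runtime.
"""
import json
from collections import defaultdict

STAGES = ["source", "build", "artifact", "runtime"]  # assumed stage order


def split_purl(purl):
    """Return (base purl, version) for pkg:type/namespace/name@version?q#sub.

    The version is the '@' inside the last path segment; a leading '@' in a
    namespace such as pkg:npm/@angular/core is not a version separator.
    """
    core = purl.split("#", 1)[0].split("?", 1)[0]
    head, sep, tail = core.rpartition("/")
    if "@" in tail:
        name, _, version = tail.partition("@")
        return f"{head}{sep}{name}", version
    return core, None


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_index(sbom):
    """Map base purl -> version; also collect components that lack a purl,
    since those can neither be correlated across stages nor matched to
    vulnerability data."""
    index, no_purl = {}, []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            no_purl.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        index[base] = version
    return index, no_purl


def check_stages(sbom_texts):
    """Compare consecutive stage SBOMs (stage name -> JSON text) of one product.
    Stages missing from the mapping are skipped."""
    present = [s for s in STAGES if s in sbom_texts]
    indexes = {}
    findings = {"missing_purl": [], "added": {}, "dropped": {}, "version_drift": []}
    for stage in present:
        indexes[stage], no_purl = component_index(load_sbom(sbom_texts[stage]))
        findings["missing_purl"] += [(stage, name) for name in no_purl]
    for prev, cur in zip(present, present[1:]):
        findings["added"][cur] = sorted(set(indexes[cur]) - set(indexes[prev]))
        findings["dropped"][cur] = sorted(set(indexes[prev]) - set(indexes[cur]))
    versions = defaultdict(dict)
    for stage in present:
        for base, version in indexes[stage].items():
            versions[base][stage] = version
    for base, by_stage in sorted(versions.items(), key=lambda kv: kv[0]):
        if len(set(by_stage.values())) > 1:
            findings["version_drift"].append((base, by_stage))
    return findings


def _cdx(product, components):
    """Minimal CycloneDX 1.5 document (constructed sample data)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": product, "version": "2.3.1"}},
        "components": components,
    })


# Constructed sample SBOMs for a hypothetical product "ticket-service".
JACKSON_DB = {"type": "library", "name": "jackson-databind",
              "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
JACKSON_CORE = {"type": "library", "name": "jackson-core",
                "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2"}
LOG4J = {"type": "library", "name": "log4j-core",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"}
AGENT = {"type": "application", "name": "vendor-agent"}  # supplier component, no purl
SAMPLE_SBOMS = {
    "source": _cdx("ticket-service", [JACKSON_DB, LOG4J]),
    "build": _cdx("ticket-service", [JACKSON_DB, JACKSON_CORE, LOG4J]),  # transitive dep resolved
    "artifact": _cdx("ticket-service", [JACKSON_DB, JACKSON_CORE, LOG4J, AGENT, {
        "type": "library", "name": "openssl",
        "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64"}]),  # from base image
    "runtime": _cdx("ticket-service", [JACKSON_DB, JACKSON_CORE, LOG4J, AGENT, {
        "type": "library", "name": "openssl",
        "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"}]),  # patched after build
}

if __name__ == "__main__":
    for key, value in check_stages(SAMPLE_SBOMS).items():
        print(f"{key}: {value}")
```

Run against the sample data, the check flags the supplier component that cannot be correlated (no purl in the artifact and runtime SBOMs), shows jackson-core appearing at build time and openssl appearing with the container base image, and reports the openssl version drift between the scanned artifact and what actually runs, which is exactly the kind of finding that needs a person to decide whether the collection or the deployment is at fault.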

Note: This talk is a follow-up to the session Software Supply Chain Strategy at Deutsche Bahn that puts an emphasis on the overall strategy and organizational implementation.


Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found here. Changes made to the image: cropped to a new ratio, so part of the image was cut off.