Petra: SBOMs Without Oversharing for Confidential Supply Chain Transparency
Eman Abu Ishgair, Purdue University & Marcela Melara, Intel Corporation

Software Bills of Materials (SBOMs) are central to improving transparency and trust in modern software supply chains. However, organizations often hesitate to share complete SBOMs because of intellectual property or security concerns. This challenge is amplified in multi-tier supply chains, where SBOMs are routinely redistributed across vendors. We present Petra, a system that enables confidential, policy-bounded SBOM exchange without sacrificing verifiability. Petra lets producers selectively encrypt sensitive SBOM metadata while preserving the document's structural integrity, and lets authorized consumers search redacted SBOMs for answers to specific security questions without learning information they are not authorized to access. Importantly, Petra supports controlled redistribution: SBOMs can be shared across organizational boundaries while downstream access restrictions are enforced cryptographically. We discuss selective disclosure for real-world SPDX and CycloneDX SBOMs, cryptographically verifiable redactions, and practical deployment considerations. Through a demo, attendees will see how Petra enables secure SBOM sharing that supports transparency and compliance without oversharing.
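The abstract does not describe Petra's cryptographic construction, so the following is an added illustrative example, not Petra's code and not the authors' design. It shows the two properties the abstract names, structure-preserving redaction and verifiable redactions, using one simple primitive: each sensitive field is replaced in place by a keyed commitment (HMAC-SHA256 over the field's path and canonical JSON value), so the redacted document still parses as a CycloneDX-shaped SBOM, a consumer holding the disclosure key can check a disclosed value or test whether a given name@version is present, and a consumer without the key learns nothing beyond the public fields. The sample SBOM, the `SENSITIVE_NAMES` policy, the `components[i].field` path scheme and the per-SBOM disclosure key are all assumptions made for the example.

```python
"""Added illustrative example (not Petra's code): selective, verifiable
redaction of a CycloneDX-style SBOM using keyed hash commitments."""
import hashlib
import hmac
import json
import os
from copy import deepcopy

# Constructed sample SBOM: a CycloneDX-like subset, not a real product's BOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "internal-auth-lib", "version": "3.2.0",
         "purl": "pkg:generic/internal-auth-lib@3.2.0"},
    ],
}

# Assumed producer policy: components whose identity must not reach unauthorized parties.
SENSITIVE_NAMES = {"internal-auth-lib"}
REDACTED_FIELDS = ("name", "version", "purl")


def canonical(value) -> bytes:
    """Canonical JSON so producer and consumer hash identical bytes."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode()


def commit(key: bytes, path: str, value) -> str:
    """Keyed commitment to one field: HMAC-SHA256(key, path || 0x00 || canonical(value)).
    Binding the path prevents a commitment from being moved to another slot."""
    return hmac.new(key, path.encode() + b"\x00" + canonical(value),
                    hashlib.sha256).hexdigest()


def redact(sbom: dict, key: bytes, sensitive_names: set):
    """Replace sensitive fields by their commitments, keeping every key and array
    position so the result still has the shape of the original SBOM.
    Returns (redacted_sbom, disclosures) with disclosures mapping path -> plaintext."""
    out = deepcopy(sbom)
    disclosures = {}
    for i, comp in enumerate(out["components"]):
        if comp["name"] in sensitive_names:
            for field in REDACTED_FIELDS:
                path = f"components[{i}].{field}"
                disclosures[path] = comp[field]
                comp[field] = {"redacted": commit(key, path, comp[field])}
    return out, disclosures


def digest(sbom: dict) -> str:
    """Digest of the redacted document; this is what the producer would sign so that
    downstream recipients can detect alteration during redistribution."""
    return hashlib.sha256(canonical(sbom)).hexdigest()


def slot(sbom: dict, path: str):
    """Resolve an assumed 'components[i].field' path to the value stored there."""
    idx, field = path[len("components["):].split("].")
    return sbom["components"][int(idx)][field]


def verify_disclosure(redacted: dict, key: bytes, path: str, value) -> bool:
    """An authorized consumer checks a disclosed plaintext against the commitment
    that sits in the redacted SBOM at that path."""
    s = slot(redacted, path)
    return isinstance(s, dict) and "redacted" in s and \
        hmac.compare_digest(s["redacted"], commit(key, path, value))


def contains_component(redacted: dict, key, name: str, version: str) -> bool:
    """Answer 'does this SBOM contain name@version?' over the redacted document.
    Public fields compare directly; redacted fields can only be matched by a key
    holder (key is None for an unauthorized consumer), who recomputes the
    commitment for the candidate value instead of decrypting anything."""
    for i, comp in enumerate(redacted["components"]):
        ok = True
        for field, want in (("name", name), ("version", version)):
            s = comp[field]
            if isinstance(s, dict):
                ok = key is not None and verify_disclosure(
                    redacted, key, f"components[{i}].{field}", want)
            else:
                ok = (s == want)
            if not ok:
                break
        if ok:
            return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # per-SBOM disclosure key, given only to authorized consumers
    redacted, disclosures = redact(SAMPLE_SBOM, key, SENSITIVE_NAMES)
    print(json.dumps(redacted, indent=2))
    print("signed digest:", digest(redacted))
    print("authorized query:", contains_component(redacted, key, "internal-auth-lib", "3.2.0"))
    print("unauthorized query:", contains_component(redacted, None, "internal-auth-lib", "3.2.0"))
```

Because the commitments are keyed, an unauthorized recipient cannot recover low-entropy values such as version strings by guessing, yet the signed digest of the redacted document lets every recipient, authorized or not, verify that the copy they received was not altered on its way through the supply chain. What this example does not model is the part of Petra the abstract highlights as its distinguishing feature: policy-bounded redistribution, where access restrictions are enforced cryptographically as the SBOM passes further downstream. A single shared disclosure key would need to be replaced by per-consumer or per-field keys to get there.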