Software Bill of Materials (SBOM) serves as a critical pillar in ensuring software supply chain security by providing a detailed inventory of the components and dependencies integral to software development. However, challenges abound in the sharing of SBOMs, including potential data tampering, hesitation among software vendors to disclose comprehensive information, and bespoke requirements from software procurers or users. These obstacles have stifled widespread adoption and utilization of SBOMs, underscoring the need for a more secure and flexible mechanism for SBOM sharing. This study proposes a novel solution to these challenges by introducing a blockchain-empowered approach for SBOM sharing, leveraging verifiable credentials to allow for selective disclosure. This strategy not only heightens security but also offers flexibility. Furthermore, this paper broadens the remit of SBOM to encompass AI systems, thereby coining the term AI Bill of Materials (AIBOM). This extension is motivated by the rapid progression in AI technology and the escalating necessity to track the lineage and composition of AI software and systems. Particularly in the era of foundational models like large language models (LLMs), understanding their composition and dependencies becomes crucial. These models often serve as a base for further development, creating complex dependencies and paving the way for innovative AI applications. The evaluation of our solution indicates the feasibility and flexibility of the proposed SBOM sharing mechanism, positing a new solution for securing (AI) software supply chains.

翻译：软件物料清单（SBOM）作为确保软件供应链安全的关键支柱，通过提供软件开发中所用组件及依赖项的详细清单来发挥作用。然而，SBOM的共享面临诸多挑战，包括潜在的数据篡改、软件供应商对全面披露信息的顾虑，以及软件采购方或用户的定制化需求。这些障碍抑制了SBOM的广泛采用与应用，凸显了建立更安全、更灵活的SBOM共享机制的必要性。本研究针对上述问题提出了一种创新解决方案，通过引入区块链赋能的SBOM共享方法，利用可验证凭证实现选择性披露。该策略不仅增强了安全性，还提供了灵活性。此外，本文还将SBOM的范畴扩展至人工智能系统，从而提出了“人工智能物料清单”（AIBOM）这一术语。这一扩展源于人工智能技术的快速发展，以及追踪AI软件与系统组成及演变链路的日益迫切需求。特别是在大语言模型（LLM）等基础模型时代，理解其构成与依赖关系变得至关重要。这些模型常作为二次开发的基础，形成复杂依赖关系，为创新AI应用铺平道路。本方案的评估结果表明，所提出的SBOM共享机制具有可行性与灵活性，为保障（人工智能）软件供应链安全提供了新方案。