Buiding Browser-Based SBOM Visualizer

# devops# docker# software# javascript
Buiding Browser-Based SBOM VisualizerJake C

Software Bills of Materials are becoming increasingly important, but inspecting one is not always a...

Software Bills of Materials are becoming increasingly important, but inspecting one is not always a pleasant experience.

An SPDX file can contain a large collection of packages, files, identifiers and relationships. Opening the raw JSON works, but it can be difficult to understand how everything connects—especially when you are reviewing an unfamiliar SBOM or trying to debug generated output.

So I built a free tool to make that process easier:

https://tools.puffinnest.com/

What it does

The PuffinNest SBOM Visualizer lets you load an SPDX JSON or JSON-LD file and inspect it in two different ways:

  • A collapsible JSON tree for exploring the underlying document
  • An interactive graph for examining SPDX entities and relationships

You can pan around the graph, zoom in and out, and expand or collapse object and array nodes while exploring the document.

Your SBOM stays in your browser

SBOMs can contain information you may not want to upload to an unknown service, including package names, internal components and details about how a system is assembled.

For that reason, the visualizer processes the file locally in your browser. Your SBOM is not sent to a server for analysis.

You select a local SPDX file, the browser parses it, and the visualization is rendered on your device.

Why I built it

I’m working on PuffinNest, a container registry for teams that will include vulnerability scanning and automatic SBOM generation.

While working in this area, I wanted a quick way to inspect generated SPDX documents without repeatedly searching through raw JSON or uploading them to a third-party service.

The visualizer started as a practical internal tool, but it seemed useful enough to release publicly.

It is free to use and does not require an account.

Try it

You can use the tool here:

https://tools.puffinnest.com/

At the moment, it supports SPDX JSON and JSON-LD files.

I’d be interested to hear:

  • What types of SBOMs are you working with?
  • Which formats should the tool support next?
  • What would make the graph more useful during debugging or security reviews?

Feedback and problematic sample structures are particularly welcome.