Jake CSoftware Bills of Materials are becoming increasingly important, but inspecting one is not always a...
Software Bills of Materials are becoming increasingly important, but inspecting one is not always a pleasant experience.
An SPDX file can contain a large collection of packages, files, identifiers and relationships. Opening the raw JSON works, but it can be difficult to understand how everything connects—especially when you are reviewing an unfamiliar SBOM or trying to debug generated output.
So I built a free tool to make that process easier:
The PuffinNest SBOM Visualizer lets you load an SPDX JSON or JSON-LD file and inspect it in two different ways:
You can pan around the graph, zoom in and out, and expand or collapse object and array nodes while exploring the document.
SBOMs can contain information you may not want to upload to an unknown service, including package names, internal components and details about how a system is assembled.
For that reason, the visualizer processes the file locally in your browser. Your SBOM is not sent to a server for analysis.
You select a local SPDX file, the browser parses it, and the visualization is rendered on your device.
I’m working on PuffinNest, a container registry for teams that will include vulnerability scanning and automatic SBOM generation.
While working in this area, I wanted a quick way to inspect generated SPDX documents without repeatedly searching through raw JSON or uploading them to a third-party service.
The visualizer started as a practical internal tool, but it seemed useful enough to release publicly.
It is free to use and does not require an account.
You can use the tool here:
At the moment, it supports SPDX JSON and JSON-LD files.
I’d be interested to hear:
Feedback and problematic sample structures are particularly welcome.