I often can't get over how small the world actually is.

Earlier this year, I attended the Second Annual SBOM meetup after the first day of the RSA conference. The venue was at a little bar on Minna Street, tucked away underneath the skyscrapers of San Francisco.

The bar was filled with quite a few familiar faces and after grabbing a cold beer, a hand reached out through the crowd to shake mine. Standing in front of me was Ritesh Noronha.

I'd never met Ritesh before - or so I thought for a brief moment. He asked me if I had coded "bomber" - an open source project that scans for security vulnerabilities. He then explained that he had been following the project for a long time, and had commented on some of the issues in the project. It turns out we had met before - on GitHub.

The odds of meeting each other at an event in San Francisco seemed almost infinite, but here we were discussing SBOMs and Open Source.

It turns out that Ritesh and his business partner, Surendra Pathak had also been building incredible open source tools to work with SBOMs and during our discussion we all started to talk about Quality.

SBOM formats are notorious for being so flexible that any tool can potentially create one that could just be a collection of "NO ATTESTATION" values - and this potentially renders them semi-useless - but Ritesh and Surendra have been busy creating open source tools that provide an SBOM quality score.

Need to see if an SBOM conforms to the minimum requirements as specified by NTIA? Then you really understand that quality matters.

Welcome back to daBOM.