This work addresses the challenge of sensitive information leakage in Software Bill of Materials (SBOM) sharing, which hinders transparent disclosure by organizations. To overcome this, the paper proposes the first verifiable SBOM selective disclosure framework that does not rely on trust in the publisher, leveraging zero-knowledge proofs to enable privacy-preserving verification of dependency authenticity and compliance. The framework integrates scalable vector commitments with folding-based proof aggregation to generate succinct and efficient zero-knowledge proofs. Experimental evaluation demonstrates that the approach efficiently supports private, verifiable, and scalable SBOM sharing on real-world package registries.

A Software Bill of Materials (SBOM) is a key component for the transparency of software supply chain; it is a structured inventory of the components, dependencies, and associated metadata of a software artifact. However, an SBOM often contain sensitive information that organizations are unwilling to disclose in full to anyone, for two main concerns: technological risks deriving from exposing proprietary dependencies or unpatched vulnerabilities, and business risks, deriving from exposing architectural strategies. Therefore, delivering a plaintext SBOM may result in the disruption of the intellectual property of a company. To address this, we present VeriSBOM, a trustless, selectively disclosed SBOM framework that provides cryptographic verifiability of SBOMs using zero-knowledge proofs. Within VeriSBOM, third parties can validate specific statements about a delivered software. Respectively, VeriSBOM allows independent third parties to verify if a software contains authentic dependencies distributed by official package managers and that the same dependencies satisfy rigorous policy constraints such as the absence of vulnerable dependencies or the adherence with specific licenses models. VeriSBOM leverages a scalable vector commitment scheme together with folding-based proof aggregation to produce succinct zero-knowledge proofs that attest to security and compliance properties while preserving confidentiality. Crucially, the verification process requires no trust in the SBOM publisher beyond the soundness of the underlying primitives, and third parties can independently check proofs against the public cryptographic commitments. We implement VeriSBOM, analyze its security, and evaluate its performance on real-world package registries. The results show that our method enables scalable, privacy-preserving, and verifiable SBOM sharing and validation.