This work addresses the tension between SBOM transparency and the protection of confidential metadata (e.g., intellectual property, vulnerability details). To resolve this, we propose Petra—a format-agnostic, cryptographically verifiable SBOM representation model enabling vendors to selectively encrypt sensitive fields while allowing consumers to efficiently query critical security attributes without decrypting the entire SBOM. Petra innovatively integrates redacted SBOM representations, lightweight integrity proofs, and searchable encryption to achieve trusted, interoperable SBOM distribution and auditability. Our prototype evaluation demonstrates that each SBOM incurs less than 1 KB of storage overhead, and decryption overhead during querying accounts for at most 1% of total query latency—achieving a strong balance among security, performance, and resource efficiency.

Software Bills of Materials (SBOMs) have become a regulatory requirement for improving software supply chain security and trust by means of transparency regarding components that make up software artifacts. However, enterprise and regulated software vendors commonly wish to restrict who can view confidential software metadata recorded in their SBOMs due to intellectual property or security vulnerability information. To address this tension between transparency and confidentiality, we propose Petra, an SBOM exchange system that empowers software vendors to interoperably compose and distribute redacted SBOM data using selective encryption. Petra enables software consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Petra leverages a format-agnostic, tamper-evident SBOM representation to generate efficient and confidentiality-preserving integrity proofs, allowing interested parties to cryptographically audit and establish trust in redacted SBOMs. Exchanging redacted SBOMs in our Petra prototype requires less than 1 extra KB per SBOM, and SBOM decryption account for at most 1% of the performance overhead during an SBOM query.