Software Bill of Materials

What is it?

The Software Bill of Materials (SBOM) is an inventory of components used in building Synadia Platform. The SBOM provides transparency into software dependencies, including versions and licensing, and allows for easier compliance and vulnerability identification.

Each platform component publishes its SBOM in the SPDX format as a release asset in the linked repository. For a simpler view, each component below includes a table of all the dependencies for a build of the current release.

The tooling used to generate the SBOMs is sometimes over-inclusive, including dependencies only used for testing. The summaries here are generated via Go-aware tooling which includes fewer extra matches. We exclude Synadia Proprietary code from these summaries.

NATS

nats-io/nats-server

License	Dependencies
Apache-2.0	6 dependencies github.com/klauspost/compress github.com/minio/highwayhash github.com/nats-io/jwt github.com/nats-io/nats-server github.com/nats-io/nkeys github.com/nats-io/nuid
BSD-3-Clause	5 dependencies github.com/klauspost/compress github.com/nats-io/nats-server golang.org/x/crypto golang.org/x/sys golang.org/x/time
MIT	2 dependencies github.com/antithesishq/antithesis-sdk-go github.com/klauspost/compress

Control Plane

synadia-io/control-plane

License	Dependencies
Apache-2.0	109 dependencies cloud.google.com/go cuelang.org/go github.com/Masterminds/goutils github.com/aws/aws-sdk-go-v2 github.com/aws/smithy-go github.com/cockroachdb/apd github.com/cockroachdb/cockroach-go github.com/containerd/containerd github.com/containerd/continuity github.com/containerd/errdefs github.com/containerd/log github.com/containerd/platforms github.com/coreos/go-oidc github.com/dgraph-io/ristretto github.com/docker/cli github.com/docker/docker github.com/docker/go-connections github.com/docker/go-units github.com/go-ini/ini github.com/go-jose/go-jose github.com/go-logr/logr github.com/go-logr/stdr github.com/go-openapi/errors github.com/go-openapi/jsonpointer github.com/go-openapi/jsonreference github.com/go-openapi/strfmt github.com/go-openapi/swag github.com/golang/glog github.com/google/btree github.com/google/gnostic-models github.com/google/go-jsonnet github.com/google/go-tpm github.com/google/s2a-go github.com/google/shlex github.com/google/wire github.com/googleapis/enterprise-certificate-proxy github.com/grpc-ecosystem/go-grpc-prometheus github.com/jonboulle/clockwork github.com/klauspost/compress github.com/kylelemons/godebug github.com/minio/highwayhash github.com/moby/docker-image-spec github.com/moby/spdystream github.com/moby/term github.com/modern-go/concurrent github.com/modern-go/reflect2 github.com/nats-io/jsm.go github.com/nats-io/jwt github.com/nats-io/nats-server github.com/nats-io/nats-surveyor github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/oklog/ulid github.com/open-policy-agent/opa github.com/opencontainers/go-digest github.com/opencontainers/image-spec github.com/opencontainers/runc github.com/openzipkin/zipkin-go github.com/ory/dockertest github.com/ory/herodot github.com/ory/hydra-client-go github.com/ory/kratos github.com/ory/kratos-client-go github.com/ory/x github.com/pelletier/go-toml github.com/petermattis/goid github.com/pquerna/otp github.com/prometheus/client_golang github.com/prometheus/client_model github.com/prometheus/common github.com/prometheus/procfs github.com/santhosh-tekuri/jsonschema github.com/sasha-s/go-deadlock github.com/sethvargo/go-retry github.com/spf13/cobra github.com/xeipuuv/gojsonpointer github.com/xeipuuv/gojsonreference github.com/xeipuuv/gojsonschema github.com/yashtewari/glob-intersection github.com/zmb3/spotify go.mongodb.org/mongo-driver go.opentelemetry.io/auto go.opentelemetry.io/contrib go.opentelemetry.io/otel go.opentelemetry.io/proto go.yaml.in/yaml/v2 gocloud.dev google.golang.org/genproto google.golang.org/grpc gopkg.in/yaml.v2 helm.sh/helm/v3 k8s.io/api k8s.io/apiextensions-apiserver k8s.io/apimachinery k8s.io/apiserver k8s.io/cli-runtime k8s.io/client-go k8s.io/component-base k8s.io/klog k8s.io/kube-openapi k8s.io/kubectl k8s.io/utils oras.land/oras-go/v2 sigs.k8s.io/json sigs.k8s.io/kustomize sigs.k8s.io/randfill sigs.k8s.io/structured-merge-diff sigs.k8s.io/yaml
BSD-2-Clause	12 dependencies github.com/Nvveen/Gotty github.com/go-webauthn/x github.com/gobuffalo/github_flavored_markdown github.com/gorilla/websocket github.com/ory/dockertest github.com/pkg/browser github.com/pkg/errors github.com/rcrowley/go-metrics github.com/russross/blackfriday github.com/slack-go/slack github.com/volatiletech/null github.com/zeebo/xxh3
BSD-3-Clause	72 dependencies dario.cat/mergo filippo.io/edwards25519 github.com/arbovm/levenshtein github.com/aws/aws-sdk-go-v2 github.com/aws/smithy-go github.com/bwmarrin/discordgo github.com/chai2010/gettext-go github.com/cyphar/filepath-securejoin github.com/ericlagergren/decimal github.com/evanphx/json-patch github.com/fsnotify/fsnotify github.com/go-crypt/x github.com/go-jose/go-jose github.com/go-json-experiment/json github.com/go-webauthn/webauthn github.com/gogo/protobuf github.com/golang/gddo github.com/golang/protobuf github.com/google/go-github github.com/google/go-querystring github.com/google/uuid github.com/googleapis/gax-go github.com/gorilla/css github.com/gorilla/securecookie github.com/gorilla/sessions github.com/grpc-ecosystem/grpc-gateway github.com/hashicorp/golang-lru github.com/inhies/go-bytesize github.com/julienschmidt/httprouter github.com/klauspost/compress github.com/liggitt/tabwriter github.com/microcosm-cc/bluemonday github.com/munnerz/goautoneg github.com/mxk/go-flowrate github.com/nats-io/nats-server github.com/open-policy-agent/opa github.com/ory/jsonschema github.com/phayes/freeport github.com/pmezard/go-difflib github.com/prometheus/client_golang github.com/rogpeppe/go-internal github.com/seatgeek/logrus-gelf-formatter github.com/sourcegraph/annotate github.com/sourcegraph/syntaxhighlight github.com/spf13/pflag github.com/ulikunitz/xz github.com/volatiletech/randomize github.com/volatiletech/sqlboiler github.com/volatiletech/strmangle go.opentelemetry.io/contrib go.opentelemetry.io/otel golang.org/x/crypto golang.org/x/exp golang.org/x/mod golang.org/x/net golang.org/x/oauth2 golang.org/x/sync golang.org/x/sys golang.org/x/term golang.org/x/text golang.org/x/time golang.org/x/xerrors google.golang.org/api google.golang.org/protobuf gopkg.in/evanphx/json-patch.v4 gopkg.in/inf.v0 k8s.io/apimachinery k8s.io/client-go k8s.io/kube-openapi k8s.io/utils sigs.k8s.io/json sigs.k8s.io/yaml
CC0-1.0	1 dependency github.com/gtank/cryptopasta
GNU-All-permissive-Copying-License	1 dependency go.opentelemetry.io/otel
ISC	1 dependency github.com/davecgh/go-spew
MIT	141 dependencies code.dny.dev/ssrf github.com/Azure/azure-sdk-for-go github.com/AzureAD/microsoft-authentication-library-for-go github.com/BurntSushi/toml github.com/MakeNowJust/heredoc github.com/Masterminds/semver github.com/Masterminds/sprig github.com/Masterminds/squirrel github.com/agnivade/levenshtein github.com/antithesishq/antithesis-sdk-go github.com/antonfisher/nested-logrus-formatter github.com/asaskevich/govalidator github.com/avast/retry-go github.com/aymerick/douceur github.com/beorn7/perks github.com/blang/semver github.com/boombuler/barcode github.com/cenkalti/backoff github.com/cespare/xxhash github.com/choria-io/fisk github.com/clipperhouse/stringish github.com/clipperhouse/uax29 github.com/dghubble/oauth1 github.com/dgraph-io/ristretto github.com/dustin/go-humanize github.com/emicklei/go-restful github.com/exponent-io/jsonpath github.com/expr-lang/expr github.com/fatih/color github.com/fatih/structs github.com/felixge/httpsnoop github.com/friendsofgo/errors github.com/fxamacker/cbor github.com/gabriel-vasile/mimetype github.com/go-chi/chi github.com/go-chi/httprate github.com/go-co-op/gocron github.com/go-crypt/crypt github.com/go-errors/errors github.com/go-faker/faker github.com/go-gorp/gorp github.com/go-playground/locales github.com/go-playground/universal-translator github.com/go-playground/validator github.com/go-viper/mapstructure github.com/gobuffalo/envy github.com/gobuffalo/fizz github.com/gobuffalo/flect github.com/gobuffalo/github_flavored_markdown github.com/gobuffalo/helpers github.com/gobuffalo/nulls github.com/gobuffalo/plush github.com/gobuffalo/pop github.com/gobuffalo/tags github.com/gobuffalo/validate github.com/gobwas/glob github.com/goccy/go-yaml github.com/gofrs/uuid github.com/golang-jwt/jwt github.com/gosuri/uitable github.com/gregjones/httpcache github.com/huandu/xstrings github.com/jackc/chunkreader github.com/jackc/pgconn github.com/jackc/pgio github.com/jackc/pgpassfile github.com/jackc/pgproto3 github.com/jackc/pgservicefile github.com/jackc/pgtype github.com/jackc/pgx github.com/jackc/puddle github.com/jedib0t/go-pretty github.com/jellydator/ttlcache github.com/jmoiron/sqlx github.com/joho/godotenv github.com/josharian/intern github.com/json-iterator/go github.com/kballard/go-shellquote github.com/klauspost/compress github.com/klauspost/cpuid github.com/knadh/koanf github.com/laher/mergefs github.com/lann/builder github.com/lann/ps github.com/leodido/go-urn github.com/lestrrat-go/backoff github.com/lestrrat-go/blackmagic github.com/lestrrat-go/httpcc github.com/lestrrat-go/httprc github.com/lestrrat-go/iter github.com/lestrrat-go/jwx github.com/lestrrat-go/option github.com/lib/pq github.com/luna-duclos/instrumentedsql github.com/mailru/easyjson github.com/mattn/go-colorable github.com/mattn/go-isatty github.com/mattn/go-runewidth github.com/mfridman/interpolate github.com/mitchellh/copystructure github.com/mitchellh/go-wordwrap github.com/mitchellh/mapstructure github.com/mitchellh/reflectwalk github.com/mohae/deepcopy github.com/monochromegane/go-gitignore github.com/nyaruka/phonenumbers github.com/ory/mail github.com/ory/nosurf github.com/ory/x github.com/pelletier/go-toml github.com/peterbourgon/diskv github.com/peterhellberg/link github.com/pressly/goose github.com/robfig/cron github.com/rs/cors github.com/rubenv/sql-migrate github.com/samber/lo github.com/segmentio/ksuid github.com/sergi/go-diff github.com/shopspring/decimal github.com/sirupsen/logrus github.com/spf13/cast github.com/sqlc-dev/pqtype github.com/stretchr/testify github.com/tchap/go-patricia github.com/tidwall/gjson github.com/tidwall/match github.com/tidwall/pretty github.com/tidwall/sjson github.com/urfave/negroni github.com/valyala/fastjson github.com/vektah/gqlparser github.com/volatiletech/inflect github.com/wI2L/jsondiff github.com/x448/float16 github.com/xlab/treeprint go.uber.org/multierr go.yaml.in/yaml/v3 gopkg.in/natefinch/lumberjack.v2 gopkg.in/yaml.v3 sigs.k8s.io/yaml
MPL-2.0	7 dependencies github.com/cyphar/filepath-securejoin github.com/go-sql-driver/mysql github.com/hashicorp/errwrap github.com/hashicorp/go-cleanhttp github.com/hashicorp/go-multierror github.com/hashicorp/go-retryablehttp github.com/hashicorp/golang-lru
Unlicense	1 dependency github.com/akamensky/base58

Private Link

synadia-io/private-link

No external dependencies.

HTTP Gateway

synadia-io/http-gateway

License	Dependencies
Apache-2.0	13 dependencies github.com/klauspost/compress github.com/minio/highwayhash github.com/nats-io/jsm.go github.com/nats-io/jwt github.com/nats-io/nats-server github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/prometheus/client_golang github.com/prometheus/client_model github.com/prometheus/common github.com/prometheus/procfs go.yaml.in/yaml/v2
BSD-2-Clause	1 dependency github.com/bits-and-blooms/bloom
BSD-3-Clause	12 dependencies github.com/bits-and-blooms/bitset github.com/klauspost/compress github.com/munnerz/goautoneg github.com/nats-io/nats-server github.com/prometheus/client_golang golang.org/x/crypto golang.org/x/net golang.org/x/sys golang.org/x/term golang.org/x/text golang.org/x/time google.golang.org/protobuf
MIT	24 dependencies github.com/AlecAivazis/survey github.com/antithesishq/antithesis-sdk-go github.com/beorn7/perks github.com/cespare/xxhash github.com/choria-io/fisk github.com/clipperhouse/uax29 github.com/dustin/go-humanize github.com/expr-lang/expr github.com/go-chi/chi github.com/go-chi/cors github.com/jedib0t/go-pretty github.com/kballard/go-shellquote github.com/klauspost/compress github.com/mattn/go-colorable github.com/mattn/go-isatty github.com/mattn/go-runewidth github.com/mgutz/ansi github.com/quic-go/qpack github.com/quic-go/quic-go github.com/tidwall/gjson github.com/tidwall/match github.com/tidwall/pretty github.com/tidwall/sjson gopkg.in/yaml.v3
Unlicense	1 dependency github.com/akamensky/base58

Workloads

synadia-io/nex-ce

License	Dependencies
Apache-2.0	16 dependencies github.com/goombaio/namegenerator github.com/klauspost/compress github.com/minio/highwayhash github.com/nats-io/jsm.go github.com/nats-io/jwt github.com/nats-io/nats-server github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/prometheus/client_golang github.com/prometheus/client_model github.com/prometheus/common github.com/prometheus/procfs github.com/santhosh-tekuri/jsonschema github.com/synadia-io/orbit.go go.yaml.in/yaml/v2
BSD-3-Clause	14 dependencies github.com/atotto/clipboard github.com/klauspost/compress github.com/munnerz/goautoneg github.com/nats-io/nats-server github.com/prometheus/client_golang golang.org/x/crypto golang.org/x/mod golang.org/x/net golang.org/x/sync golang.org/x/sys golang.org/x/term golang.org/x/text golang.org/x/time google.golang.org/protobuf
MIT	28 dependencies disorder.dev/shandler github.com/alecthomas/kong github.com/antithesishq/antithesis-sdk-go github.com/aymanbagabas/go-osc52 github.com/beorn7/perks github.com/catppuccin/go github.com/cespare/xxhash github.com/charmbracelet/bubbles github.com/charmbracelet/bubbletea github.com/charmbracelet/colorprofile github.com/charmbracelet/huh github.com/charmbracelet/lipgloss github.com/charmbracelet/x github.com/clipperhouse/displaywidth github.com/clipperhouse/uax29 github.com/dustin/go-humanize github.com/expr-lang/expr github.com/klauspost/compress github.com/lucasb-eyer/go-colorful github.com/mattn/go-isatty github.com/mattn/go-runewidth github.com/mitchellh/hashstructure github.com/muesli/ansi github.com/muesli/cancelreader github.com/muesli/termenv github.com/rivo/uniseg github.com/xo/terminfo gopkg.in/yaml.v3

Connectors

synadia-io/connect-node

License	Dependencies
Apache-2.0	20 dependencies github.com/go-git/go-billy github.com/go-git/go-git github.com/golang/groupcache github.com/klauspost/compress github.com/minio/highwayhash github.com/nats-io/jsm.go github.com/nats-io/jwt github.com/nats-io/nats-server github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/pjbgf/sha1cd github.com/prometheus/client_golang github.com/prometheus/client_model github.com/prometheus/common github.com/prometheus/procfs github.com/santhosh-tekuri/jsonschema github.com/skeema/knownhosts github.com/synadia-io/orbit.go github.com/xanzy/ssh-agent
BSD-2-Clause	2 dependencies github.com/emirpasic/gods gopkg.in/warnings.v0
BSD-3-Clause	17 dependencies dario.cat/mergo github.com/ProtonMail/go-crypto github.com/cloudflare/circl github.com/cyphar/filepath-securejoin github.com/evanphx/json-patch github.com/go-git/gcfg github.com/klauspost/compress github.com/munnerz/goautoneg github.com/nats-io/nats-server github.com/prometheus/client_golang golang.org/x/crypto golang.org/x/net golang.org/x/sys golang.org/x/term golang.org/x/text golang.org/x/time google.golang.org/protobuf
ISC	1 dependency github.com/emirpasic/gods
MIT	24 dependencies disorder.dev/shandler github.com/aymanbagabas/go-osc52 github.com/beorn7/perks github.com/cespare/xxhash github.com/charmbracelet/colorprofile github.com/charmbracelet/lipgloss github.com/charmbracelet/x github.com/choria-io/fisk github.com/dustin/go-humanize github.com/expr-lang/expr github.com/jbenet/go-context github.com/kevinburke/ssh_config github.com/klauspost/compress github.com/lucasb-eyer/go-colorful github.com/mattn/go-colorable github.com/mattn/go-isatty github.com/mattn/go-runewidth github.com/muesli/termenv github.com/rivo/uniseg github.com/rs/xid github.com/rs/zerolog github.com/sergi/go-diff github.com/xo/terminfo gopkg.in/yaml.v3

synadia-io/connect-runtime-wombat

License	Dependencies
Apache-2.0	115 dependencies buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate buf.build/gen/go/bufbuild/reflect/connectrpc/go/buf/reflect/v1beta1/reflectv1beta1connect buf.build/gen/go/bufbuild/reflect/protocolbuffers/go/buf/reflect/v1beta1 cel.dev/expr cloud.google.com/go connectrpc.com/connect cuelang.org/go github.com/AthenZ/athenz github.com/GoogleCloudPlatform/opentelemetry-operations-go github.com/Jeffail/grok github.com/OneOfOne/xxhash github.com/apache/arrow github.com/apache/arrow-go github.com/apache/pulsar-client-go github.com/apache/thrift github.com/ardielle/ardielle-go github.com/authzed/authzed-go github.com/authzed/grpcutil github.com/aws/aws-lambda-go github.com/aws/aws-sdk-go-v2 github.com/aws/smithy-go github.com/bradfitz/gomemcache github.com/bufbuild/protocompile github.com/bufbuild/prototransform github.com/cncf/xds github.com/cockroachdb/apd github.com/couchbase/gocb github.com/couchbase/gocbcore github.com/couchbase/gocbcoreps github.com/couchbase/goprotostellar github.com/couchbaselabs/gocbconnstr github.com/dgraph-io/ristretto github.com/elastic/elastic-transport-go github.com/elastic/go-elasticsearch github.com/envoyproxy/go-control-plane github.com/envoyproxy/protoc-gen-validate github.com/go-git/go-billy github.com/go-git/go-git github.com/go-jose/go-jose github.com/go-logr/logr github.com/go-logr/stdr github.com/gocql/gocql github.com/golang/groupcache github.com/google/flatbuffers github.com/google/martian github.com/google/pprof github.com/google/s2a-go github.com/google/shlex github.com/googleapis/enterprise-certificate-proxy github.com/gosimple/unidecode github.com/grpc-ecosystem/go-grpc-middleware github.com/jcmturner/aescts github.com/jcmturner/dnsutils github.com/jcmturner/gokrb5 github.com/jcmturner/rpc github.com/jhump/protoreflect github.com/jmespath/go-jmespath github.com/jzelinskie/stringz github.com/klauspost/compress github.com/kylelemons/godebug github.com/linkedin/goavro github.com/modern-go/concurrent github.com/modern-go/reflect2 github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/nats-io/stan.go github.com/neo4j/neo4j-go-driver github.com/oapi-codegen/runtime github.com/oklog/ulid github.com/opensearch-project/opensearch-go github.com/parquet-go/parquet-go github.com/pinecone-io/go-pinecone github.com/pjbgf/sha1cd github.com/prometheus/client_golang github.com/prometheus/client_model github.com/prometheus/common github.com/prometheus/procfs github.com/qdrant/go-client github.com/questdb/go-questdb-client github.com/redpanda-data/connect github.com/skeema/knownhosts github.com/snowflakedb/gosnowflake github.com/spiffe/go-spiffe github.com/tetratelabs/wazero github.com/theparanoids/crypki github.com/timeplus-io/proton-go-driver github.com/xanzy/ssh-agent github.com/xdg-go/pbkdf2 github.com/xdg-go/scram github.com/xdg-go/stringprep github.com/xeipuuv/gojsonpointer github.com/xeipuuv/gojsonreference github.com/xeipuuv/gojsonschema github.com/xitongsys/parquet-go github.com/xitongsys/parquet-go-source go.mongodb.org/mongo-driver go.mongodb.org/mongo-driver/v2 go.nanomsg.org/mangos/v3 go.opencensus.io go.opentelemetry.io/auto go.opentelemetry.io/contrib go.opentelemetry.io/otel go.opentelemetry.io/proto go.yaml.in/yaml/v2 google.golang.org/genai google.golang.org/genproto google.golang.org/grpc k8s.io/apimachinery k8s.io/client-go k8s.io/klog k8s.io/utils sigs.k8s.io/json sigs.k8s.io/randfill sigs.k8s.io/structured-merge-diff
BSD-2-Clause	22 dependencies github.com/apache/arrow github.com/bwmarrin/snowflake github.com/emirpasic/gods github.com/go-sourcemap/sourcemap github.com/godbus/dbus github.com/gorilla/websocket github.com/pkg/browser github.com/pkg/errors github.com/pkg/sftp github.com/rabbitmq/amqp091-go github.com/rcrowley/go-metrics github.com/redis/go-redis github.com/russross/blackfriday github.com/vmihailenco/msgpack github.com/vmihailenco/tagparser github.com/zeebo/xxh3 gitlab.com/golang-commonmark/html gitlab.com/golang-commonmark/linkify gitlab.com/golang-commonmark/markdown gitlab.com/golang-commonmark/mdurl gitlab.com/golang-commonmark/puny gopkg.in/warnings.v0
BSD-3-Clause	63 dependencies dario.cat/mergo github.com/DataDog/zstd github.com/PaesslerAG/gval github.com/PaesslerAG/jsonpath github.com/ProtonMail/go-crypto github.com/apache/arrow github.com/apache/arrow-go github.com/apache/thrift github.com/aws/aws-sdk-go-v2 github.com/aws/smithy-go github.com/bits-and-blooms/bitset github.com/bwmarrin/discordgo github.com/cloudflare/circl github.com/cyphar/filepath-securejoin github.com/dop251/goja github.com/fsnotify/fsnotify github.com/generikvault/gvalstrings github.com/go-git/gcfg github.com/go-jose/go-jose github.com/go-zeromq/zmq4 github.com/gogo/protobuf github.com/golang/protobuf github.com/golang/snappy github.com/google/go-cmp github.com/google/uuid github.com/googleapis/gax-go github.com/gorilla/css github.com/gorilla/handlers github.com/gorilla/mux github.com/grpc-ecosystem/grpc-gateway github.com/hashicorp/golang-lru github.com/jcmturner/gofork github.com/klauspost/compress github.com/kr/fs github.com/microcosm-cc/bluemonday github.com/munnerz/goautoneg github.com/pierrec/lz4 github.com/planetscale/vtprotobuf github.com/pmezard/go-difflib github.com/prometheus/client_golang github.com/rickb777/period github.com/rickb777/plural github.com/spaolacci/murmur3 github.com/twmb/franz-go go.opentelemetry.io/contrib go.opentelemetry.io/otel golang.org/x/crypto golang.org/x/exp golang.org/x/mod golang.org/x/net golang.org/x/oauth2 golang.org/x/sync golang.org/x/sys golang.org/x/term golang.org/x/text golang.org/x/time golang.org/x/xerrors google.golang.org/api google.golang.org/protobuf gopkg.in/inf.v0 k8s.io/apimachinery k8s.io/utils sigs.k8s.io/json
BSL-1.0	1 dependency github.com/apache/arrow
EPL-2.0	1 dependency github.com/eclipse/paho.mqtt.golang
GNU-All-permissive-Copying-License	2 dependencies github.com/apache/thrift go.opentelemetry.io/otel
ISC	4 dependencies github.com/davecgh/go-spew github.com/emirpasic/gods github.com/oschwald/geoip2-golang github.com/oschwald/maxminddb-golang
LicenseRef-C-Ares	1 dependency github.com/apache/arrow
LicenseRef-MIT-Lucent	1 dependency github.com/dop251/goja
MIT	107 dependencies github.com/99designs/keyring github.com/Azure/azure-sdk-for-go github.com/Azure/go-amqp github.com/AzureAD/microsoft-authentication-library-for-go github.com/BurntSushi/toml github.com/IBM/sarama github.com/Jeffail/checkpoint github.com/Jeffail/gabs github.com/Jeffail/shutdown github.com/Masterminds/squirrel github.com/andybalholm/brotli github.com/apache/arrow github.com/apapsch/go-jsonmerge github.com/aymerick/douceur github.com/beanstalkd/go-beanstalk github.com/benhoyt/goawk github.com/beorn7/perks github.com/bmatcuk/doublestar github.com/cenkalti/backoff github.com/cespare/xxhash github.com/clbanning/mxj github.com/colinmarc/hdfs github.com/cpuguy83/go-md2man github.com/dgraph-io/ristretto github.com/dgryski/go-rendezvous github.com/dlclark/regexp2 github.com/dop251/goja github.com/dop251/goja_nodejs github.com/dustin/go-humanize github.com/dvsekhvalnov/jose2go github.com/eapache/go-resiliency github.com/eapache/go-xerial-snappy github.com/eapache/queue github.com/expr-lang/expr github.com/fatih/color github.com/felixge/httpsnoop github.com/fxamacker/cbor github.com/gabriel-vasile/mimetype github.com/getsentry/sentry-go github.com/go-faker/faker github.com/go-viper/mapstructure github.com/goccy/go-json github.com/gofrs/uuid github.com/golang-jwt/jwt github.com/govalues/decimal github.com/gsterjov/go-libsecret github.com/hailocab/go-hostpool github.com/hamba/avro github.com/influxdata/go-syslog github.com/influxdata/influxdb1-client github.com/itchyny/gojq github.com/itchyny/timefmt-go github.com/jackc/chunkreader github.com/jackc/pgconn github.com/jackc/pgio github.com/jackc/pgpassfile github.com/jackc/pgproto3 github.com/jackc/pgservicefile github.com/jackc/pgtype github.com/jackc/pgx github.com/jackc/puddle github.com/jbenet/go-context github.com/json-iterator/go github.com/kevinburke/ssh_config github.com/klauspost/compress github.com/klauspost/cpuid github.com/klauspost/pgzip github.com/lann/builder github.com/lann/ps github.com/lib/pq github.com/matoous/go-nanoid github.com/mattn/go-colorable github.com/mattn/go-isatty github.com/montanaflynn/stats github.com/mtibben/percent github.com/nsf/jsondiff github.com/nsqio/go-nsq github.com/parquet-go/parquet-go github.com/paulmach/orb github.com/pkoukk/tiktoken-go github.com/pusher/pusher-http-go github.com/quipo/dependencysolver github.com/redpanda-data/benthos github.com/rivo/uniseg github.com/robfig/cron github.com/rs/zerolog github.com/samber/lo github.com/segmentio/ksuid github.com/sergi/go-diff github.com/shopspring/decimal github.com/sirupsen/logrus github.com/smira/go-statsd github.com/sourcegraph/conc github.com/stretchr/testify github.com/tilinna/z85 github.com/tmc/langchaingo github.com/urfave/cli github.com/wombatwisdom/components github.com/wombatwisdom/wombat github.com/x448/float16 github.com/xrash/smetrics github.com/youmark/pkcs8 go.uber.org/atomic go.uber.org/multierr go.uber.org/zap gopkg.in/natefinch/lumberjack.v2 gopkg.in/yaml.v3
MPL-2.0	8 dependencies github.com/certifi/gocertifi github.com/cyphar/filepath-securejoin github.com/gosimple/slug github.com/hashicorp/errwrap github.com/hashicorp/go-multierror github.com/hashicorp/go-uuid github.com/hashicorp/golang-lru github.com/r3labs/diff
NCSA	1 dependency github.com/apache/arrow
OpenSSL	1 dependency github.com/apache/arrow
Zlib	1 dependency github.com/apache/arrow

Schema Registry

synadia-io/schema-registry

License	Dependencies
Apache-2.0	6 dependencies github.com/klauspost/compress github.com/nats-io/nats-server github.com/nats-io/nats.go github.com/nats-io/nkeys github.com/nats-io/nuid github.com/santhosh-tekuri/jsonschema
BSD-3-Clause	4 dependencies github.com/klauspost/compress golang.org/x/crypto golang.org/x/sys golang.org/x/text
MIT	1 dependency github.com/klauspost/compress

Signed Attestation

Currently, only the control-plane OCI images are signed. This is being rolled out for the rest of the components.

For components distributed as OCI images, attestations are signed by a Synadia key to allow for verification of authenticity. This can be validated using Sigstore Cosign.

Signature Verification:

cosign verify-attestation \
    --certificate-identity-regexp '^https://github.com/ConnectEverything' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    registry.synadia.io/<component> > /dev/null

Replace <component> with the component name (e.g., control-plane, http-gateway).

In the above command, we redirected STDOUT to /dev/null because it contains the complete SBOM as base64-encoded JSON. We are able to decode this if we want to see the SBOM itself.

cosign verify-attestation \
    --certificate-identity-regexp '^https://github.com/ConnectEverything' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    registry.synadia.io/<component> \
    | jq -r '.payload' | base64 -d | jq '.predicate.Data | fromjson'