The most annoying thing with talking to computer scientists about anything is they will look at any problem that remotely touches software and ask you "Is that the right data structure? Are you ... sure?"

Like, this is what happens to every programming language - it's why you get NaN or an empty list for any given arbitrary code fragment in JavaScript. People had a normal data structure, say a dictionary, and were like "What if we OPTIMIZED IT for all the common situations?" And so now a Dictionary is like a hybrid "Dictionary-List-Cache-Semi-Ordered-ViewMap" and it changes everything about how it operates according to some internal heuristic only some ancient and primal god of mischief could understand.

So when someone asks me why, in certain cases, my program returns weird results right now, the REAL answer is, "Some computer scientist took what could have been a perfectly good data structure, and gave it performance anxiety". But project managers hate that answer. So instead they get to hear about graph databases.

This brings me to two important and closely linked subjects: SBOM, and venomous jellyfish. 

As the mighty Halvar Flake once probably said to himself, "I can take any hideously boring problem, and turn it into a fascinating and only a bit unsolvable graph algorithm solution!" And this is where SBOMs currently live. 

Software is amazing, and people in cyber policy like to think of it as if it were a book or long journal article, and you can take a snapshot of it, and send it to your friend Bob with a version number 1.0 on it and Track Changes and then they send it back with a version number 1.1 or 1.0-BobEdits and that's that.

But that is only what Loki, the god of lies, wants you to think. Environment is a huge part of the equation! You can go to your local pond, and get a carnivorous tadpole, an angry little hungry frog baby with a giant beak that eats other frog babies, and show it to a biologist and ask them the species, and they will tell you Spadefoot, and then find one eating plants in the corner, just a cute little guy, and the biologist will also tell you Spadefoot, and when you look at them confused they will shrug and mumble something about phenotypic plasticity which is clearly a bunch of words they made up to sound cool. 

It is so with software. What software are we running? Well, the description of software is rarely smaller than the software itself. It is usually much bigger. 

An SBOM could be described as a nested manifest of metadata about software. But if you say that to a computer scientist you found drowsing on the beach they will perk up like an evil sea otter who has spotted a bivalve and say "Wait, are you sure about that data structure? Is it truly a directed acyclic TREE structure, or is it more a ..." an awkwardly long pause will ensue as they struggle to control their emotions "...graph?" At this point you will realize you've made a mistake.
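To make the sea otter's point concrete, here is an added example (mine, not from the original post, and not the code of any real SBOM tool). The BOM is a constructed sample in the shape CycloneDX uses, a "components" list plus a "dependencies" list of {ref, dependsOn}; every component name and version in it is made up. It contains the two shapes a tree cannot represent honestly: two libraries that share a third (a diamond join) and two components that depend on each other (a cycle). A tree-style expansion reports the shared library once per path and, without a guard, never finishes on the cycle; a graph traversal with a visited set reports each component exactly once.

```python
"""Added example (not from the original post): why an SBOM's dependency
section is a graph, not a tree.

SAMPLE_BOM below is constructed for this illustration in the shape
CycloneDX uses (a "components" list plus a "dependencies" list of
{ref, dependsOn}). Component names and versions are made up.
"""
from collections import Counter, deque


# Constructed sample: 'app' pulls in two libraries that both depend on
# 'lib-shared' (a diamond), and 'plugin-host' and 'plugin-sdk' depend on
# each other (a cycle). Both shapes occur in real dependency data.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "bom-ref": "app", "name": "app", "version": "1.0"},
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.3"},
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9"},
        {"type": "library", "bom-ref": "lib-shared", "name": "lib-shared", "version": "4.1"},
        {"type": "library", "bom-ref": "plugin-host", "name": "plugin-host", "version": "7.2"},
        {"type": "library", "bom-ref": "plugin-sdk", "name": "plugin-sdk", "version": "7.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b", "plugin-host"]},
        {"ref": "lib-a", "dependsOn": ["lib-shared"]},
        {"ref": "lib-b", "dependsOn": ["lib-shared"]},
        {"ref": "lib-shared", "dependsOn": []},
        {"ref": "plugin-host", "dependsOn": ["plugin-sdk"]},
        {"ref": "plugin-sdk", "dependsOn": ["plugin-host"]},
    ],
}


def adjacency(bom):
    """Turn the dependencies section into ref -> [refs it depends on]."""
    adj = {c["bom-ref"]: [] for c in bom["components"]}
    for dep in bom.get("dependencies", []):
        adj.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    return adj


def expand_as_tree(adj, root, path=()):
    """What a tree-only tool does: re-expand every child on every path.

    A shared component appears once per path that reaches it. A pure tree
    expander has no notion of 'already seen' and never terminates on a
    cycle; the 'child in path' check exists only so this example finishes.
    It records the back edge as one more entry and stops descending.
    """
    path = path + (root,)
    nodes = [root]
    for child in adj.get(root, []):
        if child in path:
            nodes.append(child)  # back edge: where a real tree walker would loop forever
            continue
        nodes.extend(expand_as_tree(adj, child, path))
    return nodes


def reachable_components(adj, root):
    """Graph traversal: breadth-first with a visited set, one entry per component."""
    seen = {root}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for child in adj.get(cur, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def multiply_counted(adj, root):
    """Components the tree expansion reports more than once (diamond joins, cycles)."""
    counts = Counter(expand_as_tree(adj, root))
    return {ref: n for ref, n in counts.items() if n > 1}


if __name__ == "__main__":
    adj = adjacency(SAMPLE_BOM)
    tree = expand_as_tree(adj, "app")
    graph = reachable_components(adj, "app")
    print(f"tree expansion: {len(tree)} entries; graph: {len(graph)} components")
    print("reported more than once by the tree walk:", multiply_counted(adj, "app"))
```

On this sample the tree walk produces eight entries for six components, with lib-shared and plugin-host each reported twice; the graph traversal produces exactly six. The difference is the whole argument: a tool that assumes a tree will either double-count, hang, or silently drop the edge that told you two parts of your program share one library.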

If you somehow manage to escape by diverting the topic into something about eagles and Mordor, you can go on your merry way, building and selling tools that work on Trees and only Trees. You will be arboreal, but rich. And then someday someone will deliver a copy of Nature to your yacht by mistake, which by this point will be the only way to traverse most of the East Coast, and you'll read about Jellyfish, or, as the biologists will haughtily inform you, what are now called simply "Jellies". (The less money a scientist makes, the more haughty and good looking.)

But because you are a "learned person" you will read this article about jellyfish and it will let you know about horizontal gene transfer, which breaks every idea you had about how evolution worked. But it also might remind you about backporting and cherry-picking and a lot of crazy stuff that happens in the software world. So you might boat over to where that computer scientist was, and ask them if maybe they can port all your Tree-working code to Graph-working code.

And then, unfortunately for you, the story gets dark.

-dave