In recent times, the phrase “supply chain disruption” has been on everyone’s lips, mostly in relation to the goods we want and depend on. Likewise, in the software world we’ve had major incidents like Log4Shell and colors.js impacting the software we want and depend on. Both malice and negligence can threaten that software. We throw around terms like “software supply chain” and “Bill of Materials” pretty casually. But what is the software supply chain? Where does it start, and where does it end?