SBOM management

SBOM management for CRA-ready product security

SBOM management for regulated software teams is more than file storage. Teams need to ingest CycloneDX or SPDX files, normalize the components they list, connect each SBOM to a specific product version, and retain the original artifact, unmodified, as evidence.

Intake should preserve the original artifact.

A useful SBOM workflow keeps the uploaded CycloneDX JSON, CycloneDX XML, or SPDX JSON file exactly as received, records a digest of it at intake so any later copy can be shown to be unchanged, and separately turns its contents into reviewable product data.

Keep the original SBOM attached to the product-version record.

Track intake format, product version, and status.

Make component data reviewable without losing provenance.

Component normalization makes reviews possible.

Component names, versions, package identifiers, and product scope need consistent handling before vulnerability review can happen reliably: the same library can arrive under different spellings or package URLs across SBOMs, and matching it to advisories depends on a stable identifier such as the purl.

Normalize components into a product-version inventory.

Keep package and version data connected to later findings.

Support repeated analysis when SBOMs or products change.

Retention turns SBOMs into evidence.

For CRA readiness workflows, SBOMs need to remain connected to later review decisions, remediation activity, and audit history.

Connect SBOM records to vulnerability review.

Retain activity history around intake and review.

Support customer or regulatory evidence requests without reassembling records manually.
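The intake, normalization, and retention steps described above, shown as an added Python example. This is illustrative code written for this page, not the product's own implementation; the record layout, the product name, the sample SBOMs, and the name@version fallback key for components without a purl are all assumptions.

```python
"""Minimal SBOM intake: keep the original bytes, fingerprint them, and normalize
CycloneDX JSON / SPDX JSON components into one product-version inventory.
Illustrative only: record shapes, sample SBOMs and fallback keys are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterator, Optional


@dataclass(frozen=True)
class Component:
    key: str            # normalized identifier used to join later findings
    name: str
    version: str
    purl: Optional[str]  # None when the SBOM carried no package URL


@dataclass
class SbomRecord:
    product: str
    product_version: str
    intake_format: str   # "cyclonedx-json" or "spdx-json"
    sha256: str          # digest of the untouched upload
    original: bytes      # retained verbatim as evidence
    status: str = "ingested"
    components: list = field(default_factory=list)
    needs_review: list = field(default_factory=list)  # keys lacking a purl
    history: list = field(default_factory=list)       # intake/review activity

    def log(self, action: str, detail: str = "") -> None:
        self.history.append({"at": datetime.now(timezone.utc).isoformat(),
                             "action": action, "detail": detail})


def detect_format(doc: dict) -> str:
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx-json"
    if "spdxVersion" in doc and "SPDXID" in doc:
        return "spdx-json"
    raise ValueError("unrecognized SBOM document")


def normalize_purl(purl: str) -> str:
    # Only the scheme and type are case-insensitive in the purl spec; name
    # casing rules differ per ecosystem, so the remainder is left untouched.
    scheme, _, rest = purl.partition(":")
    typ, sep, tail = rest.partition("/")
    return f"{scheme.lower()}:{typ.lower()}{sep}{tail}"


def _component(name: Optional[str], version: Optional[str],
               purl: Optional[str]) -> Component:
    name, version = (name or "").strip(), (version or "").strip()
    if purl:
        purl = normalize_purl(purl.strip())
        return Component(key=purl, name=name, version=version, purl=purl)
    # Assumed fallback: name@version key, flagged for manual review later.
    return Component(key=f"{name.lower()}@{version}", name=name,
                     version=version, purl=None)


def components_cyclonedx(doc: dict) -> Iterator[Component]:
    for c in doc.get("components", []):
        yield _component(c.get("name"), c.get("version"), c.get("purl"))


def components_spdx(doc: dict) -> Iterator[Component]:
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield _component(p.get("name"), p.get("versionInfo"), purl)


def ingest(raw: bytes, product: str, product_version: str) -> SbomRecord:
    doc = json.loads(raw)
    fmt = detect_format(doc)
    rec = SbomRecord(product, product_version, fmt,
                     hashlib.sha256(raw).hexdigest(), raw)
    rec.log("intake", f"{fmt}, sha256={rec.sha256[:12]}...")
    source = components_cyclonedx(doc) if fmt == "cyclonedx-json" else components_spdx(doc)
    seen = {}
    for comp in source:
        if comp.key in seen:
            continue  # duplicate entries collapse onto one inventory row
        seen[comp.key] = comp
        if comp.purl is None:
            rec.needs_review.append(comp.key)
    rec.components = list(seen.values())
    rec.status = "needs_review" if rec.needs_review else "normalized"
    rec.log("normalize", f"{len(rec.components)} components, "
                         f"{len(rec.needs_review)} without purl")
    return rec


# Constructed sample inputs for this example; not real product SBOMs.
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "PKG:PyPI/requests@2.31.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "internal-crypto-shim", "version": "0.3"},
    ]}).encode()

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "lodash", "versionInfo": "4.17.21",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl",
                                    "referenceLocator": "pkg:npm/lodash@4.17.21"}]}],
}).encode()

if __name__ == "__main__":
    for raw in (CDX_SAMPLE, SPDX_SAMPLE):
        rec = ingest(raw, "widget-fw", "3.2.0")
        print(rec.intake_format, rec.status, [c.key for c in rec.components])
```

The two CycloneDX entries differing only in purl casing collapse onto one inventory row, the component with no purl leaves the record in a "needs_review" status, and the untouched bytes plus their SHA-256 stay on the record alongside the activity history, so an evidence request can be answered from the record itself rather than by reassembling it.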

Related workflows

Continue through the evidence workflow.

These pages explain how SBOM intake, vulnerability review, remediation tracking, and evidence history fit together.

Next step

See how your evidence workflow operates.

Review intake, vulnerability decisions, remediation pressure, and retained evidence for one product line.