Upload your first SBOM
Ready to upload your first SBOM or not sure what an SBOM is? We've got you covered! We support both the CycloneDX and SPDX SBOM formats. For CycloneDX, we support either JSON or XML SBOMs.
Have a CycloneDX or SPDX SBOM?
If you don’t have an SBOM added yet, click Add SBOM > Upload SBOM.
What SBOMs are supported?
Versions: We support CycloneDX 1.4 and SPDX 2.2 and 2.3.
File size:
Your SBOM file size must be 5MB or less.
If you are using a .zip or .tar.gz (gzip) file generated from Yocto on Linux, your file size limit is 50MB.
Where did my Add SBOM button go?
If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.
In the modal that displays, click the Choose file button to upload your SBOM file, then click Upload SBOM.
Specify the product name and version, then click Upload SBOM.
Not ready to add your SBOM yet? No worries!
You can create each of your products and their respective versions, then add your SBOM at any time.
In the Select product drop-down, select the Create product option, specify the product name, then Save. You’ll now see your new product selected. Next, add a version to which you can upload an SBOM.
In the Select version drop-down, select the Create version option, specify the version, then Save. Click the Add SBOM drop-down button, then select the Upload SBOM option.
Once you’ve uploaded your SBOM, you will see all of the dependency components contained in that product displayed on the page. We’re already starting to match, drawing data from the NVD, including Package URLs (PURLs) from the Cargo, NPM, NuGet, or PyPI package managers, CPE strings, dependency component names, and alias matches.
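The version and size limits above, and the identifiers the matcher draws on (PURL, CPE, component name), can be checked locally before you upload. The script below is an added example, not code from this product or its documentation: it does not reproduce the service's own server-side validation, and the function names, the two embedded sample SBOMs (a minimal CycloneDX 1.4 JSON document and a minimal SPDX 2.3 JSON document, both constructed for this example) and the treatment of XML as out of scope are assumptions of the example. It flags an unsupported spec version, an oversized file, and any component that carries only a name, since those are the ones most likely to come back without an exact NVD match.

```python
import json
import os
import tempfile

# Limits and versions as the page states them. Assumption: the service accepts
# exactly these pairs; its real server-side validation is not shown here.
MAX_SBOM_BYTES = 5 * 1024 * 1024            # 5 MB for a plain SBOM file
MAX_YOCTO_ARCHIVE_BYTES = 50 * 1024 * 1024  # 50 MB for a Yocto .zip / .tar.gz
SUPPORTED_CYCLONEDX = {"1.4"}
SUPPORTED_SPDX = {"SPDX-2.2", "SPDX-2.3"}

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM (not a real product).
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
        {"type": "library", "name": "leftpad", "version": "0.0.1"},  # name only
    ],
}

# Constructed sample: a minimal SPDX 2.3 JSON SBOM with one Cargo package.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product",
    "packages": [{
        "name": "serde", "versionInfo": "1.0.130", "SPDXID": "SPDXRef-serde",
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                          "referenceType": "purl",
                          "referenceLocator": "pkg:cargo/serde@1.0.130"}],
    }],
}


def detect_format(doc):
    """Return (format, version) for a parsed JSON SBOM; raise if it is neither."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    if "spdxVersion" in doc:
        return "SPDX", str(doc["spdxVersion"])
    raise ValueError("not a CycloneDX or SPDX JSON document")


def version_supported(fmt, version):
    """True when the page lists this format/version pair as accepted."""
    allowed = SUPPORTED_CYCLONEDX if fmt == "CycloneDX" else SUPPORTED_SPDX
    return version in allowed


def size_ok(size_bytes, yocto_archive=False):
    """Apply the 5 MB limit, or the 50 MB limit for a Yocto-generated archive."""
    limit = MAX_YOCTO_ARCHIVE_BYTES if yocto_archive else MAX_SBOM_BYTES
    return size_bytes <= limit


def match_keys(doc):
    """Per component, list which identifiers (purl, cpe, name) are present."""
    fmt, _ = detect_format(doc)
    rows = []
    if fmt == "CycloneDX":
        for comp in doc.get("components", []):
            keys = [k for k in ("purl", "cpe") if comp.get(k)]
            if comp.get("name"):
                keys.append("name")
            rows.append((comp.get("name"), keys))
    else:  # SPDX keeps PURL and CPE in externalRefs, not on the package itself
        for pkg in doc.get("packages", []):
            keys = []
            for ref in pkg.get("externalRefs", []):
                ref_type = ref.get("referenceType")
                if ref_type == "purl":
                    keys.append("purl")
                elif ref_type in ("cpe22Type", "cpe23Type"):
                    keys.append("cpe")
            if pkg.get("name"):
                keys.append("name")
            rows.append((pkg.get("name"), keys))
    return rows


def preflight(doc, size_bytes, yocto_archive=False):
    """Combine the checks into one report to read before clicking Upload SBOM."""
    fmt, version = detect_format(doc)
    components = match_keys(doc)
    return {
        "format": fmt,
        "version": version,
        "version_supported": version_supported(fmt, version),
        "size_ok": size_ok(size_bytes, yocto_archive),
        "components": components,
        # Components with nothing but a name rely on name/alias matching only.
        "name_only": [name for name, keys in components if keys == ["name"]],
    }


def preflight_file(path, yocto_archive=False):
    """Load a JSON SBOM from disk and run the checks against its real size."""
    with open(path, "rb") as fh:
        doc = json.load(fh)
    return preflight(doc, os.path.getsize(path), yocto_archive)


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(SAMPLE_CYCLONEDX, fh)
    print(json.dumps(preflight_file(fh.name), indent=2))
    os.unlink(fh.name)
```

Run it as-is to see the report for the embedded CycloneDX sample, or call `preflight_file("path/to/your.json")` on a real export; a `name_only` list that is not empty tells you in advance which components to expect under the "Not seeing exact matches" sections below.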
How does matching work?
We do a lot of work behind the scenes so you can spend your valuable time on the vulnerabilities that matter most! Check out Match sources for more information on sources we consult, and Matching statuses and rules to understand how we determine match statuses and suggest possible matches.
You can edit any SBOM dependency component, add dependency components manually, and export your SBOM to share for compliance and regulatory purposes.
Unable to find exact matches in the NVD?
If you have dependency components where our system is unable to find an exact match in the NVD, consult the appropriate section:
Not seeing your SBOM dependency components?
Have a different SBOM format or need help getting started?