Upload your first SBOM

Ready to upload your first SBOM, or not sure what an SBOM is? We've got you covered! We support both CycloneDX and SPDX SBOM formats.

Have a CycloneDX or SPDX SBOM?

  1. Click Add SBOM > Upload SBOM.

  2. If you are uploading a compressed SPDX SBOM file, prepare it first by following the steps under Upload a compressed SPDX file below.

What SBOMs are supported?

Supported versions:

  • CycloneDX: 1.4, 1.5

  • SPDX: 2.2, 2.3

Supported file types:

  • CycloneDX: .json, .xml

  • Single SPDX files: .spdx, .json, .yaml, .xml

  • Compressed SPDX files: .gz, .tgz, .zip, .zst, .tzst

Maximum file size: 50MB

Where did my Add SBOM button go?

If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.

  1. In the modal that displays, click the Choose file button and select your SBOM file.

  2. Specify the product name and version, then click Upload SBOM.

Not ready to add your SBOM yet? No worries!

You can create each of your products and their respective versions, then add your SBOM at any time.

  1. In the Select product drop-down, select the Create product option, specify the product name, then click Save. Your new product is now selected; next, add a version to upload an SBOM to.

  2. In the Select version drop-down, select the Create version option, specify the version, then click Save. When you are ready to upload, click the Add SBOM drop-down button, then select the Upload SBOM option.

Once you’ve uploaded your SBOM, all of the dependency components contained in that product display on the page. Matching against the NVD starts immediately, using Package URLs (PURLs) for the Cargo, npm, NuGet, and PyPI package managers, CPE strings, dependency component names, and alias matches.

How does matching work?

We do a lot of work behind the scenes so you can spend your valuable time on the vulnerabilities that matter most! Check out Match sources for more information on sources we consult, and Matching statuses and rules to understand how we determine match statuses and suggest possible matches.

You can edit any SBOM dependency component, add dependency components manually, and export your SBOM to share for compliance and regulatory purposes.

Upload a compressed SPDX file

  1. Create a directory named as you want the compressed file to be named (for example, zst_sbom for zst_sbom.tar.gz or zst_sbom.zip).

  2. Inside that directory, create a subdirectory named packages.

  3. Copy the individual SPDX SBOM files into the packages subdirectory.

  4. Compress the parent directory. Example commands for .tar.gz and .zip are below.

  5. Upload the compressed file to Helm.

Create .tar.gz

COPYFILE_DISABLE=1 tar --exclude='.*' -zcvf zst_sbom.tar.gz zst_sbom

Create .zip

zip -r zst_sbom.zip zst_sbom -x '**/.*'

Both commands leave out hidden files (names starting with a dot, such as .DS_Store). COPYFILE_DISABLE=1 matters on macOS, where it stops tar from adding ._* metadata files alongside your SBOMs; on Linux it is harmless.
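The following script is an added example, not part of Helm or MedCrypt's tooling. It covers two things described on this page: the pre-upload check against the supported formats, versions, and 50MB limit listed above, and the compressed SPDX bundle layout (a directory containing a packages subdirectory with the SBOM files, hidden files excluded) produced by the tar and zip commands. Format detection uses the standard header fields of each format (bomFormat/specVersion for CycloneDX JSON, spdxVersion for SPDX JSON, the SPDXVersion: line for SPDX tag-value). The bundle name release_sboms and the sample SBOM contents are constructed for the demo.

```python
"""Pre-upload check and compressed-SPDX bundle builder (added example)."""
import json
import re
import tarfile
import tempfile
import zipfile
from pathlib import Path

# Limits as documented on this page.
SUPPORTED_VERSIONS = {"CycloneDX": {"1.4", "1.5"}, "SPDX": {"2.2", "2.3"}}
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # 50MB upload limit

# SPDX tag-value documents open with a line such as "SPDXVersion: SPDX-2.3".
_TAG_VALUE_VERSION = re.compile(r"^SPDXVersion:\s*SPDX-(\d+\.\d+)\s*$", re.M)


def sniff_sbom(data: bytes) -> tuple[str, str]:
    """Return (format, version), e.g. ("SPDX", "2.3"); raise ValueError otherwise."""
    text = data.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        match = _TAG_VALUE_VERSION.search(text)
        if match:
            return "SPDX", match.group(1)
        raise ValueError("neither JSON nor an SPDX tag-value document")
    if not isinstance(doc, dict):
        raise ValueError("JSON SBOM must be an object at the top level")
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    if "spdxVersion" in doc:
        return "SPDX", str(doc["spdxVersion"]).removeprefix("SPDX-")
    raise ValueError("JSON has neither bomFormat=CycloneDX nor spdxVersion")


def is_supported(fmt: str, version: str) -> bool:
    """True when this page lists the format/version as accepted."""
    return version in SUPPORTED_VERSIONS.get(fmt, set())


def build_spdx_bundle(bundle_name: str, sbom_files, out_dir) -> dict:
    """Write <out_dir>/<bundle_name>.tar.gz and .zip holding
    <bundle_name>/packages/<file> for every supported SPDX input.

    Hidden files are skipped (the effect of zip -x '**/.*'); building the
    archives in Python also means no macOS ._* files get in, which is what
    COPYFILE_DISABLE=1 prevents for tar. CycloneDX or unsupported inputs are
    rejected because the compressed upload path is for SPDX only.
    """
    out_dir = Path(out_dir)
    dirs = [bundle_name, f"{bundle_name}/packages"]
    members = []  # (archive member name, source path)
    for src in map(Path, sbom_files):
        if src.name.startswith("."):
            continue
        fmt, ver = sniff_sbom(src.read_bytes())
        if fmt != "SPDX" or not is_supported(fmt, ver):
            raise ValueError(f"{src.name}: {fmt} {ver} is not an accepted SPDX version")
        members.append((f"{bundle_name}/packages/{src.name}", src))

    tgz = out_dir / f"{bundle_name}.tar.gz"
    with tarfile.open(tgz, "w:gz") as tar:
        for d in dirs:  # directory entries, as tar -zcvf of a directory records them
            info = tarfile.TarInfo(d)
            info.type, info.mode = tarfile.DIRTYPE, 0o755
            tar.addfile(info)
        for name, src in members:
            tar.add(str(src), arcname=name)

    zpath = out_dir / f"{bundle_name}.zip"
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
        for d in dirs:
            zf.writestr(zipfile.ZipInfo(f"{d}/"), b"")
        for name, src in members:
            zf.write(str(src), arcname=name)

    for archive in (tgz, zpath):
        if archive.stat().st_size > MAX_UPLOAD_BYTES:
            raise ValueError(f"{archive.name} exceeds the 50MB upload limit")

    with tarfile.open(tgz) as tar:
        tar_files = sorted(m.name for m in tar.getmembers() if m.isfile())
    with zipfile.ZipFile(zpath) as zf:
        zip_files = sorted(n for n in zf.namelist() if not n.endswith("/"))
    return {"tar_gz": tgz, "zip": zpath, "tar_files": tar_files, "zip_files": zip_files}


def demo() -> dict:
    """Constructed sample input: one SPDX JSON, one SPDX tag-value, one hidden file."""
    spdx_json = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                            "name": "app-a", "packages": []}).encode()
    spdx_tag_value = b"SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "app-a.spdx.json").write_bytes(spdx_json)
        (tmp / "app-b.spdx").write_bytes(spdx_tag_value)
        (tmp / ".DS_Store").write_bytes(b"\x00")  # hidden: must not be packed
        result = build_spdx_bundle("release_sboms", sorted(tmp.iterdir()), tmp)
        return {"tar_files": result["tar_files"], "zip_files": result["zip_files"]}


if __name__ == "__main__":
    print(demo())
```

Running the script packs the two SPDX documents under release_sboms/packages/ in both archives and leaves .DS_Store out. Point build_spdx_bundle at your own SPDX files to get a bundle in the documented layout, and run sniff_sbom plus is_supported on any single CycloneDX or SPDX file before uploading it, so a wrong version or a malformed document fails locally rather than as a Failed status in Helm.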

Unable to find exact matches in the NVD?

If you have dependency components where our system is unable to find an exact match in the NVD, consult the appropriate section:

Not seeing your SBOM dependency components?

How do I know my file is uploading?

You can check the status of your SBOM file upload via the Manage SBOMs drop-down button > View file upload status. If you haven't uploaded other SBOMs, this button may still be Add SBOM. In the status modal, click the icon next to a Failed status to get more information. If you need help, contact us.

I have a large SBOM file

This could take a little longer to upload. Get a cup of coffee or tea while we process your SBOM! We'll automatically start matching to known software in the NVD as soon as your upload is completed successfully.

I don't think my SBOM uploaded successfully

To check the status of your SBOM file, click the Manage SBOMs drop-down button > View file upload status. If you haven't uploaded other SBOMs, this button may still be Add SBOM. If you have a Failed status, click the icon next to it to get more information. Common reasons a file fails to upload are invalid JSON, an unexpected file structure, or missing required fields. If you need help figuring out what went wrong, that's what we're here for -- send your SBOM to us for help!

Have a different SBOM format or need help getting started?

I have a different SBOM format

If you have another format (e.g., Word, CSV), contact us so we can convert it for you. We’re in the process of adding more complete support for all of the data in your CycloneDX SBOM, as well as adding support for the SPDX SBOM format.

I don't know what an SBOM is or am not sure where to start

Don’t worry – we’ve got you covered! We can provide expert assessment, guidance, and design for anything from building cybersecurity and continuous improvement into your product development lifecycle, to Public Key Infrastructure (PKI) and cryptography, to FDA letters, and most anything in between.

Take our FDA readiness assessment survey to start down your path to a smooth FDA submission process!

© Copyright MedCrypt 2023, All rights reserved.