# Upload your first SBOM

Ready to upload your first SBOM, or not sure what an SBOM is? We’re here to help! Helm supports both CycloneDX and SPDX SBOM formats, making it easy for you to manage your software components.

## **Understanding workspace context for SBOM upload**

A workspace is a division within your organization, such as a department or business unit. When uploading SBOMs:

* **Products are workspace-specific**: All products you create during upload belong to your current workspace. Products cannot be moved to another workspace after creation. If you want to create a product in a different workspace, [switch workspaces](https://helm.docs.medcrypt.com/get-started-with-helm/get-familiar-with-the-helm-ui#selected-workspace) first, using the breadcrumb dropdown or account menu.
* **Version management**: Product versions are also workspace-scoped
* **Component visibility**: Uploaded components and their vulnerabilities are visible only within the workspace

This ensures proper data isolation between different business units or teams.

## Upload a CycloneDX or SPDX SBOM

1. If you haven't added any SBOMs yet, click the **Upload SBOM** button.
   * If your team has already uploaded SBOMs, click **Manage SBOMs > Upload SBOM**.
2. If you are uploading a compressed SPDX SBOM file, [follow these steps](#upload-a-compressed-spdx-file).

{% hint style="success" %}
**Supported SBOM versions and formats**

**Versions:**

* **CycloneDX:** 1.3 (import only), 1.4 (import and export), 1.5 (import only)
* **SPDX:** 2.2, 2.3

**Formats:**

* **CycloneDX:** .json, .xml
* **Single SPDX files:** .spdx, .json, .yaml, .xml
* **Compressed SPDX files:** .gz, .tgz, .zip, .zst, .tzst
* **Excel:** .xlsx, .xls
* **CSV**

**File size:** 50 MB
{% endhint %}

3. In the **SBOM type** drop-down, select **Document**.
4. Select or drag and drop a file in the **SBOM file** field.
   1. [**Excel or CSV**](#upload-a-csv-or-excel-sbom): Uploading one of these files will display a **Generate CycloneDX** button.
5. Click **Upload SBOM**.
   1. **Need to include EOS/EOL information?** You can import your CycloneDX SBOM with EOS/EOL information included in [these properties](#including-lifecycle-information).
   2. **Need to include Windows KB patch information?** You can import your CycloneDX SBOM with WinKBs included in [this property](#including-windows-kb-patch-information).
6. If your SBOM components are not loading, check that **Auto-refresh** is turned on, or manually refresh the page. Larger SBOMs take more time to process.
   1. If you still don't see your SBOM, click **Manage SBOMs > View file upload status**. If you see a **Failed** status here, click the icon next to that status for more information.
   2. If you can't resolve the issue, [contact us](mailto:support@medcrypt.co) for help.
7. Once your SBOM is uploaded, all of the components contained in that product are displayed on the page. Matching starts immediately, drawing data from the NVD and using Package URLs (PURLs) from the Cargo, NPM, NuGet, or PyPI package managers, CPE strings, component name/version/supplier combinations, and alias matches.
8. If you need to aggregate and merge additional SBOMs into this SBOM, click **Manage SBOMs > Upload SBOM**. This adds the components from that SBOM to your existing SBOM.
9. If you see a warning or error icon next to a component version, click the icon for more information.
   1. For a warning, you should be able to edit the version yourself; for an error, you will need to [contact us](mailto:support@medcrypt.co).
   2. The issue must be resolved before we can match the component and return any vulnerabilities.

### **Upload a compressed SPDX file**

If you have a compressed SPDX SBOM file, follow these steps to upload it:

1. **Prepare your files**:
   * Create a directory named after what you want to name your zip file.
   * Navigate into that directory and create a subdirectory named `packages` in this directory.
   * Copy your individual SBOM files into the `packages` directory.
2. **Compress your files**:
   * Use the following commands to compress your files into a `.tar.gz` or `.zip` format:
     * **Create .tar.gz**: `COPYFILE_DISABLE=1 tar -zcvf yourfilename.tar.gz yourdirectory`
     * **Create .zip**: `zip -r yourfilename.zip yourdirectory -x '**/.*'`
3. **Upload your file**:
   * Once compressed, go to Helm and upload your `.tar.gz` or `.zip` file following the [upload process](#upload-a-cyclonedx-or-spdx-sbom) above.
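The packaging steps above carried out in Python, as an added example rather than Helm's own tooling: it builds the `<name>/packages/<file>` layout into a `.tar.gz` and a `.zip`, leaves out dotfiles (macOS `._*` resource forks, `.DS_Store`) the way `COPYFILE_DISABLE=1` and `zip -x '**/.*'` do, and checks an archive's layout before you upload it. The directory name and the SPDX file contents are constructed sample values.

```python
"""Package SPDX documents into the <name>/packages/<file> layout and check it.

Added example; not Helm's tooling. Sample directory and file names are constructed.
"""
from __future__ import annotations

import tarfile
import tempfile
import zipfile
from pathlib import Path


def _is_hidden(rel: Path) -> bool:
    # True if any path component starts with "." (e.g. .DS_Store, ._firmware.spdx)
    return any(part.startswith(".") for part in rel.parts)


def _visible_files(source_dir: Path) -> list[tuple[Path, str]]:
    # (file, archive member name) pairs, rooted at the directory's own name
    pairs = []
    for file in sorted(source_dir.rglob("*")):
        rel = file.relative_to(source_dir)
        if file.is_file() and not _is_hidden(rel):
            pairs.append((file, f"{source_dir.name}/{rel.as_posix()}"))
    return pairs


def build_tar_gz(source_dir: Path, archive: Path) -> list[str]:
    """Same result as: COPYFILE_DISABLE=1 tar -zcvf <archive> <source_dir>"""
    pairs = _visible_files(source_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for file, arcname in pairs:
            tar.add(str(file), arcname=arcname)
    return [arcname for _, arcname in pairs]


def build_zip(source_dir: Path, archive: Path) -> list[str]:
    """Same result as: zip -r <archive> <source_dir> -x '**/.*'"""
    pairs = _visible_files(source_dir)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for file, arcname in pairs:
            zf.write(str(file), arcname)
    return [arcname for _, arcname in pairs]


def _member_names(archive: Path) -> list[str]:
    if archive.suffix == ".zip":
        with zipfile.ZipFile(archive) as zf:
            return zf.namelist()
    with tarfile.open(archive) as tar:
        return tar.getnames()


def check_layout(archive: Path) -> list[str]:
    """Return layout problems; an empty list means <root>/packages/<files> is present."""
    names = [n.rstrip("/") for n in _member_names(archive)]
    problems = []
    roots = {n.split("/")[0] for n in names}
    if len(roots) != 1:
        problems.append(f"expected one top-level directory, found {sorted(roots)}")
    if not any(len(Path(n).parts) >= 3 and Path(n).parts[1] == "packages" for n in names):
        problems.append("no files under <root>/packages/")
    hidden = [n for n in names if _is_hidden(Path(n))]
    if hidden:
        problems.append(f"hidden files present: {hidden}")
    return problems


def demo() -> dict:
    """Build both archive types from a constructed sample tree and check them."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "my-device-sboms"
        (src / "packages").mkdir(parents=True)
        # Constructed stand-ins for real SPDX documents
        (src / "packages" / "firmware.spdx").write_text("SPDXVersion: SPDX-2.3\n")
        (src / "packages" / "bootloader.spdx.json").write_text("{}")
        # Noise that must not end up in the archive
        (src / "packages" / "._firmware.spdx").write_bytes(b"\x00\x05\x16\x07")
        (src / ".DS_Store").write_bytes(b"")

        tgz, zp = Path(tmp) / "my-device-sboms.tar.gz", Path(tmp) / "my-device-sboms.zip"
        tar_members = build_tar_gz(src, tgz)
        zip_members = build_zip(src, zp)

        # A flat archive without a packages/ directory, to show a failing check
        flat = Path(tmp) / "flat.zip"
        with zipfile.ZipFile(flat, "w") as zf:
            zf.writestr("firmware.spdx", "SPDXVersion: SPDX-2.3\n")

        return {
            "tar_members": tar_members,
            "zip_members": zip_members,
            "tar_problems": check_layout(tgz),
            "zip_problems": check_layout(zp),
            "flat_problems": check_layout(flat),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `check_layout` on an archive produced by the shell commands above as well; a non-empty list (a second top-level directory, a missing `packages/` folder, or `._*` files) is the usual reason a compressed upload fails.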

### **Upload a CSV or Excel SBOM**

{% hint style="warning" %}
**This feature is in beta.** Let us know your feedback and what we can do to enhance this experience!
{% endhint %}

You can upload CSV and Excel files directly to Helm and have them automatically converted to a CycloneDX SBOM. This eliminates the need for [manual conversion tools or scripts](https://helm.docs.medcrypt.com/get-started/dont-have-an-sbom/convert-your-sbom-from-csv-to-cyclonedx).

1. Click the **Upload SBOM** button.
2. In the modal that displays, specify a product name and version.
3. In the **SBOM type** drop-down, select **Document**.
4. Select or drag and drop a file in the **SBOM file** field.
5. Click **Generate CycloneDX SBOM**.
6. Preview your data before uploading. Review the component information to ensure everything looks correct and catch any formatting issues.
7. Click **Upload** to convert and import your SBOM.
8. Once imported, your SBOM will be ready for vulnerability analysis and remediation, and can be exported in [CycloneDX, SPDX, or CSV format](https://helm.docs.medcrypt.com/ensure-fda-readiness/fda-ready-sbom-and-vulnerability-reports), plus our [expert-crafted FDA SBOM](https://helm.docs.medcrypt.com/ensure-fda-readiness/fda-ready-sbom-and-vulnerability-reports/meet-fda-requirements-with-your-fda-sbom-report). You can also export [VEX and VDR reports](https://helm.docs.medcrypt.com/ensure-fda-readiness/fda-ready-sbom-and-vulnerability-reports/vex-and-vdr-reports).

## Including lifecycle information?

To include lifecycle information, use the supported properties listed below in your CycloneDX SBOM. This information is populated into the respective columns in the **Products** table, as well as in the component details. Note that if your SBOM contains duplicate properties for the same component, Helm takes the first property and discards the rest. For each field, you can include either a date or a text value, not both; if you include both, only the date is populated in the Helm UI.

To use any of these properties, include the whole namespace value (e.g., `cdx:lifecycle:milestone:endOfSupport` or `medcrypt:lifecycle:milestone:endOfLifeText`) in the property's `name` field and the corresponding value in its `value` field. We import from and export to the `component` and/or `metadata > components` array of your CycloneDX SBOM.

1. **Level of support (date):** Import supports the `cdx:lifecycle:milestone:endOfSupport` name property or `eos_date` (Medcrypt-specific name property). Export uses the CycloneDX native property.
2. **EOS/EOL (date):** Import supports the `cdx:lifecycle:milestone:endOfLife` name property or `eol_date` (Medcrypt-specific name property). Export uses the CycloneDX native property.
3. **Level of support (text):** Import supports the `medcrypt:lifecycle:milestone:endOfLifeText` or `eol_text` name property. Export uses `medcrypt:lifecycle:milestone:endOfLifeText`.
4. **EOS/EOL (text):** Import supports the `medcrypt:lifecycle:milestone:levelOfSupportText` or `eos_text` name property. Export uses `medcrypt:lifecycle:milestone:levelOfSupportText`.

**End of support example with component array**

```
...
"component" : {
    "name" : "[PRODUCT_NAME]",
    "version" : "2.2.3",
    "type" : "application",
    "bom-ref" : "dd8fc70b-767a-4398-885c-bbd0e8f6c68",
    "properties" : [
        {
            "name" : "cdx:lifecycle:milestone:endOfSupport",
            "value" : "2026-02-07T22:00:00Z"
        },
        {
            "name" : "medcrypt:lifecycle:milestone:levelOfSupportText",
            "value" : "Q1 2026"
        }
    ]
},
...
```

Check the [CycloneDX GitHub repo ](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/479acf89cc0595995ad20d7fa9439f007250b050/cdx/lifecycle.md)for more information on their native properties.

## **Including Windows KB patch information?**

CycloneDX does not support Windows KB information natively, so to include Windows KB patch information, use the Medcrypt-specific property described here in your CycloneDX SBOM.

To use this property, include the whole namespace value (`medcrypt:vulnerability:remediation:mskb`) in the property's `name` field and the KB identifier in its `value` field. We import from and export to the `component` and/or `metadata > components` array of your CycloneDX SBOM.

* Import and export support the `medcrypt:vulnerability:remediation:mskb` name property, but regardless of where the KBs appeared in the original SBOM, they are exported to `metadata > component` only.

**Windows KB example with component array**

```
...
"component" : {
    "name" : "[PRODUCT_NAME]",
    "version" : "2.2.3",
    "type" : "application",
    "bom-ref" : "dd8fc70b-767a-4398-885c-bbd0e8f6c68",
    "properties" : [
        {
            "name" : "medcrypt:vulnerability:remediation:mskb",
            "value" : "KB12849"
        },
        {
            "name" : "medcrypt:vulnerability:remediation:mskb",
            "value" : "KB994849"
        }
    ]
},
...
```
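The import rules from the lifecycle section and the Windows KB section, applied to a CycloneDX JSON document in Python. This is an added example, not Helm's code: it reads properties from `metadata > component` and from the `components` array, keeps only the first occurrence of a repeated lifecycle property, prefers the date property over the text property of the same field, and collects every `medcrypt:vulnerability:remediation:mskb` value (KBs are one property per KB, so repeated names are expected there). Property names are the ones listed on this page; the pairing of `endOfSupport` with `levelOfSupportText` follows the end-of-support example above. Component names, dates and KB numbers in `SAMPLE_BOM` are constructed.

```python
"""Resolve Helm lifecycle and Windows KB properties from a CycloneDX JSON BOM.

Added example; not Helm's code. SAMPLE_BOM is constructed test data.
"""
from __future__ import annotations

import json
from datetime import datetime

# Accepted import names per lifecycle field: CycloneDX native or Medcrypt alias
# for the date, Medcrypt property or short alias for the text.
FIELDS = {
    "endOfSupport": {
        "date": ("cdx:lifecycle:milestone:endOfSupport", "eos_date"),
        "text": ("medcrypt:lifecycle:milestone:levelOfSupportText", "eos_text"),
    },
    "endOfLife": {
        "date": ("cdx:lifecycle:milestone:endOfLife", "eol_date"),
        "text": ("medcrypt:lifecycle:milestone:endOfLifeText", "eol_text"),
    },
}
MSKB = "medcrypt:vulnerability:remediation:mskb"


def first_value_per_name(component: dict) -> dict[str, str]:
    """{name: value}, keeping only the first occurrence of each property name."""
    seen: dict[str, str] = {}
    for prop in component.get("properties", []):
        seen.setdefault(prop["name"], prop["value"])
    return seen


def is_timestamp(value: str) -> bool:
    """True if value parses as an ISO 8601 timestamp (a trailing Z is accepted)."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def lifecycle(component: dict) -> dict[str, dict]:
    """Lifecycle fields for one component; a date wins over a text value."""
    props = first_value_per_name(component)
    out: dict[str, dict] = {}
    for field, names in FIELDS.items():
        date = next((props[n] for n in names["date"] if n in props), None)
        text = next((props[n] for n in names["text"] if n in props), None)
        if date is not None:
            out[field] = {"kind": "date", "value": date, "valid": is_timestamp(date)}
        elif text is not None:
            out[field] = {"kind": "text", "value": text}
    return out


def windows_kbs(component: dict) -> list[str]:
    """Every KB on the component; each KB is its own property with the same name."""
    return [p["value"] for p in component.get("properties", []) if p["name"] == MSKB]


def components(bom: dict):
    """metadata > component first (if present), then the components array."""
    top = bom.get("metadata", {}).get("component")
    if top:
        yield top
    yield from bom.get("components", [])


def summarize(bom: dict) -> dict[str, dict]:
    """Lifecycle fields and KB list for every component, keyed by component name."""
    return {c["name"]: {"lifecycle": lifecycle(c), "kbs": windows_kbs(c)} for c in components(bom)}


# Constructed sample: one repeated eol_date (first must win), one field with both
# date and text (date must win), one malformed date (flagged, not silently accepted).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {
    "type": "application", "name": "example-device", "version": "2.2.3",
    "properties": [
      {"name": "cdx:lifecycle:milestone:endOfSupport", "value": "2026-02-07T22:00:00Z"},
      {"name": "medcrypt:lifecycle:milestone:levelOfSupportText", "value": "Q1 2026"},
      {"name": "medcrypt:vulnerability:remediation:mskb", "value": "KB0000001"},
      {"name": "medcrypt:vulnerability:remediation:mskb", "value": "KB0000002"}
    ]}},
  "components": [
    {"type": "library", "name": "example-lib-a", "version": "1.0.0",
     "properties": [
       {"name": "eol_date", "value": "2023-09-11T00:00:00Z"},
       {"name": "eol_date", "value": "2099-01-01T00:00:00Z"},
       {"name": "eol_text", "value": "September 2023"}]},
    {"type": "library", "name": "example-lib-b", "version": "4.2.0",
     "properties": [
       {"name": "cdx:lifecycle:milestone:endOfLife", "value": "2030-06-01T00:00:0Z"},
       {"name": "eos_text", "value": "Best effort"}]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BOM), indent=2))
```

Running `summarize` over your own BOM before upload shows which value Helm will actually keep when a component carries duplicate or conflicting lifecycle properties, and the `valid` flag catches timestamps that are not well-formed ISO 8601.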

## **Including dependency data?**

If you have dependency data for your components in your CycloneDX SBOM, Helm captures and preserves these dependency relationships, and includes it when you export back to CycloneDX format. This ensures fidelity and completeness when working with CycloneDX SBOMs that include component relationship data.

## **What happens after upload?**

Once you’ve uploaded your SBOM, Helm automatically starts matching your components with known software in the NVD (National Vulnerability Database). This leverages several [match sources](https://helm.docs.medcrypt.com/match-components/understand-match-sources), such as Package URLs (PURLs), CPE strings, component names, and alias matches. Refer to Match statuses and Resolve match statuses for more information.

Check out [Match sources](https://helm.docs.medcrypt.com/match-components/understand-match-sources) for more information on the sources we consult, and [Match statuses](https://helm.docs.medcrypt.com/match-components/understand-match-statuses) to understand how we determine match statuses and suggest possible matches.

## **Create products and versions without an SBOM**

1. In the **Select product** drop-down, choose **Create product**, specify the product name, then click **Save**. This product will be created within your current workspace and cannot be moved to another workspace after creation. If you want to create it in a different workspace, you'll need to [switch workspaces](https://helm.docs.medcrypt.com/get-started-with-helm/get-familiar-with-the-helm-ui#selected-workspace) first.
2. In the **Select version** drop-down, choose **Create version**, specify the version, and click **Save**.
3. When you have an SBOM ready, just click the **Add SBOM** drop-down button (**Manage SBOM** if you already have uploaded other SBOMs), then select **Upload SBOM** when you’re ready to add your SBOM file.

## **Troubleshooting and support**

### **Not seeing your SBOM components?**

You may have turned off auto-refresh. You can either turn it back on from the **Auto-refresh** switch above the table, or you can click **Refresh** to manually refresh the page. If you're still not seeing your SBOM, check the status of your SBOM file upload via the **Manage SBOMs** drop-down button > **View file upload status**. In the status modal, click the icon next to the **Failed** status to get more information. If you need help, [contact us](mailto:support@medcrypt.co).

### **No exact match**

If Helm can’t find an exact match in the NVD, refer to [Resolve match statuses](https://helm.docs.medcrypt.com/match-components/match-unmatched-components) for further instructions.

### Upload issues

**Have a large SBOM file?**

If you have a larger SBOM file, it may take a little longer to upload. Get a cup of coffee or tea while we process your SBOM! We'll automatically start matching to known software in the NVD as soon as your upload has completed successfully.

**Don't think your SBOM uploaded successfully?**

If you're still not seeing your SBOM, check the status of your SBOM file upload via the **Manage SBOMs** drop-down button > **View file upload status**. In the status modal, click the icon next to the **Failed** status to get more information. If you need help, [contact us](mailto:support@medcrypt.com).

**SBOM contains component hashes**

Although you can't currently view masked component hashes in Helm, rest assured that the component hash information in your SBOM has been retained and will be exported intact to any [SBOM report](https://helm.docs.medcrypt.com/ensure-fda-readiness/fda-ready-sbom-and-vulnerability-reports).

## Need help getting started?

### **Have a different SBOM format**

If you have another format (e.g., Word, CSV), [contact us](mailto:support@medcrypt.com) so we can convert it for you. We’re in the process of adding more complete support for all of the data in your CycloneDX SBOM, as well as adding support for the SPDX SBOM format.

Don’t worry – we’ve got you covered! We can [provide expert assessment, guidance, and design](https://www.medcrypt.com/services/overview) of anything from building cybersecurity and continuous improvement into your product development lifecycle, to your Public Key Infrastructure cryptography, to FDA letters, and most anything in between.

### **Need to generate an SBOM**

We've worked with a lot of open-source tools ourselves and have also listed the other tools we know of for generating a [CycloneDX SBOM](https://helm.docs.medcrypt.com/get-started/dont-have-an-sbom/generate-cyclonedx-sbom-with-open-source-tools) or an [SPDX SBOM](https://helm.docs.medcrypt.com/get-started/dont-have-an-sbom/generate-spdx-sbom-with-open-source-tools).

### **Don't know what an SBOM is or not sure where to start**

Take our [FDA readiness assessment survey](https://docs.google.com/forms/d/1REk-QXwY4JM3gYg87xXp7z-iddW1-m87ynn2HmWvkTo/viewform?edit_requested=true) to start down your path to a smooth FDA submission process!
