A Software Bill of Materials (SBOM) is a foundational element of modern supply chain security and a core requirement for compliance under the Cyber Resilience Act (CRA). The CVD Portal features a comprehensive SBOM Registry, providing a centralized repository for tracking the third-party libraries, open-source components, and proprietary code that make up your software products.
The registry allows you to import standard SBOM formats (such as SPDX and CycloneDX) generated by your build pipelines. Once ingested, the portal correlates these components against known vulnerability databases (like the NVD) to proactively identify embedded risks before they are exploited. This active monitoring ensures that you are immediately alerted when a new vulnerability is discovered in a component used by your products, allowing for rapid triaging and mitigation.
Maintaining an accurate and up-to-date SBOM Registry is essential for rapid incident response. When a major vulnerability (like Log4Shell) is disclosed, the registry allows you to instantly determine which of your products are affected and where the vulnerable component is located. This comprehensive visibility is crucial for demonstrating control over your software supply chain and fulfilling regulatory obligations regarding component transparency.
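As an added illustration of the correlation step described above and the "which products are affected" lookup after a Log4Shell-style disclosure, the following Python example (not code from the CVD Portal) parses a constructed CycloneDX document and matches each component's purl against a constructed advisory list with half-open affected version ranges. The product name, component versions and advisory ids are all placeholders, not real data.

```python
import json
import re

# Constructed CycloneDX 1.4-style SBOM for a hypothetical product; not real project data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "billing-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}
  ]
}
"""

# Constructed advisory feed standing in for an NVD-style database (ids are placeholders).
# Each entry says: versions with introduced <= v < fixed of the named package are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.0.0", "fixed": "2.12.0"},
]

def parse_version(version):
    """Turn a dotted version into a comparable tuple; non-numeric suffixes ('9-rc1') count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in version.split("."))

def is_affected(version, introduced, fixed):
    """True when the component version falls in the half-open range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def correlate(sbom_json, advisories):
    """Return (advisory id, product@version, component purl) for every vulnerable component."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    product_label = f'{product["name"]}@{product["version"]}'
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        package = purl.split("@", 1)[0]  # drop version (and any qualifiers) before matching
        for adv in advisories:
            if package == adv["package"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((adv["id"], product_label, purl))
    return findings

if __name__ == "__main__":
    for finding in correlate(SBOM_JSON, ADVISORIES):
        print(*finding)
```

Running it reports only the log4j-core entry, since jackson-databind 2.13.4 is at or above that advisory's fixed version.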