← All tools
Free Tool
SBOM Validator (BSI TR-03183-2)
Upload or paste a CycloneDX or SPDX JSON SBOM and check it against BSI TR-03183-2 v2.1.0, the German federal guideline that concretises the CRA SBOM requirement. The validator verifies the minimum specification version (CycloneDX 1.6 or SPDX 3.0.1) and every required data field for the SBOM itself and for each component, including creator, timestamp, dependencies, licences and hashes. Validation runs entirely in your browser.
Validate your SBOM against BSI TR-03183-2
Upload or paste a CycloneDX or SPDX JSON document. Validation runs entirely in your browser. Your SBOM is never uploaded or stored.
Frequently asked
What does BSI TR-03183-2 require from an SBOM?
TR-03183-2 is the German Federal Office for Information Security (BSI) technical guideline on SBOMs for the Cyber Resilience Act. Version 2.1.0 requires a machine-processable SBOM in CycloneDX 1.6 or later, or SPDX 3.0.1 or later (JSON or XML), one SBOM per software version, and a defined set of data fields: the SBOM's creator and timestamp, and for every component its creator, name, version, filename, dependencies, distribution licences, a SHA-512 hash of the deployable form, and the executable, archive and structured properties.
Is an SBOM mandatory under the CRA?
Yes. CRA Annex I Part II(1) requires manufacturers to identify and document vulnerabilities and components, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product. TR-03183-2 is the most concrete official guidance available on how to fulfil this.
My SBOM is CycloneDX 1.4 or SPDX 2.3. Is that a problem?
Older versions still parse and remain useful, and TR-03183-2 includes a transitional system. However, the current guideline sets CycloneDX 1.6 and SPDX 3.0.1 as the minimum for a newly generated or updated SBOM. Most SBOM generators can already emit CycloneDX 1.6, so upgrading is usually a one-flag change in your build pipeline.
Does this tool upload my SBOM anywhere?
No. Validation runs entirely in your browser using the same open logic that CRA Portal uses server-side. Your SBOM never leaves your machine when you use this page.
Can vulnerability information be included in the SBOM?
TR-03183-2 explicitly says an SBOM MUST NOT contain vulnerability information, because SBOM data is static per software version while vulnerability knowledge changes daily. Vulnerability communication belongs in separate documents such as CSAF security advisories or VEX. CRA Portal publishes CSAF 2.0 advisories for exactly this purpose.
Ready to automate your CVD programme?
CRA Portal integrates all these tools and handles your Article 13 and 14 obligations automatically.
Start your free portal →