It’s a brand-new year, and we are excited to welcome it with several product updates that will improve your experience generating, managing, and importing a software bill of materials (SBOM).

These new features strengthen our already best-in-class SBOM functionality and will enable FOSSA users to increase software supply chain security and transparency.

CycloneDX Support

We are pleased to announce support for the CycloneDX SBOM standard. You can now generate CycloneDX SBOMs in JSON and/or XML formats, with an option to include vulnerability information.

Launched in 2017, CycloneDX is one of the leading SBOM formats. It supports multiple important use cases, including software inventory, application security, and software supply chain integrity. Plus, it’s one of the approved export formats under the U.S. government’s 2021 cybersecurity executive order.

CycloneDX is one of the only SBOM standards that includes vulnerability information, such as metadata and remediation guidance, as part of its specification. This plays an important role in improving transparency and trust in the software supply chain.

Support for CycloneDX is just the latest addition to FOSSA’s industry-leading SBOM tool. FOSSA users can generate SBOMs with numerous customizations (including headers and dependency metadata) and in a wide variety of formats (including SPDX, HTML, CSV, and Markdown). We have also expanded our SPDX support, so customers can now generate their SPDX SBOMs in JSON format.

For more information on using the CycloneDX standard and/or generating SBOMs with FOSSA, consider viewing one of our recent on-demand webinars.

SBOM Import

The modern software supply chain is a mix of in-house code, open source components, and third-party applications.

But, historically, it’s been very difficult for organizations to get detailed and accurate information about security risks they may face when using third-party applications. Modern SBOMs — which are human- and machine-readable and include extensive dependency metadata — are an important part of the solution.

Of course, the sheer volume of different software components in modern applications makes it hard to get maximum value from SBOMs without the right tooling. To that end, we’re excited to announce our new SBOM import feature that enables users to import SBOMs generated by third-party providers. This feature helps teams manage all their SBOMs and makes it easier to operationalize SBOMs across supply chain security and transparency initiatives.

Initially, SBOM import will support CycloneDX SBOMs and will be available only for FOSSA business and enterprise users.

For more information about using FOSSA or to get a preview of these features, click here to request a demo.