Exploring supported applications for Software Bill of Materials

  • Release version: Xanadu
  • Updated October 25, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Supported Applications for Software Bill of Materials

    The Software Bill of Materials (SBOM) applications enhance your vulnerability management capabilities by integrating with third-party vulnerability intelligence. These integrations provide detailed insights into software components, helping users identify stale and abandoned components and assess vulnerabilities effectively.

    Show full answer Show less

    Key Features

    • Vulnerability Response Integration: Required alongside the SBOM Response application, it provides access to the Vulnerability Manager Workspace and aids in remediating vulnerable items.
    • Enhanced Vulnerability Data: Integrations with NVD and CWE allow users to view comprehensive vulnerability and severity data, enriching the SBOM files uploaded.
    • Veracode Vulnerability Integration: Facilitates the import of SBOM files and includes the option to identify vulnerabilities associated with uploaded SBOM data. Supports CycloneDX and SPDX formats starting from specific versions.
    • GitHub Integration: Enables uploading of SBOM files directly from GitHub repositories, streamlining the CI/CD process and ensuring safe software development cycles.

    Key Outcomes

    By leveraging these supported applications, ServiceNow customers can effectively prioritize and manage vulnerabilities associated with their software components. The integrations empower users to take proactive measures in vulnerability remediation and enhance the overall security posture of their software development processes.

    Third-party vulnerability intelligence and other integrations with the Software Bill of Materials applications can enhance the data of your uploaded files.

    Supported applications benefits

    Third-party vulnerability intelligence and other integrations with the Software Bill of Materials applications permit you to view counts for components that are considered stale and abandoned, as well as information about if you can fix any vulnerabilities associated with components.

    The ServiceNow® applications and third-party integrations listed in the following table are supported by the SBOM applications. These applications provide you with enriched vulnerability data, vulnerability intelligence, and other key information that can help you view and prioritize the vulnerabilities associated with SBOM files. All these applications and integrations are available from the ServiceNow® Store.

    Table 1. Supported applications and third-party integrations
    Benefit Application Supported versions Users

    Vulnerability Response is required if you install the SBOM Response application. Install The Vulnerability Response application prior to installing SBOM Response.

    Application Vulnerability Response features are installed with Vulnerability Response. These features enable access to the Vulnerability Manager Workspace in the Vulnerability Response application and the vulnerability workflow to help you remediate application vulnerable items (AVIT)s.

    		 Vulnerability Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
    View enhanced NVD vulnerability and severity data. View imported data from the NVD and CWE integrations to enrich any vulnerability data you might find in your SBOM data.

    See Importing data with the NVD and CWE integrations and managing third-party libraries for more information.

    		 Vulnerability Response Integration with NVD and SBOM Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
    Import software bills of material files with the Veracode Vulnerability Integration. The Veracode Vulnerability Integration includes the following enhancements with Veracode SBOM files:
    • If you have installed SBOM Response, you have the option to include vulnerabilities found by SBOM for the SBOM files you upload.
    • SBOM is mapped to the Source field for records in the Bill of Materials [sn_sbom_doc] table for the SBOM SBOM files that you upload.

    See Veracode Vulnerability Integration for more information.

    		 Veracode Vulnerability Integration and SBOM Response

    Starting with version 4.3 of the Veracode Vulnerability Integration.

    If you have the Veracode Vulnerability Integration already installed, you can also upload imported Veracode SBOM data in CycloneDX (JSON and XML) and SPDX (XML) formats starting with version v3.0 of SBOM Core.

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Upload SBOM files to the ServiceNow AI Platform from your GitHub repositories. Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform instance.

    Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.

    		 Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace. Starting with version 4.0 of SBOM Core.