SBOM records and relationships in Third-party Risk Management
Summarize
Summary of SBOM records and relationships in Third-party Risk Management
This content explains how Software Bill of Materials (SBOM) data is managed within ServiceNow's Third-party Risk Management (TPRM) application. It details the creation, tracking, and relationships of SBOM records collected during third-party engagements, helping customers understand how SBOM submissions are processed, stored, and linked to engagements and third parties.
Show less
SBOM Document Tracking and Processing
- SBOM Document Related List: Appears on each engagement record, tracking every SBOM submission attempt, including both successful and failed uploads.
- Supported Formats: JSON and XML files are accepted; unsupported formats result in parse errors and are logged as failed attempts.
- Record Retention: Each submission creates a new SBOM document record, and previous documents are retained rather than replaced.
- Reviewer Access: Third-party assessment reviewers can view SBOM document and BOM component records on engagement and third-party records but cannot access the SBOM workspace.
BOM Components and Vulnerability Data
- BOM Components Related List: Displays all BOM component records from SBOM files collected in an engagement, representing libraries or dependencies declared in the SBOM.
- Vulnerability Information: When integrated with SBOM Response and ITSM Vulnerability Response applications, vulnerability details may be visible at the component level, though severity is not aggregated at the engagement or third-party level.
SBOM Data Model and Relationships
SBOM records are linked through multiple relationships enabling comprehensive tracking:
- Engagement to SBOM Document: A many-to-many (M2M) table connects engagements to their SBOM documents.
- SBOM Document to Assessment Instance: The SBOM document record references the Smart Assessment Engine (SAE) assessment instance that triggered the upload.
- SBOM Document to BOM Entity: Each parsed SBOM file creates a parent BOM entity representing the entire SBOM.
- BOM Entity to BOM Components: BOM entities have child records for each declared library or dependency.
- BOM Components to Third Party: Components can be associated with third parties via product model relationships.
- Engagement to BOM Components: Components are accessible from engagements through the chain of related records.
Note: SBOM workspace uploads do not link to engagements; linkage only occurs when SBOMs are collected through the TPRM workflow.
Work Notes and Activity Logging
Work notes on external assessments provide a chronological log of SBOM processing events, such as queuing for processing, success confirmations, parsing errors, and third-party decline actions.
SBOM Questionnaire Template and Automation
- The provided SBOM questionnaire template in TPRM collects responses on SBOM availability and file uploads, and can be customized to meet organizational needs.
- A Flow Designer subflow automates post-assessment actions including sending files to the SBOM API, updating status records, handling success or errors, and managing third-party declines.
Practical Benefits for ServiceNow Customers
- Enables structured collection and management of SBOM data within third-party engagements.
- Provides clear tracking of submission attempts and processing outcomes to support audit and review processes.
- Links SBOM components to third parties for enhanced risk visibility.
- Supports vulnerability insights at the component level when integrated with vulnerability response applications.
- Automates post-assessment workflows to streamline SBOM submission handling and error management.
The records, related lists, and relationships created when you collect SBOM data in Third-party Risk Management, and how those records relate to engagements and third parties.
SBOM document related list (engagement)
The SBOM document related list appears on the engagement record and tracks each SBOM submission attempt for that engagement. Separate entries are created for successful and failed uploads.
Successful processing depends on whether the submitted file conforms to a supported SBOM schema and can be parsed by the SBOM API. Supported formats are JSON and XML. Files submitted in any other format return a parse error and a new entry is created in this list to record the failed attempt.
Each submission attempt creates a separate SBOM document record. Previously submitted documents are retained and not replaced or removed.
| Field | Description |
|---|---|
| Format | The declared file format of the SBOM submission, for example, JSON or XML. |
| Version | The version declared in the SBOM file. |
| Status | The processing status of the submission, for example, queued, processed successfully, or error. |
| Source assessment | The assessment instance that triggered the SBOM upload. |
BOM components related list (engagement)
The BOM components related list on the engagement record shows all BOM component records generated from SBOM files collected for that engagement. Each component represents a declared library or dependency from the submitted SBOM.
If the SBOM Response and ITSM Vulnerability Response applications are available, vulnerability-related columns may appear at the individual component level. Vulnerability severity is not rolled up to the engagement or third-party level.
Data model and record relationships
This table describes how SBOM records relate to each other and to TPRM records after a successful upload.
| Relationship | How it works |
|---|---|
| Engagement → SBOM document | An M2M table (sn_vdr_risk_asmt_m2m_engagement_sbom_doc) links each engagement to the SBOM documents collected for it. |
| Engagement SBOM document → Smart assessment instance | The M2M table also links to the SAE assessment instance (sn_smart_asmt_instance) that triggered the SBOM upload. This relationship is surfaced as the Source assessment field on the SBOM document record. |
| SBOM document → BOM entity | When the SBOM API parses a file, it creates a parent BOM entity record representing the submitted SBOM document as a whole. |
| BOM entity → BOM components | Each BOM entity has one or more child BOM component records representing individual libraries and dependencies declared in the SBOM. |
| BOM component → third party | BOM components can be associated with a third party through the product model relationship. The product model manufacturer field can reference a core_company record. |
| Engagement → BOM components | Components are surfaced on the engagement through the relationship chain: engagement → SBOM document → BOM entity → BOM components. |
Work notes tracking
Work notes on the external assessment provide a running log of SBOM processing activity. Examples include:
- Queued for processing — written when the submission is sent to the SBOM API.
- Processed successfully — written when the SBOM API confirms successful parsing.
- Error message — written when parsing fails, including the reason returned by the SBOM API.
- Third-party declined — written when the engagement contact selects a No response option.
SBOM questionnaire template
The SBOM questionnaire template is provided by ServiceNow and is configured as a TPRM external questionnaire with scoring disabled.
The template includes these questions:
- Can you provide an SBOM?
- Yes
- No, we do not generate SBOMs.
- No, we do not disclose SBOMs outside the company.
- No, other. (Please explain.)
- Upload your SBOM file. This question appears only when the response to question 1 is Yes.
You can modify the questionnaire template to meet internal requirements.
Post-assessment automation
A subflow in Flow Designer handles post-assessment actions when an SBOM questionnaire is submitted.
The subflow performs these actions:
- Sends the uploaded file to the SBOM API.
- Tracks the
sn_bom_docrecord status. - On success, creates the engagement-to-SBOM relationship and updates assessment activity.
- On error, records the error message and enables resubmission.
- On third-party decline, records the response and closes the assessment.