Exploring Software Bill of Materials

  • Release version: Yokohama
  • Updated February 26, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Software Bill of Materials

    The Software Bill of Materials (SBOM) feature in ServiceNow enables organizations to upload and analyze SBOM files to identify third-party and open-source components used in their applications. This capability helps you understand potential risks related to open-source software, such as vulnerabilities, non-compliant licenses, and component integrity issues. SBOM files can be uploaded manually or via API, and they include detailed inventories covering direct and transitive dependencies along with licensing information.

    Show full answer Show less

    Key Features

    • Component Inventory: View detailed records of software components from uploaded SBOM files in the SBOM Workspace, including license data and vulnerability status.
    • Risk and License Compliance Assessment: Classify and review software licenses against internal or regulatory policies to identify banned, restricted, or missing licenses and assess exposure.
    • Vulnerability Management Integration: Create and manage vulnerable items for components with known vulnerabilities, enhancing your security posture.
    • Data Visualization and Reporting: Access dashboards and reports summarizing license compliance and vulnerability risks on the SBOM Workspace home page.
    • Support for Industry Standards: Supports CycloneDX and SPDX SBOM formats, allowing broad compatibility with common SBOM file types and versions.
    • Advanced Integrations: Includes integrations with OSV.dev and Deps.dev for enhanced vulnerability intelligence and component lifecycle status (e.g., stale or abandoned components).

    Applications and Benefits

    • Data Model for SBOM: Core tables and access control to store and manage SBOM data.
    • SBOM Core: Provides APIs and business logic to import, parse, and display SBOM files; enables viewing component inventories but without landing page visualizations.
    • SBOM Response: Adds advanced features including risk assessment, automated creation of Application Vulnerable Items (AVITs), license compliance management, and visual dashboards. Requires Vulnerability Response application.

    Who Benefits

    • Vulnerability Managers and Analysts: Gain visibility into software components and vulnerabilities to manage risk and compliance.
    • Software Asset Managers and Legal Teams: Build and maintain a license database, classify licenses, and ensure compliance with internal policies and regulations.
    • IT Managers and Auditors: Use SBOM data for governance, audit readiness, and operational decision-making.

    Integration with Vulnerability Response and CSDM

    The SBOM applications integrate with Vulnerability Response and Application Vulnerability Response, contributing data to and utilizing Common Service Data Model (CSDM) tables. This integration enhances overall security operations and aligns with other ServiceNow security products.

    Next Steps for Customers

    • Configure and upload your SBOM files using supported CycloneDX or SPDX formats.
    • Use the SBOM Workspace to review component inventories, license compliance, and vulnerability exposure.
    • Leverage dashboards and reports to monitor risks and compliance status.
    • Explore integrations with OSV.dev, Deps.dev, and Policy as Code Engine (PaCE) for enhanced vulnerability intelligence and policy enforcement.

    Identify the components used in your organization's applications from Software Bill of Materials (SBOM) files you upload into your instance. Understand any risks associated with using open-source software to help you determine your potential exposure, view license compliance, and fix vulnerabilities.

    Software Bill of Materials overview

    Third-party and open-source components provide you with many advantages for the rapid creation and release of your software projects. However, in some cases, there are risks associated with using publicly accessible components, such as the following:

    • Lack of visibility into component integrity
    • Vulnerabilities in the open-source software
    • Package Intelligence for open-source software
    • Non-compliant software licenses

    You can upload your software bill of material files via an API or manually. View the files that you import as entities, which are inventories of the third-party component libraries used in your software, including any transitive dependencies and available licensing information.

    For more information about what is included in the software inventories in CycloneDX and SPDX SBOMs, see CycloneDX - Software Bill of Materials (SBOM) and SPDX.

    Software Bill of Materials users

    Table 1. Users
    User Description
    Vulnerability managers and analysts View uploaded software bill of materials files in records, data visualizations, as well as enhanced vulnerability intelligence in the Software Bill of Materials (SBOM) Workspace.

    Vulnerability managers and analysts use this information to help them determine your software licensing compliance and the potential risk exposure with using open-source software.
    Users that might include but are not limited to:
    • Technology or software lawyers
    • IT managers
    • Auditors
    • Software asset managers and teams
    		 View uploaded proprietary and open-source software licenses for components of your uploaded SBOM files.

    Build a database of proprietary and open-source software licenses for the components.

    Review and classify licenses with missing information according to your internal or regulatory policies.

    Match your components to licenses and determine your overall license compliance and see your potential risk exposure to banned, restricted, or missing licenses.

    Software Bill of Materials workflow

    The SBOM applications enable you to upload files and view details for entities, component inventories, vulnerabilities, and software license information in the Software Bill of Materials (SBOM) Workspace.

    • Upload SBOM files with an API or manually.
    • Review the components in the SBOM file you uploaded in the SBOM Workspace.
    • Review component license information from uploaded SBOM files and classify them to help you identify your exposure to restricted or banned licenses.
    • Assess your risk exposure and create vulnerable items for components that have associated vulnerabilities.
    • View reports and dashboards as well as your overall license compliance for uploaded SBOM components on the Home page in the SBOM Workspace.

    Software Bill of Materials benefits

    Three Software Bill of Materials applications enable you to view an accurate inventory of your software components and associated risks:
    • Data Model for SBOM
    • SBOM Core
    • SBOM Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Table 2. SBOM benefits
    Benefit Application Supported versions
    This application provides the tables used to store SBOM data. This application is required. It includes the tables, ACLs, and roles that are required to read SBOM data. Data Model for SBOM v4.0, v3.0, v2.0
    This application is required. It Includes the API required to upload SBOM documents and the business logic required to parse and import the data from those documents into your instance. You can view an inventory of your software components in the SBOM Workspace, but you cannot view the data visualizations on the landing page.

    Upload, parse, and process your software bill of materials files in CycloneDX and SPDX standards. Refer to the Supported versions column for the supported file formats and versions for these products. View bill of materials (BOM) entities and an inventory of your software components. A BOM entity is the root level component in an SBOM file. For example, for a CycloneDX SBOM, the component listed in the metadata is considered the BOM entity.

    		 SBOM Core

    v6.0, v5.0, v4.0

    Starting with version 4.0, SBOM Core supports:

    • XML and JSON versions 1.0 through 1.6 of CycloneDX.
    • JSON versions 2.2 through 2.3 of SPDX.
    • SBOM Response is required if you want access to the features and data visualizations on the landing page in the SBOM Workspace.
    • SBOM Response requires the Vulnerability Response application.
    • View your component inventory and assess your risk exposure in the SBOM Workspace. Set up rules to create application vulnerable items (AVITs) automatically and remediate them with the Application Vulnerability Response workflow.
    • View component license information that is uploaded with your SBOM files in the License administration module. Classify and resolve (match) the components you upload in your Application Vulnerability Response files to licenses so you can see the state of your over-all license compliance.
    • Starting with version 4.0 of Application Vulnerability Response Response, you can view components that are identified as stale or abandoned as ‘Non-compliant’ in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.

    • The OSV.dev and Deps.dev integrations are included when you install SBOM Response.

      • OSV.dev is an open-source API that provides vulnerability intelligence information for a given version of a package or library.
      • Deps.dev is an open-source API that provides a version list for a given package or library and identifies components that are in Stale and Abandoned states.

      See Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials for more information.

      See Integrating PaCE with other applications for more information about PaCE and PaCE policies.

    		 SBOM Response v6.0, v5.0, v4.0
    Generate and upload Software Bill of Materials (SBOM) files for software throughout its continuous integration and continuous deployment development cycles. SBOM Response
    • Data Model for SBOM: v1.4 and later.
    • SBOM Core: v3.0 and later.
    • SBOM Response: v4.0 and later.

    Vulnerability Response applications and CSDM tables

    The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.

    What to explore next

    To learn more about configuring and using Software Bill of Materials, see: