Exploring supported applications for Software Bill of Materials

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring supported applications for Software Bill of Materials

    The Software Bill of Materials (SBOM) applications in ServiceNow integrate with various supported ServiceNow and third-party applications to enrich vulnerability data and enhance the management of software components within your environment. These integrations enable you to identify stale or abandoned components and assess vulnerabilities effectively, improving your ability to prioritize and remediate risks related to software components.

    Show full answer Show less

    Key Features

    • Vulnerability Response Application: Required for installing the SBOM Response application. It provides essential vulnerability management features, including access to the Vulnerability Manager Workspace and workflows to remediate Application Vulnerable Items (AVITs).
    • Integration with National Vulnerability Database (NVD) and CWE: Enhances vulnerability severity data by importing trusted vulnerability intelligence, enriching the data associated with your SBOM files.
    • Veracode Vulnerability Integration: Supports importing SBOM files in CycloneDX and SPDX formats. When used with SBOM Response, it links vulnerabilities found in uploaded SBOM files, mapping them to the Bill of Materials records for better tracking and remediation.
    • GitHub Integration: Allows uploading SBOM files directly from GitHub repositories to the ServiceNow AI Platform. It supports verifying successful SBOM file queuing from CI/CD pipelines and enables proactive protection of development environments through GitHub Actions available in the GitHub Marketplace.

    Key Outcomes

    • Improved visibility into software components with up-to-date vulnerability intelligence.
    • Enhanced ability to prioritize vulnerability remediation using integrated workflows and workspaces.
    • Streamlined import and management of SBOM files from multiple sources, including Veracode and GitHub.
    • Protection of software development pipelines by detecting and preventing the use of vulnerable or abandoned components.

    Third-party vulnerability intelligence and other integrations with the Software Bill of Materials applications can enhance the data of your uploaded files.

    Supported applications benefits

    Third-party vulnerability intelligence and other integrations with the Software Bill of Materials applications permit you to view counts for components that are considered stale and abandoned, as well as information about if you can fix any vulnerabilities associated with components.

    The ServiceNow® applications and third-party integrations listed in the following table are supported by the SBOM applications. These applications provide you with enriched vulnerability data, vulnerability intelligence, and other key information that can help you view and prioritize the vulnerabilities associated with SBOM files. All these applications and integrations are available from the ServiceNow® Store.

    Table 1. Supported applications and third-party integrations
    Benefit Application Supported versions Users

    Vulnerability Response is required if you install the SBOM Response application. Install The Vulnerability Response application prior to installing SBOM Response.

    Application Vulnerability Response features are installed with Vulnerability Response. These features enable access to the Vulnerability Manager Workspace in the Vulnerability Response application and the vulnerability workflow to help you remediate application vulnerable items (AVIT)s.

    		 Vulnerability Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
    View enhanced NVD vulnerability and severity data. View imported data from the NVD and CWE integrations to enrich any vulnerability data you might find in your SBOM data.

    See Importing data with the NVD and CWE integrations and managing third-party libraries for more information.

    		 Vulnerability Response Integration with NVD and SBOM Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
    Import software bills of material files with the Veracode Vulnerability Integration. The Veracode Vulnerability Integration includes the following enhancements with Veracode SBOM files:
    • If you have installed SBOM Response, you have the option to include vulnerabilities found by SBOM for the SBOM files you upload.
    • SBOM is mapped to the Source field for records in the Bill of Materials [sn_sbom_doc] table for the SBOM SBOM files that you upload.

    See Veracode Vulnerability Integration for more information.

    		 Veracode Vulnerability Integration and SBOM Response

    Starting with version 4.3 of the Veracode Vulnerability Integration.

    If you have the Veracode Vulnerability Integration already installed, you can also upload imported Veracode SBOM data in CycloneDX (JSON and XML) and SPDX (XML) formats starting with version v3.0 of SBOM Core.

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Upload SBOM files to the ServiceNow AI Platform from your GitHub repositories. Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform instance.

    Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.

    		 Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace. Starting with version 4.0 of SBOM Core.