SBOM Core Response release notes

  • Release version: Store
  • Updated June 11, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of SBOM Core Response release notes

    The SBOM Core Response application in ServiceNow provides comprehensive management and processing of Software Bill of Materials (SBOM) files, supporting CycloneDX and SPDX standards. It enables organizations to maintain an accurate, searchable inventory of open-source components used in their environment, enhancing vulnerability response and software supply chain security.

    Show full answer Show less

    Key Features and Improvements

    • SBOM Parsing and Standards Support: Supports CycloneDX (XML/JSON formats, versions up to 1.6) and SPDX (JSON format up to v2.3). The parser has been enhanced to handle complex relationships, license information, and component types including platform, data, device driver, cryptographic, and machine learning models.
    • Performance and Reliability Enhancements: Improved SBOM ingestion performance through caching, optimized database transactions, and bulk processing of BOMs to increase throughput and reduce processing times.
    • Error Handling and Visibility: Added automatic timeout handling for stuck BOM records and improved error message capture on queue records for quicker diagnostics without manual log analysis.
    • UI and Usability Enhancements: Enhanced the SBOM Workspace with bulk delete capabilities for BOM entities and their related components, with automatic closure of associated Application Vulnerable Items (AVITs). UI accessibility improvements align with platform standards.
    • Data Model Extensions: Introduction of the [snsbompkggrp] table to uniquely manage package groups, with ACLs to control access and references within BOM components. This supports better organization and tracking of library components.
    • Localization and Internationalization: Failure messages from the CycloneDX parser are now fully translatable, improving usability in multilingual environments.
    • Integration and Automation: Support for GitHub Actions to verify SBOM file queuing in CI/CD pipelines, facilitating automated supply chain security checks.
    • Vendor SBOM Handling: Resolved issues that previously caused errors during third-party SBOM uploads, allowing seamless ingestion without manual intervention.

    Practical Benefits for ServiceNow Customers

    • Maintain a reliable, up-to-date inventory of all open-source components to support vulnerability management and compliance efforts.
    • Improve operational efficiency with automated processing, error handling, and bulk management capabilities, reducing manual tasks.
    • Gain better insight into SBOM processing metrics and failure reasons, enabling faster troubleshooting and improved system reliability.
    • Ensure compatibility with multiple SBOM standards and versions, supporting diverse software ecosystems.
    • Leverage enhanced data models and UI improvements to better organize component data and streamline workflows in the SBOM Workspace.

    Version history for the Vulnerability Response SBOM Core application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 6.3.2 - June 2026
    • Fixed:
      • SPDX entity-to-component relationships restored — An issue where the SPDX parser previously created relationships only from the explicit relationships block, so SPDX BOMs that rely on the package list to imply dependencies showed almost no "Depends on" data on the BOM entity record, for example, ~171 dependencies instead of the expected ~2500. The parser now performs an additional pass that creates an entity-to-component relationship for every non-root package, matching the existing CycloneDX behavior.
      • Vendor SBOM upload errors  — Resolved errors raised during vendor SBOM uploads so SBOMs supplied by third parties can be ingested without manual intervention.
      • VR BOM Entries deletion restored — The background-job configuration that drives VR BOM Entries deletion was packaged under a folder name that no longer matched the SBOM Sec Common plugin. The folder has been renamed so the background job is recognized again and BOM-entry deletion runs as expected.
      • Localized failure messages — The CycloneDX parser's "failed components" message is now produced as complete translatable sentences with numbered parameters, so the message is fully translatable.
    Version 6.3.1 - April 2026
    • New:
      • Automatic timeout handling for BOM records
        • Implemented automatic timeout handling for BOM records that remain stuck in the processing state for more than an hour. The system now tracks processing metrics by populating processing_startedtimestamp when BOM processing begins and calculating processing_durationwhen processing completes, times out, encounters errors, or is skipped, providing better visibility into BOM processing performance and reliability.
    • Fixed: An issue where BOM processing failures updated the queue record status but left the error message field empty or generic. Error reasons are now properly captured on BOM queue records, providing you with immediate visibility into failure causes without requiring you to analyze error logs.
    Version 6.2.2 - December 2025
    • Changed: Improved UI accessibility by rectifying heading hierarchy, updating the labels, and aligning components with the latest platform standards.
    • Fixed
      • Fixed CycloneDX v1.6 author parsing logic to ensure stable and compliant SBOM processing.
      • Fixed SBOM import failures by rectifying the license-handling logic during SBOM processing.
    Version 6.1.1 - August 2025
    • New:
      • Implemented caching improvements for frequently accessed data with optimized upsert operations for contacts, component relationships, BOM-component mappings, and license information.
      • Added two new scheduled jobs: an hourly job to process components with non-empty unprocessed_sbom_data, parsing and storing the information in appropriate tables before clearing the field
      • Enhanced BOM processing job that now handles all queued BOMs in a single execution instead of one at a time, significantly improving system throughput.
    Version 6.0.6 - May 2025
    • Fixed:
      • Fixed issue with SBOM API upload throwing "Unsupported BOM format" error; SBOM files now upload successfully without content type issues.
      • The CycloneDX parser is refactored to improve SBOM ingestion performance by reducing database transactions, implementing an LRU cache, and improving extensibility through modular parsing functions for different CycloneDX model properties.
    Version 6.0.3 - February 2025
    • New:
      • Improvements to the Software Bill of Materials Workspace permit you to delete multiple BOM entity records and their related components from the Home (landing) page with bulk edit.
      • Any Application Vulnerable Items (AVIT)s that are associated with the BOM entities you delete automatically transition to 'Closed'.
    Version 5.0.5 - December 2024
    Minor fixes for this release.
    Version 5.0.4 - November 2024
    • New: SBOM parser and validation improvements for the SBOM file upload.
    • Changed: Updates to the SBOM upload modal to include the "Business application" and "Product model" attributes.
    Version 4.0.4 - August 2024
    • New:
      • Improvements to support SBOM files in CycloneDX format:
        • Activate the (sn_sbom_core.collect_properties) property to import information that is generally not supported.
        • View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX.
        • SBOM parsing support is improved for the following CycloneDX versions and component types: Version 1.5 - Platform, Data, Device driver, Machine Learning model. Version 1.6 - Cryptographic.
        • Use GitHub Actions in your GitHub environment to determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform instance.
    Version 3.0.3 - May 2024
    • New:
      • Upload SBOM files for the CycloneDX and SPDX standards.
      • XML and JSON formats are supported for CycloneDX for versions up to and including v1.4.
      • JSON format is supported for SPDX for versions up to and including v2.3.
    Version 2.1.1 - February 2024
    • New:
      • View the SBOM inventory in the SBOM Workspace.
      • Component information displayed on the application vulnerable item (AVIT) record.
      • PURL validation support.
    Version 2.0.2 - November 2023
    • New:
      • Created the [sn_sbom_pkg_grp] table for the Data Model.
        • Package manager and name is the unique key for this table.
        • Added ACLs on the table for the sn_sbom_dm.app_read role.
        • Records are created and updated by scripts, but you cannot create, write, or delete the data.
      • Added a report view ACL with the sn_sbom_dm.app_read role.
      • Added a reference to the package group table on the BOM Component table.
      • Updated the CycloneDX parser so it identifies the package group and populates its information into the [sn_sbom_pkg_grp] table. For each component of the type, 'library' the parser:
        • Determines and populates the package manager, name, and base PURL in the package group table.
        • Updates the Package group reference on that component's record.
    Version 1.0.8 - September 2023
    • New: Added the BOM Entities related list on the component form. You can see all the BOM entities that the component is used in on this related list.
    • Fixed: You can manually upload BOM documents as expected.
    Version 1.0.5 - August 2023
    Initial release: SBOM Core helps organizations maintain the searchable inventory of all the open-source components used in their environment.