SBOM Response release notes
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of SBOM Response release notes
The SBOM Response application on the ServiceNow Store delivers comprehensive capabilities to manage and mitigate risks associated with open-source and vendor-supplied software components through Software Bill of Materials (SBOM). It integrates vulnerability intelligence, license compliance management, and policy enforcement within the ServiceNow platform, empowering customers to maintain software security and compliance efficiently.
Show less
Key Features
- Vulnerability and Component Management: Track vulnerabilities with integrations to OSV.dev, Deps.dev, and third-party sources like Snyk. The application provides detailed views of components, their current and latest versions, and associated vulnerabilities (CVEs and CWEs), supporting informed risk decisions.
- SBOM File Support: Upload SBOM files in CycloneDX (XML/JSON) and SPDX (JSON) formats to import and manage bill of materials data.
- License Compliance: Classify licenses as Permitted, Restricted, Banned, or Unclassified, and assign licenses to components to monitor license compliance and risk exposure.
- Policy as Code Engine (PaCE): Identify and mark stale or abandoned components as Non-compliant, enabling proactive compliance enforcement.
- Application Vulnerable Items (AVITs): Manage AVIT lifecycle with features like bulk deletion of BOM entities, automatic AVIT status transitions, and enhanced overview records displaying detailed vulnerability and component data.
- Performance and Usability Enhancements: Improved load times for SBOM workspace modules, accessibility fixes, and interface improvements such as truncation of titles and language preference consistency.
- Security and Platform Compliance: Enhancements aligned with ServiceNow Platform Security guidance, including read-only dictionary fields and plugin-specific fix scripts to prevent conflicts.
Practical Impact for ServiceNow Customers
- Gain better visibility into software component risks and vulnerabilities through integrated intelligence sources.
- Streamline compliance management with license classification and assignment capabilities.
- Enhance risk mitigation workflows by managing AVITs effectively, including bulk operations and automatic status updates.
- Leverage policy enforcement to identify non-compliant components and enforce governance.
- Benefit from improved platform security compliance and smoother upgrade experiences thanks to version-specific fixes and enhancements.
Version Highlights
- 6.5.3 (June 2026): Security alignment, improved vendor SBOM upload reliability, and read-only dictionary fields.
- 6.0.1 (February 2025): Bulk deletion of BOM entities with automatic AVIT closure.
- 5.0.3 (November 2024): License compliance management enhancements.
- 3.2.3 (May 2024): Support for CycloneDX and SPDX SBOM file standards and performance improvements.
- 3.0.3 (November 2023): Integration support for OSV.dev and Deps.dev vulnerability intelligence.
- 2.0.5 (August 2023): Initial release providing risk visibility and response workflows for open-source components.
Version history for the Vulnerability Response Data Model for SBOM application on the ServiceNow Store.
Important:
For details on system requirements and family compatibility, view the application
listing on the ServiceNow Store
website.
Version history
- Version 6.5.3 - June 2026 (USEM)
-
- The following enhancements and changes support internal security directives:
- Enhancements to the SBOM Response plugin to align with ServiceNow Platform Security guidance.
- Read-only dictionary fields for SBOM Response tables.
- Fix script renamed to a per-plugin name to prevent update set conflicts with other SBOM plugins.
- Fixed: Vendor SBOM upload reliability — Resolved an error that occurred when uploading vendor-supplied SBOMs.
- The following enhancements and changes support internal security directives:
- Version 6.5.2 - April 2026
- Fixed: UI action buttons on the BOM entity details page are visible regardless of your selected language preference.
- Version 6.4.1 - December 2025
- Fixed:
- Fixed an issue where titles in the All BOM Entity widget wrapped vertically instead of truncating properly when the page was resized.
- Fixed multiple accessibility issues across the SBOM workspace, including heading structure, content alignment, and layout behaviour at various screen sizes.
- Fixed:
- Version 6.3.2 - September 2025
- Fixed: Resolved vulnerability visibility issue by removing redundant active status filter from component vulnerabilities relationship. As a result, vulnerabilities are now visible in the vulnerabilities tab.
- Version 6.3.1 - August 2025
-
- Fixed:
- Fixed an issue in the OSVAPIIntegration script where the integration failed with an error. OSV API that lacked the expected results key. The script now safely checks for the existence of results before accessing it, ensuring the integration handles empty or malformed responses gracefully without breaking.
- Fixed a display issue in the component widget where the count was incorrectly showing as 0 in the summary view. Upon investigation, it was determined that while the drill-down view displayed the correct component count, the main widget consistently showed zero. This has been resolved, and the component widget now accurately reflects the true component count at all levels of the interface.
- Fixed:
- Version 6.2.2 - June 2025
- Fixed an issue in OSV integration where conflicts arose with existing NVD entries due to CVE IDs in the payload, resulting in broken component-vulnerability links. The integration now handles such cases to prevent duplicate or invalid records. Improvements to deps.dev Integration - Optimized the sorting logic for package version lists and replaced the onComplete script with a Business Rule triggered on version updates, improving performance and accuracy in stale/abandoned package detection. OSV Integration Optimization - Removed unnecessary caching to reduce memory usage and prevent potential out-of-memory issues during large data processing. Business Application Population Enhancement - Now populating business_application on AVIT and app release records only when the associated component has a business application, aligning with customer requirements.
- Version 6.1.0 - May 2025
- Fixed an issue where AVI counts on components were not updating after AVIT creation via SBOM AVI rules.
- Version 6.0.1 - February 2025
-
- New:
- Improvements to the Software Bill of Materials Workspace permit you to delete multiple BOM entity records and their related components from the Home (landing) page with bulk edit.
- Any Application Vulnerable Items (AVIT)s that are associated with the BOM entities you delete automatically transition to 'Closed'.
- New:
- Version 5.0.5 - December 2024
- Minor fixes for this release.
- Version 5.0.3 - November 2024
-
- New:
- Improvements to the SBOM Response application to help you determine your over-all license compliance and risk exposure to the open-source and vendor-supplied software components you use in your application development:
- View all the licenses that are used in your organization in the License administration module.
- Classify existing licenses as: "Permitted", "Restricted", "Banned", or "Unclassified", and create new licenses.
- For unassigned or missing licenses, you can manually assign licenses to components used by your applications.
- Improvements to the SBOM Response application to help you determine your over-all license compliance and risk exposure to the open-source and vendor-supplied software components you use in your application development:
- New:
- Version 4.0.5 - October 2024
-
- New:
- 'Closed' AVITs will not transition to 'Open' if AVITs have the substates: 'Mitigation Control in Place', 'Not Affected', or 'False Positive'.
- The sn_sbom_resp.reopen_avits_if_detected system property for this feature is activated by default.
- Set the value of the sn_sbom_resp.reopen_avits_if_detected system property to 'false' if you do not want 'Closed' AVITs to reopen automatically.
- New:
- Version 4.0.3 - August 2024
- New: View components that are identified as stale or abandoned as Non-compliant' in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
- Version 3.3.0 - June 2024
- New: Data Model changes to accommodate the Vulnerability Intelligence integration.
- Version 3.2.3 - May 2024
-
- New:
- Upload SBOM files for the CycloneDX and SPDX standards.
- XML and JSON formats are supported for CycloneDX for versions up to and including v1.4.
- JSON format is supported for SPDX for versions up to and including v2.3.
- Performance enhancements in the SBOM Workspace for the BOM Entities and Components pages. You might experience faster load times for the Home and Components modules in the SBOM Workspace.
- New:
- Version 3.1.3 - February 2024
-
- New:
- Updated Overview tab for the application vulnerable item (AVIT) record enables you to view the following data:
- Details.
- Associated vulnerability.
- SBOM component.
- Discovered application.
- Added the Fixed versions related list on the AVIT record.
- Updated Overview tab for the application vulnerable item (AVIT) record enables you to view the following data:
- Changed:
- Enhancements to integration processing for OSV.dev and Deps.dev.
- Condition builder on the AVIT creation rules form that enables you to add rule conditions for applications, vulnerabilities, business application, and components.
- Removed: Deactivated remediation task rules for SBOM AVITs. You can activate this feature for SBOM AVITs with a system property.
- New:
- Version 3.0.3 - November 2023
-
- New:
- Supports the Deps.dev and OSV.dev integrations that are included with the SBOM Response application that you can run on-demand.
- OSV.dev provides vulnerability intelligence information for a given version of a package or library.
- Deps.dev provides a version list for a given package or library and package intelligence for Stale and Abondoned components.
- Supports the third-party Snyk Vulnerability Insights integration that can provide you with information for how to fix components with vulnerabilities. This integration is not included with SBOM Response but is available in the ServiceNow Store.
- Uploaded data extracted from these vulnerability intelligence integrations is dispalyed on the SBOM Response workspace dashboard and in the list and form views of the components.
- View components that are 'Stale' and 'Abandoned'.
- View the current and latest versions of the BOM Components.
- View Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) data for components broken down by severity.
- Supports the Deps.dev and OSV.dev integrations that are included with the SBOM Response application that you can run on-demand.
- New:
- Version 2.0.6 - September 2023
-
- New:
- The data model is updated so it supports the Vulnerability Intelligence use case.
- Discovered application and SBOM component are two new fields displayed on the AVI form.
- Mark as false positive and Request exception are supported on AVIs in the SBOM Workspace.
- Changed:
- Fewer fields are supported in the condition builder for AVI creation rules in the SBOM Workspace.
- New:
- Version 2.0.5 - August 2023
- Initial release: SBOM Response provides you with visibility into the risks with using open-source components in your organization. You can respond to identified risks with the workflow and automation capabilities of the NOW Platform.