Collecting software bill of materials
A software bill of materials provides an inventory of the components, libraries, and dependencies included in a vendor's software. Third-party Risk Management (TPRM) supports collecting SBOM files as part of the due diligence process.
SBOM overview
A software bill of materials (SBOM) is a structured inventory file generated by a software vendor that lists the components, libraries, and dependencies used in a product. Risk teams can use SBOM data to review declared components and assess potential exposure associated with those components. Parsed SBOM data can be viewed in TPRM or in Unified Security Exposure Management (USEM). For more information about SBOM collection in Third-party Risk Management, see Exploring software bill of materials collection.
SBOM files must conform to a supported industry standard, such as CycloneDX or SPDX. Vendors typically provide SBOM files in JSON format; XML is also supported. If a third party uploads a file in any other format, such as PDF or Word, the system returns a parse error. In practice this means a vendor must upload the SBOM file itself, not a copy exported to PDF or pasted into a document. For details on preparing and formatting SBOM files, see the Unified Security Exposure Management (USEM) SBOM documentation.
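The following is an added example, not ServiceNow code and not the USEM SBOM parser: a small pre-submission check that a vendor or risk team can run on a file before it is uploaded. It recognizes CycloneDX (JSON and XML) and SPDX (JSON) by their standard markers, pulls out the declared components, and rejects the PDF and Word documents the page warns about by their magic numbers rather than by file extension. The sample SBOMs and the `triage()` accept/reject helper are constructed for this example; the real parser may apply stricter schema validation and may accept other serializations.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"  # CycloneDX XML namespace, version suffix varies

# Magic numbers of the document types the page calls out as unsupported:
# PDF, OOXML (.docx is a zip container) and legacy OLE2 (.doc).
BINARY_MAGIC = (b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


@dataclass
class SbomCheck:
    standard: str                     # "CycloneDX", "SPDX" or "unknown"
    encoding: str                     # "JSON", "XML" or "unsupported"
    components: list = field(default_factory=list)  # (name, version) pairs
    errors: list = field(default_factory=list)


def _local(tag: str) -> str:
    """Strip an XML namespace: '{ns}component' -> 'component'."""
    return tag.rsplit("}", 1)[-1]


def _cyclonedx_xml_components(root) -> list:
    comps = []
    for el in root.iter():
        if _local(el.tag) != "component":
            continue
        fields = {_local(c.tag): (c.text or "") for c in el}
        comps.append((fields.get("name", ""), fields.get("version", "")))
    return comps


def check_sbom(data: bytes) -> SbomCheck:
    """Classify an uploaded SBOM and pull out its declared components."""
    if data.startswith(BINARY_MAGIC):
        return SbomCheck("unknown", "unsupported", errors=["binary document (PDF/Word), not an SBOM"])
    text = data.decode("utf-8-sig", errors="replace").lstrip()

    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as e:
            return SbomCheck("unknown", "JSON", errors=[f"malformed JSON: {e}"])
        if doc.get("bomFormat") == "CycloneDX":
            comps = [(c.get("name", ""), c.get("version", "")) for c in doc.get("components", [])]
            return SbomCheck("CycloneDX", "JSON", comps)
        if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
            comps = [(p.get("name", ""), p.get("versionInfo", "")) for p in doc.get("packages", [])]
            return SbomCheck("SPDX", "JSON", comps)
        return SbomCheck("unknown", "JSON", errors=["JSON is neither CycloneDX nor SPDX"])

    if text.startswith("<"):
        try:
            root = ET.fromstring(text)
        except ET.ParseError as e:
            return SbomCheck("unknown", "XML", errors=[f"malformed XML: {e}"])
        if _local(root.tag) == "bom" and root.tag.startswith("{" + CDX_NS_PREFIX):
            return SbomCheck("CycloneDX", "XML", _cyclonedx_xml_components(root))
        return SbomCheck("unknown", "XML", errors=["XML root is not a CycloneDX bom"])

    return SbomCheck("unknown", "unsupported", errors=["not JSON or XML"])


def triage(data: bytes) -> dict:
    """Accept/reject decision to run before uploading (hypothetical helper, not a product API)."""
    r = check_sbom(data)
    return {"accept": r.standard != "unknown" and not r.errors,
            "standard": r.standard, "encoding": r.encoding,
            "component_count": len(r.components), "errors": r.errors}


# Constructed sample inputs, not real vendor SBOMs.
SAMPLE_CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2"},
    ],
}).encode()
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [{"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.12"}],
}).encode()
SAMPLE_CDX_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library"><name>zlib</name><version>1.3.1</version></component>
  </components>
</bom>"""
SAMPLE_PDF = b"%PDF-1.7\n(stand-in for an SBOM exported to PDF)"

if __name__ == "__main__":
    for label, blob in [("cdx-json", SAMPLE_CDX_JSON), ("spdx-json", SAMPLE_SPDX_JSON),
                        ("cdx-xml", SAMPLE_CDX_XML), ("pdf", SAMPLE_PDF)]:
        print(label, triage(blob))
```

Checking magic numbers rather than extensions matters because a renamed PDF still fails at the parser; catching it before submission avoids the parse error and the reopened assessment described under Limitations. The component list the check produces is the same kind of data (name and version per declared component) that the parsed component records carry once the upload succeeds.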
SBOM collection in Third-party Risk Management
SBOM collection occurs during third-party due diligence. The SBOM required field on the third-party due diligence request form indicates when SBOM collection is required for an engagement. When selected, the system associates an SBOM questionnaire template with the external assessment for that engagement.
The questionnaire is sent to an engagement contact through the third-party portal as part of the engagement-level external assessment. No additional assessments or alternate workflows are introduced as part of this process.
When the assessment is submitted, post-assessment processing sends the uploaded file to the SBOM API provided by Unified Security Exposure Management (USEM). Parsed SBOM component records are then associated with the relevant engagement and, where applicable, the related third-party record. The outcome of processing depends on the third party's response. For details on each response path, including error handling and third-party decline, see Request a software bill of materials from an engagement. For troubleshooting API processing issues, see the Unified Security Exposure Management (USEM) SBOM documentation.
The third-party risk assessor, third-party risk manager, and third-party administrator roles can access the SBOM workspace and upload or update manufacturer data. Third-party assessment reviewers can view SBOM component records on the engagement and third-party records but don't have access to the SBOM workspace. Internal reviewers don't have access to the SBOM workspace.
Limitations
The following constraints apply to SBOM collection:
- Smart Assessment Engine (SAE) only: SBOM collection is supported only for engagements that use the Smart Assessment Engine. This feature does not support classic assessments.
- Engagement-level collection: The SBOM questionnaire is associated with the engagement-level external assessment. This feature does not support collection at the third-party level directly.
- Supported file formats: JSON and XML are supported. Submitting a file in any other format returns a parse error and reopens the assessment for resubmission.
- Supported workflows: onboarding, renewal, and reassessment workflows are supported. For renewal and reassessment engagements, existing SBOM records can be updated rather than fully re-uploaded. This feature does not support offboarding.
- Risk scoring behavior: information derived from SBOM components is not incorporated into the overall Third-party Risk Management risk score by default. Organizations can configure this behavior.
- Component-to-vendor relationships: SBOM components reference the software manufacturer through the product model record. Automated relationships to sub-vendors or sub-processors are not established.
Feature availability
Availability of SBOM-related functionality depends on activated applications and configuration. The core due diligence workflow operates independently of SBOM processing.
SBOM collection capabilities are available separately. Check your entitlements to determine whether you have access to SBOM collection capabilities. All required applications are available from the ServiceNow Store and must be installed individually.
The following applications are required to collect and process SBOM files:
- SBOM Core (sn_sbom_core)
- Data Model for SBOM (sn_sbom_dm)
The following additional applications are required to view vulnerability details associated with SBOM components:
- SBOM Response (sn_sbom_resp)
- Vulnerability Response (sn_vul)