Exploring Software Bill of Materials
Summary of Exploring Software Bill of Materials
ServiceNow’s Software Bill of Materials (SBOM) feature enables your organization to upload and analyze SBOM files to identify third-party and open-source components used in your software applications. This helps you understand associated risks, such as vulnerabilities and license compliance issues, ensuring better visibility and control over your software supply chain.
SBOM files can be uploaded manually or via API and are processed to provide detailed inventories of components, including transitive dependencies and licensing information. The solution supports common SBOM standards such as CycloneDX and SPDX.
Key Features
- Component Inventory and Risk Assessment: View detailed lists of software components and assess potential exposure to vulnerabilities and non-compliant licenses.
- License Compliance Management: Upload proprietary and open-source licenses, classify licenses according to internal or regulatory policies, and track compliance status to mitigate legal risks.
- Integrated Vulnerability Intelligence: Access enhanced vulnerability data and automate the creation and remediation of vulnerable items through integration with Vulnerability Response applications.
- Support for Industry Standards: Compatible with CycloneDX (XML and JSON) and SPDX SBOM formats, supporting multiple versions to ensure broad applicability.
- Comprehensive Workspace and Reporting: Utilize the SBOM Workspace to view components, licenses, and vulnerability data, and generate reports and dashboards for ongoing monitoring.
- Advanced Integrations: Includes integrations with OSV.dev and Deps.dev APIs for detailed vulnerability intelligence and identification of stale or abandoned components classified as non-compliant via the Policy as Code Engine (PaCE).
Applications and Compatibility
The SBOM functionality comprises three main ServiceNow applications:
- Data Model for SBOM: Provides essential data tables, ACLs, and roles required to store and access SBOM data.
- SBOM Core: Handles the uploading, parsing, and displaying of SBOM files; supports multiple SBOM file formats and versions.
- SBOM Response: Enhances the SBOM Core with data visualizations, risk assessment capabilities, license classification, and links to Vulnerability Response workflows.
SBOM Response requires the Vulnerability Response application to function fully and supports automatic remediation processes for vulnerable components.
Intended Users
- Vulnerability Managers and Analysts: Use SBOM data to identify risks, view vulnerabilities, and assess license compliance.
- IT Managers, Auditors, and Legal Teams: Review and classify software licenses to ensure compliance with policies and regulations.
- Software Asset Managers: Build and maintain a database of software components and licenses for governance and risk management.
Benefits and Outcomes
- Gain comprehensive visibility into the third-party and open-source components within your applications.
- Identify and mitigate risks related to security vulnerabilities and license non-compliance.
- Streamline vulnerability management workflows by integrating SBOM data with Vulnerability Response processes.
- Support software supply chain governance with accurate, up-to-date inventories and compliance tracking.
Next Steps
To effectively implement and use the Software Bill of Materials capabilities, explore related resources on configuring SBOM applications, uploading and managing SBOM files, and utilizing the SBOM Workspace for reporting and monitoring.
Identify the components used in your organization's applications from Software Bill of Materials (SBOM) files you upload into your instance. Understand any risks associated with using open-source software to help you determine your potential exposure, view license compliance, and fix vulnerabilities.
Software Bill of Materials overview
Third-party and open-source components provide you with many advantages for the rapid creation and release of your software projects. However, in some cases, there are risks associated with using publicly accessible components, such as the following:
- Lack of visibility into component integrity
- Vulnerabilities in the open-source software
- Package Intelligence for open-source software
- Non-compliant software licenses
You can upload your software bill of materials files via an API or manually. The files that you import are shown as entities, which are inventories of the third-party component libraries used in your software, including any transitive dependencies and available licensing information.
For more information about what is included in the software inventories in CycloneDX and SPDX SBOMs, see CycloneDX - Software Bill of Materials (SBOM) and SPDX.
Software Bill of Materials users
| User | Description |
|---|---|
| Vulnerability managers and analysts | View uploaded software bill of materials files in records, data visualizations, as well as enhanced vulnerability intelligence in the Software Bill of Materials (SBOM) Workspace. Vulnerability managers and analysts use this information to help them determine your software licensing compliance and the potential risk exposure with using open-source software. |
| Users that might include, but are not limited to, IT managers, auditors, legal teams, and software asset managers | View uploaded proprietary and open-source software licenses for components of your uploaded SBOM files. Build a database of proprietary and open-source software licenses for the components. Review and classify licenses with missing information according to your internal or regulatory policies. Match your components to licenses, determine your overall license compliance, and see your potential risk exposure to banned, restricted, or missing licenses. |
Software Bill of Materials workflow
The SBOM applications enable you to upload files and view details for entities, component inventories, vulnerabilities, and software license information in the Software Bill of Materials (SBOM) Workspace.
- Upload SBOM files with an API or manually.
- Review the components in the SBOM file you uploaded in the SBOM Workspace.
- Review component license information from uploaded SBOM files and classify them to help you identify your exposure to restricted or banned licenses.
- Assess your risk exposure and create vulnerable items for components that have associated vulnerabilities.
- View reports and dashboards as well as your overall license compliance for uploaded SBOM components on the Home page in the SBOM Workspace.
Software Bill of Materials benefits
- Data Model for SBOM
- SBOM Core
- SBOM Response
For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
| Benefit | Application | Supported versions |
|---|---|---|
| This application provides the tables used to store SBOM data. This application is required. It includes the tables, ACLs, and roles that are required to read SBOM data. | Data Model for SBOM | v4.0, v3.0, v2.0 |
| This application is required. It includes the API required to upload SBOM documents and the business logic required to parse and import the data from those documents into your instance. You can view an inventory of your software components in the SBOM Workspace, but you cannot view the data visualizations on the landing page. Upload, parse, and process your software bill of materials files in the CycloneDX and SPDX standards. Refer to the Supported versions column for the supported file formats and versions for these products. View bill of materials (BOM) entities and an inventory of your software components. A BOM entity is the root-level component in an SBOM file. For example, for a CycloneDX SBOM, the component listed in the metadata is considered the BOM entity. | SBOM Core | v6.0, v5.0, v4.0. Starting with version 4.0, SBOM Core supports: |
| Generate and upload Software Bill of Materials (SBOM) files for software throughout its continuous integration and continuous deployment development cycles. | SBOM Response | v6.0, v5.0, v4.0 |
Vulnerability Response applications and CSDM tables
The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.