Exploring Software Bill of Materials

  • Release version: Zurich
  • Updated July 31, 2025

    Identify the components used in your organization's applications from Software Bill of Materials (SBOM) files you upload into your instance. Understand any risks associated with using open-source software to help you determine your potential exposure, view license compliance, and fix vulnerabilities.

    Software Bill of Materials overview

    Third-party and open-source components provide you with many advantages for the rapid creation and release of your software projects. However, in some cases, there are risks associated with using publicly accessible components, such as the following:

    • Lack of visibility into component integrity
    • Vulnerabilities in the open-source software
    • Package Intelligence for open-source software
    • Non-compliant software licenses

    You can upload your software bill of materials files via an API or manually. View the files that you import as entities, which are inventories of the third-party component libraries used in your software, including any transitive dependencies and available licensing information.

    For more information about what is included in the software inventories in CycloneDX and SPDX SBOMs, see CycloneDX - Software Bill of Materials (SBOM) and SPDX.

    Software Bill of Materials users

    Table 1. Users

    User: Vulnerability managers and analysts
    Description: View uploaded software bill of materials files in records and data visualizations, as well as enhanced vulnerability intelligence, in the Software Bill of Materials (SBOM) Workspace. Vulnerability managers and analysts use this information to help them determine your software licensing compliance and the potential risk exposure of using open-source software.

    User: Other users, which might include but are not limited to:
    • Technology or software lawyers
    • IT managers
    • Auditors
    • Software asset managers and teams
    Description:
    • View uploaded proprietary and open-source software licenses for components of your uploaded SBOM files.
    • Build a database of proprietary and open-source software licenses for the components.
    • Review and classify licenses with missing information according to your internal or regulatory policies.
    • Match your components to licenses, determine your overall license compliance, and see your potential risk exposure to banned, restricted, or missing licenses.

    Software Bill of Materials workflow

    The SBOM applications enable you to upload files and view details for entities, component inventories, vulnerabilities, and software license information in the Software Bill of Materials (SBOM) Workspace.

    • Upload SBOM files with an API or manually.
    • Review the components in the SBOM file you uploaded in the SBOM Workspace.
    • Review component license information from uploaded SBOM files and classify them to help you identify your exposure to restricted or banned licenses.
    • Assess your risk exposure and create vulnerable items for components that have associated vulnerabilities.
    • View reports and dashboards as well as your overall license compliance for uploaded SBOM components on the Home page in the SBOM Workspace.
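    The workflow above starts with parsing the uploaded file into a BOM entity, a component inventory with its transitive dependencies, and per-component license data that can then be classified. The following Python script is an added illustration of those steps on a CycloneDX JSON document; it is not ServiceNow's code and does not use any ServiceNow API. The sample SBOM, the policy sets in POLICY, and the status names ("missing", "banned", "restricted", "compliant") are all constructed for the example.

```python
"""Parse a CycloneDX JSON SBOM, identify the BOM entity, walk transitive
dependencies, and classify component licenses against a license policy."""
import json
from collections import deque

# Constructed sample SBOM in CycloneDX 1.5 JSON shape (not a real project's file).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app@1.0.0", "type": "application",
                               "name": "payments-api", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.18.2", "purl": "pkg:npm/express@4.18.2",
         "name": "express", "version": "4.18.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/qs@6.11.0", "purl": "pkg:npm/qs@6.11.0",
         "name": "qs", "version": "6.11.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        # No licenses block at all: the "missing license" case.
        {"bom-ref": "pkg:npm/mystery@0.1.0", "purl": "pkg:npm/mystery@0.1.0",
         "name": "mystery", "version": "0.1.0"},
        # Listed in the inventory but not reachable from the BOM entity.
        {"bom-ref": "pkg:npm/unused@2.0.0", "purl": "pkg:npm/unused@2.0.0",
         "name": "unused", "version": "2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0",
         "dependsOn": ["pkg:npm/left-pad@1.3.0", "pkg:npm/mystery@0.1.0"]},
    ],
})

# Constructed policy: the license classifications an organization might keep.
POLICY = {"banned": {"WTFPL"}, "restricted": {"GPL-3.0-only", "AGPL-3.0-only"}}


def load_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def bom_entity(doc):
    """The root-level component: for CycloneDX that is metadata.component."""
    return doc["metadata"]["component"]


def transitive_dependencies(doc):
    """Breadth-first walk of the 'dependencies' graph from the BOM entity.
    Returns reachable bom-refs in discovery order; tolerant of cycles."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = bom_entity(doc)["bom-ref"]
    seen, order, queue = {root}, [], deque([root])
    while queue:
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


def component_licenses(component):
    """SPDX ids (or names) declared on a component. SPDX expressions such as
    'MIT OR Apache-2.0' would need a real expression parser; kept raw here."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [i for i in ids if i]


def classify(license_ids, policy):
    if not license_ids:
        return "missing"
    if any(lic in policy["banned"] for lic in license_ids):
        return "banned"
    if any(lic in policy["restricted"] for lic in license_ids):
        return "restricted"
    return "compliant"


def license_report(doc, policy):
    """purl -> {'status': ..., 'reachable': bool} for every inventory component."""
    reachable = set(transitive_dependencies(doc))
    return {c["purl"]: {"status": classify(component_licenses(c), policy),
                        "reachable": c["bom-ref"] in reachable}
            for c in doc.get("components", [])}


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("BOM entity:", bom_entity(sbom)["name"])
    for purl, row in license_report(sbom, POLICY).items():
        print(f"{purl:32} {row['status']:10} reachable={row['reachable']}")
```

    The report deliberately keeps components that are in the inventory but not reachable from the BOM entity (the "reachable" flag), because a license finding on an unreferenced component is a different remediation conversation from one on a dependency your application actually pulls in.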

    Software Bill of Materials benefits

    Three Software Bill of Materials applications enable you to view an accurate inventory of your software components and associated risks:
    • Data Model for SBOM
    • SBOM Core
    • SBOM Response

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Table 2. SBOM benefits

    Application: Data Model for SBOM
    Supported versions: v4.0, v3.0, v2.0
    Benefit: This application is required. It provides the tables used to store SBOM data, and includes the tables, ACLs, and roles that are required to read SBOM data.

    Application: SBOM Core
    Supported versions: v6.0, v5.0, v4.0
    Benefit: This application is required. It includes the API required to upload SBOM documents and the business logic required to parse and import the data from those documents into your instance. You can view an inventory of your software components in the SBOM Workspace, but you cannot view the data visualizations on the landing page.

    Upload, parse, and process your software bill of materials files in the CycloneDX and SPDX standards. Refer to the Supported versions entry for the supported file formats and versions. View bill of materials (BOM) entities and an inventory of your software components. A BOM entity is the root-level component in an SBOM file. For example, for a CycloneDX SBOM, the component listed in the metadata is considered the BOM entity.

    Starting with version 4.0, SBOM Core supports:
    • XML and JSON versions 1.0 through 1.6 of CycloneDX.
    • JSON versions 2.2 through 2.3 of SPDX.

    Application: SBOM Response
    Supported versions: v6.0, v5.0, v4.0
    Benefit:
    • SBOM Response is required if you want access to the features and data visualizations on the landing page in the SBOM Workspace.
    • SBOM Response requires the Vulnerability Response application.
    • View your component inventory and assess your risk exposure in the SBOM Workspace. Set up rules to create application vulnerable items (AVITs) automatically and remediate them with the Application Vulnerability Response workflow.
    • View component license information that is uploaded with your SBOM files in the License administration module. Classify and resolve (match) the components you upload in your Application Vulnerability Response files to licenses so you can see the state of your overall license compliance.
    • Starting with version 4.0 of Application Vulnerability Response, you can view components that are identified as stale or abandoned as ‘Non-compliant’ in the Policy as Code Engine (PaCE) interface that is available in the SBOM Workspace.
    • The OSV.dev and Deps.dev integrations are included when you install SBOM Response.

      • OSV.dev is an open-source API that provides vulnerability intelligence information for a given version of a package or library.
      • Deps.dev is an open-source API that provides a version list for a given package or library and identifies components that are in Stale and Abandoned states.

      See Configuring the Deps.dev, OSV.dev, and PaCE integrations for Software Bill of Materials for more information.

      See Integrating PaCE with other applications for more information about PaCE and PaCE policies.

    Application: SBOM Response
    Supported versions:
    • Data Model for SBOM: v1.4 and later.
    • SBOM Core: v3.0 and later.
    • SBOM Response: v4.0 and later.
    Benefit: Generate and upload Software Bill of Materials (SBOM) files for software throughout its continuous integration and continuous deployment development cycles.
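    The OSV.dev integration described in the table asks the OSV API about each component version and turns any hits into candidate application vulnerable items. The script below is an added example of that exchange written against the public OSV.dev batch query endpoint; it is not ServiceNow's integration code. The purl list and the OSV-shaped response are constructed (the vulnerability ids "EXAMPLE-0001" and "EXAMPLE-0002" are placeholders, not real advisories), and the network function is provided for completeness but is not exercised offline.

```python
"""Build an OSV.dev batch query for SBOM components and map the answer onto
candidate application vulnerable items (AVITs)."""
import json
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"


def build_querybatch(purls):
    """One query per component. OSV accepts a purl inside 'package'; when the
    purl already carries the version, no separate 'version' field is sent."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def post_querybatch(body, url=OSV_QUERYBATCH_URL, timeout=30):
    """Network call (not run offline). Returns the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def avit_candidates(purls, response):
    """results[i] answers queries[i]. A result with no 'vulns' (or an empty
    list) means OSV knows no vulnerability for that exact component version."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("OSV result count does not match query count")
    candidates = []
    for purl, result in zip(purls, results):
        vuln_ids = sorted(v["id"] for v in result.get("vulns", []))
        if vuln_ids:
            candidates.append({"purl": purl, "vulnerabilities": vuln_ids})
    return candidates


# Constructed inputs and a constructed OSV-shaped response (not real data).
SAMPLE_PURLS = ["pkg:npm/express@4.18.2", "pkg:npm/qs@6.11.0",
                "pkg:npm/left-pad@1.3.0"]
SAMPLE_RESPONSE = {"results": [
    {},                                                    # no known vulns
    {"vulns": [{"id": "EXAMPLE-0002", "modified": "2024-01-01T00:00:00Z"},
               {"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {"vulns": []},                                         # explicit empty list
]}


if __name__ == "__main__":
    print(json.dumps(build_querybatch(SAMPLE_PURLS), indent=2))
    # To query the live service: post_querybatch(build_querybatch(SAMPLE_PURLS))
    for candidate in avit_candidates(SAMPLE_PURLS, SAMPLE_RESPONSE):
        print(candidate)
```

    The length check in avit_candidates matters in practice: OSV answers are positional, so a truncated or mismatched result array would silently attach findings to the wrong component, which is exactly the kind of error that turns into a wrongly prioritized vulnerable item.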

    Vulnerability Response applications and CSDM tables

    The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.