
Managing the SBOM Registry

By The CVD Portal Team

A Software Bill of Materials (SBOM) is a foundational element of modern supply chain security and a core requirement for compliance under the Cyber Resilience Act (CRA). The CVD Portal features a comprehensive SBOM Registry, providing a centralized repository for tracking the third-party libraries, open-source components, and proprietary code that make up your software products.

The registry allows you to import standard SBOM formats (such as SPDX and CycloneDX) generated by your build pipelines. Once ingested, you can run an on-demand CVE scan from any submission detail page — the portal queries the National Vulnerability Database (NVD) for each registered component and surfaces matching vulnerabilities with CVSS scores. The Threat Intelligence page also automatically surfaces your top SBOM components in the live NVD feed, giving you a real-time view of newly published CVEs affecting your stack.

Maintaining an accurate and up-to-date SBOM Registry is essential for rapid incident response. When a major vulnerability (like Log4Shell) is disclosed, the registry allows you to instantly determine which of your products are affected and where the vulnerable component is located. This comprehensive visibility is crucial for demonstrating control over your software supply chain and fulfilling regulatory obligations regarding component transparency.
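The impact check described above, reduced to its core, as an added example that is not CVD Portal code: two constructed CycloneDX SBOMs are indexed by version-less package URL across products, and a constructed advisory is matched against the index to report which products carry a component version inside the vulnerable range. The product names, SBOM contents, advisory id and version range are all assumptions made for the example.

```python
import json

# Constructed CycloneDX 1.4-style SBOMs, one per product (not real builds).
SBOMS = {
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.0",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        ]}),
    "reporting-ui": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ]}),
}

# Constructed advisory: the id is a placeholder and the version range is
# illustrative, not the real Log4Shell record.
ADVISORY = {"id": "CVE-XXXX-PLACEHOLDER",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
            "introduced": "2.0", "fixed": "2.17.1"}

def parse_version(v):
    """Dotted numeric version to a comparable tuple: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def build_registry(sboms):
    """Index every component by version-less purl -> [(product, version), ...]."""
    registry = {}
    for product, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            purl = comp.get("purl")
            if not purl:  # a component without a purl cannot be matched by coordinates
                continue
            key = purl.rsplit("@", 1)[0]  # strip the version: pkg:maven/group/name
            registry.setdefault(key, []).append((product, comp["version"]))
    return registry

def affected_products(registry, advisory):
    """Products whose component version lies in [introduced, fixed) -> {product: version}."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    return {product: version
            for product, version in registry.get(advisory["purl"], [])
            if lo <= parse_version(version) < hi}

if __name__ == "__main__":
    print(ADVISORY["id"], affected_products(build_registry(SBOMS), ADVISORY))
```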
