Workflow

SBOM Pipeline

Parse, validate, store, and surface a Software Bill of Materials across the CRA product register, vulnerability workflow, and Annex VII export.

Owner: CRA Team · Last reviewed: 2026-04-14

  • Formats: CycloneDX 1.5+ (JSON/XML) · SPDX 2.3+ (JSON)
  • Max size: 10 MB per upload · multipart
  • Staleness: 90 days · warn, do not block · per-product override
  • Signed URL: 1 hour · requester's org scope only

Diagram: SBOM upload, validation, normalization, and downstream uses.

Supported Formats

  • CycloneDX 1.5+ — JSON or XML. Required fields: bomFormat: "CycloneDX", specVersion, components[].
  • SPDX 2.3+ — JSON. Required fields: spdxVersion: "SPDX-2.3", packages[].
  • Max file size 10 MB; compressed SBOMs (.json.gz) are accepted and inflated server-side up to the same limit.

End-to-End Flow

  1. Upload — POST /api/cra/products/[id]/sbom with multipart/form-data. RBAC: Control Owner on the product, or Compliance Officer / Admin / Owner.
  2. Sniff & parse — the first bytes distinguish JSON vs XML; the server parses strictly (no eval, no external entities).
  3. Detect & validate — schema selected from top-level fields, then validated against the format's JSON Schema / XSD.
  4. Normalize — components flattened into a uniform record: name, version, purl, cpe, licenses[], hashes[], supplier.
  5. Store file — raw artifact at sbom/{orgId}/{productId}/{timestamp}-(unknown).
  6. Store components — normalized rows in SBOMComponent with indexes on purl and cpe for fast CVE matching.
  7. Mark product — CRAProduct.sbomGenerated = true, sbomLastUpdated = now(); staleness badge recomputes.
  8. Serve — GET on the same endpoint returns a 1-hour signed URL scoped to the requester's org.

Vulnerability Matching

Every indexed component flows into the CVE matcher. When a new CVE arrives (via the scheduled feed pull) its listed CPEs are intersected with the SBOMComponent index; matches upsert into the vulnerability register with a product + component link and inherited severity.

Diagram: CVE ↔ SBOM component matcher.
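The sniff, detect, normalize and match steps from the flow above and the matcher section, as an added Python example that is not OneComply's code. It assumes JSON input only (the XML path and the JSON Schema / XSD validation are omitted), inflates .json.gz under a hard ceiling so the 10 MB check is enforced before memory is spent, and the two BOM documents and the CVE's CPE list are constructed samples.

```python
import gzip, json, zlib
MAX_BYTES = 10 * 1024 * 1024  # per-upload limit for raw and inflated size (error code too_large)

def parse_upload(raw: bytes) -> dict:
    """Inflate .json.gz under a hard ceiling (never inflate fully first), enforce the limit, parse strictly."""
    if raw[:2] == b"\x1f\x8b" and len(raw) <= MAX_BYTES:  # gzip magic; bounded inflate so a bomb cannot exhaust memory
        raw = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(raw, MAX_BYTES + 1)
    if len(raw) > MAX_BYTES:  # catches oversized raw uploads and oversized inflated ones alike
        raise ValueError("too_large")
    return json.loads(raw)  # strict JSON, no eval; the XML path (external entities disabled) is omitted here

def detect_format(doc: dict) -> str:
    """Schema selection from top-level fields ('Detect & validate'); full JSON Schema validation is omitted."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc and isinstance(doc.get("components"), list):
        return "cyclonedx"
    ver = str(doc.get("spdxVersion", ""))  # 2.3+ only; single-digit minor assumed for the string compare
    if ver.startswith("SPDX-2.") and ver >= "SPDX-2.3" and isinstance(doc.get("packages"), list):
        return "spdx"
    raise ValueError("unsupported_format")

def normalize(doc: dict) -> list[dict]:
    """Flatten either format into the uniform record: name, version, purl, cpe, licenses, hashes, supplier."""
    if detect_format(doc) == "cyclonedx":
        return [{"name": c["name"], "version": c.get("version"), "purl": c.get("purl"), "cpe": c.get("cpe"),
                 "licenses": [x for x in (l.get("expression") or l.get("license", {}).get("id")
                                          for l in c.get("licenses", [])) if x],
                 "hashes": [(h["alg"], h["content"]) for h in c.get("hashes", [])],
                 "supplier": (c.get("supplier") or {}).get("name")} for c in doc["components"]]
    rows = []
    for p in doc["packages"]:  # SPDX carries purl and cpe in externalRefs rather than as top-level fields
        refs = {r["referenceType"]: r["referenceLocator"] for r in p.get("externalRefs", [])}
        rows.append({"name": p["name"], "version": p.get("versionInfo"), "purl": refs.get("purl"),
                     "cpe": refs.get("cpe23Type"),
                     "licenses": [p["licenseConcluded"]] if p.get("licenseConcluded", "NOASSERTION") != "NOASSERTION" else [],
                     "hashes": [(h["algorithm"], h["checksumValue"]) for h in p.get("checksums", [])],
                     "supplier": (p.get("supplier") or "").split(": ", 1)[-1] or None})
    return rows

def match_cve(components: list[dict], cve_cpes: list[str]) -> list[dict]:
    index = {c["cpe"]: c for c in components if c["cpe"]}  # stands in for the SBOMComponent cpe index
    return [index[cpe] for cpe in cve_cpes if cpe in index]  # the CPE-intersection step of the matcher

# Constructed samples: a gzipped CycloneDX 1.5 BOM and a plain SPDX 2.3 document, one component each.
CDX_GZ = gzip.compress(json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [{
    "name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2", "supplier": {"name": "OpenSSL Project"},
    "cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*", "licenses": [{"license": {"id": "Apache-2.0"}}],
    "hashes": [{"alg": "SHA-256", "content": "00" * 32}]}]}).encode())
SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [{
    "name": "zlib", "versionInfo": "1.2.11", "licenseConcluded": "Zlib", "supplier": "Organization: zlib",
    "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}],
    "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:generic/zlib@1.2.11"},
                     {"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"}]}]}).encode()
```

Feeding `normalize(parse_upload(CDX_GZ)) + normalize(parse_upload(SPDX))` into `match_cve` with a CVE that lists the openssl CPE returns only the openssl record, which is the row the register would link to the product.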

Downstream Uses

  • Annex VII package — auto-populated with the current SBOM for the product.
  • Vulnerability register — CVE ↔ component matches create and enrich entries.
  • Customer / supplier disclosures — exportable as the stored raw artifact or as a redacted subset.
  • Compliance score — products without a fresh SBOM contribute a penalty to the CRA domain score.

Why 90 days

CRA and most industry guidance treat an SBOM older than a quarter as stale. OneComply surfaces a badge and a re-upload action but does not block — the threshold is configurable per product.

Access & Permissions

  • Upload / replace — Control Owner of the product, Compliance Officer, Admin, Owner.
  • View metadata — any role with read on the parent product.
  • Download raw artifact — same as view; URL is single-use, expires in 1 hour.
  • Delete — Admin / Owner only; the artifact is soft-deleted and the product flagged back to sbomGenerated = false.

Error Reference

  • 400 unsupported_format — neither CycloneDX nor SPDX detected.
  • 400 schema_invalid — parse OK but schema validation failed (details returned).
  • 413 too_large — raw or inflated size exceeds 10 MB.
  • 409 duplicate — same content hash already stored for this product.
  • 403 wrong_product — productId does not belong to the active org.