CVEium
Sign Up

Uploading SBOMs

Upload CycloneDX or SPDX SBOMs, understand parsing and validation, and trigger vulnerability scanning.

How to upload

  1. Navigate to a release page
  2. Open the SBOM tab
  3. Click Upload SBOM
  4. Select a CycloneDX or SPDX JSON file from your computer
  5. CVEium validates and processes the file

What happens during upload

When you upload an SBOM, CVEium CIS:

  1. Detects the format: Identifies whether the file is CycloneDX or SPDX based on the JSON structure
  2. Validates the file: Checks that the JSON is well-formed and follows the expected schema
  3. Extracts components: Parses out all software components with their names, versions, Package URLs (PURLs), types, licenses, and suppliers
  4. Computes a file hash: Generates a SHA-256 hash of the original file for integrity verification
  5. Triggers CVE scanning: Creates a match job that compares your components against the CVE database

Generating SBOMs

CVEium CIS does not generate SBOMs. You need to create them using an SBOM generation tool as part of your build process. Common tools include:

  • Syft (Anchore): Generates CycloneDX and SPDX from container images and filesystems
  • Trivy (Aqua Security): Security scanner that can output CycloneDX SBOMs
  • CycloneDX CLI: Official CycloneDX tooling for various ecosystems
  • SPDX Tools: Official SPDX generation tools

Replacing an SBOM

To update the SBOM for a release:

  1. Delete the existing SBOM using the Delete button
  2. Upload the new SBOM file

Deleting an SBOM removes all associated vulnerabilities and dispositions. If you have already triaged vulnerabilities, consider creating a new release version instead.

Upload restrictions

  • Only JSON files are accepted (not XML or other formats)
  • The release must not be locked
  • Your account must be within SBOM usage limits for your subscription plan
  • One SBOM per release