SBOM Generation & Vulnerability Tracking

Overview

Practice of emitting a Software Bill of Materials (CycloneDX, SPDX) as a first-class build artifact and continuously scanning the dependency graph for known CVEs. Increasingly mandated by US Executive Order 14028 procurement rules and the EU Cyber Resilience Act.

Benefits

• Compliance with EU CRA and US federal procurement rules
• Faster CVE response when a transitive dependency is disclosed
• Visibility into supply-chain risk that was previously invisible
• Enables coordinated disclosure with regulators and customers

Limitations & Risks

• Embedded SBOM tooling for C/C++ build graphs is still maturing
• Vendor-supplied binary blobs and pre-built RTOS components are hard to ingest accurately
• Scanning produces noise that needs triage discipline

Recommended Actions

Pilot a CycloneDX-emitting build (CMake and west have plugins), wire output into a vulnerability tracker like Dependency-Track or OSV-Scanner, and treat unresolved high-severity findings as a release gate before regulatory deadlines force the issue.

Additional Notes

EU CRA enforcement begins December 2027 but design-phase impact is now. Pairs directly with Coding-Standard Enforcement and DevSecOps.

References & Links

• https://www.cisa.gov/sbom
• https://cyclonedx.org/
• https://dependencytrack.org/