# sbom-management.com

> Comprehensive guide to SBOM (Software Bill of Materials) management under the EU Cyber Resilience Act (Regulation 2024/2847). Covers mandatory content requirements, CycloneDX vs SPDX format selection, CI/CD pipeline integration, VEX vulnerability handling, and the 24-hour incident reporting workflow. Written for manufacturers of products with digital elements, DevSecOps teams, and product security engineers.

## Pages

- [SBOM Management Guide](https://sbom-management.com/): Main guide covering SBOM requirements under the EU CRA, format comparison, CI/CD integration, and tool landscape
- [SBOM Management Guide (German)](https://sbom-management.de/): German version of the SBOM management guide

## Additional Pages

- [CRA SBOM Compliance Checklist](https://sbom-management.com/checklist.html): 5-phase step-by-step checklist for SBOM compliance under the EU Cyber Resilience Act — from product inventory to CE conformity assessment
- [SBOM Tools Comparison 2026](https://sbom-management.com/tools.html): Feature comparison of 12 open-source and commercial SBOM tools (Syft, Trivy, Dependency-Track, Snyk, Sonatype and more), decision matrix by company size, regulatory coverage analysis
- [SBOM Glossary](https://sbom-management.com/glossary.html): 28+ definitions covering SBOM, CRA, VEX, purl, CycloneDX, SPDX, and supply chain security terminology

## Sections

- [What belongs in an SBOM](https://sbom-management.com/#sbom-content): NTIA minimum elements, top-level vs transitive dependencies, purl/CPE identifiers
- [CycloneDX vs SPDX](https://sbom-management.com/#cyclonedx-vs-spdx): Format comparison, VEX integration, license metadata, ecosystem fit
- [SBOM in CI/CD](https://sbom-management.com/#sbom-cicd): Automated generation, signing with cosign, retention obligations, OCI artefacts
- [Tool landscape](https://sbom-management.com/#sbom-tools): Syft, cdxgen, Trivy, Snyk, Sonatype, JFrog, FOSSA, Anchore, Dependency-Track
- [FAQ](https://sbom-management.com/#faq): Common questions about SBOM requirements, formats, and tooling

## Key facts

- EU Cyber Resilience Act: Regulation (EU) 2024/2847, Annex I Part II point 1
- Full CRA application date: 11 December 2027
- CRA vulnerability reporting starts: 11 September 2026
- Accepted SBOM formats: CycloneDX (OWASP), SPDX (Linux Foundation, ISO/IEC 5962:2021)
- Minimum required: top-level dependencies in machine-readable format
- Best practice: full transitive dependency graph with SHA-256 hashes
- US baseline: Executive Order 14028 (12 May 2021)
- M