Importing an SBOM

Bring your software bill of materials into TraceUnified from CycloneDX or SPDX.

Your software bill of materials (SBOM) is the inventory of the components your software is built from. TraceUnified imports it from the standard formats, so the supply chain becomes part of the same connected record as everything else.

Standard formats

You import an SBOM in CycloneDX or SPDX — the two widely adopted SBOM standards — so whatever your build tooling produces can be brought in without reshaping it by hand. Importing reads the document and turns each entry into a component record in the project.

Components keyed by package URL

Components are identified by their package URL (purl) — the standard, ecosystem-aware identifier for a package and version. Keying on purl means a component is matched precisely (the right package, in the right ecosystem, at the right version), which is what makes accurate vulnerability and license analysis possible downstream.

Part of the project

Once imported, the SBOM isn’t a file attached to the project — its components are real records that live in the SBOM module and participate in the thread, ready to be linked to the risks they pose and the tests that cover them. The import brings your dependencies into the governed system rather than leaving them in a build artifact.

Keeping it current

Software changes, and so does its bill of materials. Re-importing an updated SBOM keeps the component inventory in step with your builds, so the analysis reflects what you actually ship. What the imported components look like is covered next in Components, and how they’re checked for known issues in Vulnerabilities.
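As an added illustration of the import model described above (not TraceUnified's own code), the following reads a CycloneDX or SPDX JSON document, keeps only entries that carry a purl, keys the component inventory by that purl, and diffs a re-import against the previous one. The sample documents are constructed; field names follow the public CycloneDX and SPDX JSON schemas. Because the purl embeds the version, a version bump shows up as one purl removed and another added rather than as a changed record.

```python
"""Key SBOM components by purl (CycloneDX or SPDX JSON) and diff a re-import."""
import json


def load_components(sbom_json: str) -> dict:
    """Return {purl: {"name", "version"}} from a CycloneDX or SPDX JSON document.
    Entries without a purl are skipped: without it the component cannot be matched
    to a precise package, ecosystem and version downstream."""
    doc = json.loads(sbom_json)
    comps = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            if c.get("purl"):
                comps[c["purl"]] = {"name": c.get("name"), "version": c.get("version")}
    elif "spdxVersion" in doc:
        # SPDX carries the purl as an external reference on each package.
        for p in doc.get("packages", []):
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    comps[ref["referenceLocator"]] = {"name": p.get("name"),
                                                      "version": p.get("versionInfo")}
    else:
        raise ValueError("unrecognised SBOM format")
    return comps


def diff_imports(previous: dict, current: dict) -> dict:
    """Compare two purl-keyed inventories: what a re-import adds, removes, or keeps."""
    prev, cur = set(previous), set(current)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur),
            "kept": sorted(prev & cur)}


# Constructed sample documents, not taken from any real build.
CYCLONEDX_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "unknown-lib", "version": "1.0.0"}]})  # no purl: skipped
CYCLONEDX_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"}]})
SPDX_DOC = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "requests", "versionInfo": "2.31.0", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:pypi/requests@2.31.0"}]}]})

if __name__ == "__main__":
    print(diff_imports(load_components(CYCLONEDX_V1), load_components(CYCLONEDX_V2)))
    print(load_components(SPDX_DOC))
```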