Existing SBOM
Upload and analyze existing SBOMs from other tools
Existing SBOM Integration
Upload existing Software Bills of Materials created by other tools for enrichment, vulnerability analysis, and continuous monitoring.
Overview
Import SBOMs to:
- Analyze SBOMs from vendors
- Enrich with additional vulnerability data
- Monitor for new vulnerabilities over time
- Validate SBOM quality and completeness
- Convert between SBOM formats
Supported Formats
CycloneDX
| Version | JSON | XML | Status |
|---|---|---|---|
| 1.6 | ✅ | ✅ | Full Support |
| 1.5 | ✅ | ✅ | Full Support |
| 1.4 | ✅ | ✅ | Full Support |
| 1.3 | ✅ | ✅ | Full Support |
SPDX
| Version | JSON | Tag-Value | RDF | Status |
|---|---|---|---|---|
| 2.3 | ✅ | ✅ | ✅ | Full Support |
| 2.2 | ✅ | ✅ | ✅ | Full Support |
Other Formats
| Format | Status |
|---|---|
| Syft JSON | ✅ Converted to CycloneDX |
| Trivy JSON | ✅ Converted to CycloneDX |
| Grype JSON | ✅ Vulnerability data imported |
Upload Process
Step 1: Navigate to Integrations
- Go to the Integrations page
- Click Connect on the Upload SBOM card
Step 2: Enter Project Details
| Field | Description |
|---|---|
| Project Name | Name for this SBOM |
| Version | Version identifier |
| Description | Optional description |
| Format | Select SPDX or CycloneDX (auto-detected if not specified) |
Step 3: Upload SBOM File
- Drag and drop your SBOM file, or click Browse
- Supported formats: .json, .xml, .spdx, .rdf
- Maximum file size: 100MB
Step 4: Review and Submit
- Review detected format and component count
- Click Upload SBOM
- Safeguard.sh processes and enriches the SBOM
What Happens After Upload
1. Validation
Safeguard.sh validates the SBOM for:
- Format compliance (valid JSON/XML)
- Schema validation (CycloneDX/SPDX spec)
- Required fields present
- Component data quality
2. Enrichment
The SBOM is enriched with:
- Vulnerability data - CVE matching for all components
- EPSS scores - Exploit probability predictions
- KEV status - CISA Known Exploited Vulnerabilities
- License information - License identification and compliance
- Supplier data - Package maintainer information
3. Analysis
Griffin AI analyzes:
- Attestation scoring - Component integrity assessment
- Risk scoring - Overall risk calculation
- Reachability - Vulnerability exploitability analysis
- Dependency health - Maintenance and community metrics
CLI Upload
Upload SBOMs using the CLI:
```bash
# Upload a CycloneDX SBOM
safeguard sbom upload --file sbom.json --name "My App" --version "1.0.0"

# Upload an SPDX SBOM
safeguard sbom upload --file sbom.spdx --name "My App" --version "1.0.0" --format spdx

# Upload with auto-detection
safeguard sbom upload --file sbom.json --name "My App" --version "1.0.0" --format auto
```
API Upload
Upload via REST API:
```bash
curl -X POST https://api.safeguard.sh/v1/sbom/upload \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Application",
    "version": "1.0.0",
    "format": "cyclonedx",
    "content": "<base64-encoded-sbom>"
  }'
```
Or upload as multipart:
```bash
curl -X POST https://api.safeguard.sh/v1/sbom/upload \
  -H "Authorization: Bearer $API_KEY" \
  -F "name=My Application" \
  -F "version=1.0.0" \
  -F "file=@sbom.json"
```
Format Conversion
Convert between SBOM formats:
In the UI
- Open a project
- Click Export
- Select desired format
- Download converted SBOM
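Whichever path you use, a conversion is a field mapping between the two specifications. The script below is an added example, written for this page and not the converter behind Safeguard.sh's export or `safeguard sbom convert`: it maps CycloneDX components to SPDX 2.3 packages, package URLs to `externalRefs`, CycloneDX license entries to `licenseConcluded`, and the `dependencies` graph to `DEPENDS_ON` relationships. The document namespace, tool name and sample SBOM are constructed placeholders.

```python
"""Convert a CycloneDX JSON SBOM into a minimal SPDX 2.3 JSON document.

Constructed example for illustration: a plain field mapping, not the
converter used by Safeguard.sh.
"""
import json
import re
from datetime import datetime, timezone


def spdx_id(name, version):
    """SPDX identifiers may contain only letters, digits, '.' and '-'."""
    raw = f"SPDXRef-Package-{name}-{version or 'noversion'}"
    return re.sub(r"[^A-Za-z0-9.-]", "-", raw)


def license_expression(comp):
    """Join CycloneDX license entries into one SPDX expression, else NOASSERTION."""
    parts = []
    for entry in comp.get("licenses", []):
        if entry.get("expression"):
            parts.append(entry["expression"])
        elif entry.get("license", {}).get("id"):
            parts.append(entry["license"]["id"])
    return " AND ".join(parts) if parts else "NOASSERTION"


def cyclonedx_to_spdx(bom, doc_name="converted-sbom",
                      namespace="https://example.invalid/spdx/converted-sbom"):
    """Map components -> packages, purls -> externalRefs, dependencies -> DEPENDS_ON."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("input is not a CycloneDX document")

    packages, relationships, ref_to_id = [], [], {}
    for comp in bom.get("components", []):
        pkg_id = spdx_id(comp["name"], comp.get("version"))
        # CycloneDX dependencies point at bom-refs; remember which SPDX id each maps to
        ref_to_id[comp.get("bom-ref", pkg_id)] = pkg_id
        pkg = {
            "SPDXID": pkg_id,
            "name": comp["name"],
            "versionInfo": comp.get("version") or "NOASSERTION",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": license_expression(comp),
            "licenseDeclared": "NOASSERTION",
            "copyrightText": "NOASSERTION",
        }
        if comp.get("purl"):
            pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl",
                                    "referenceLocator": comp["purl"]}]
        packages.append(pkg)
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES",
                              "relatedSpdxElement": pkg_id})

    for dep in bom.get("dependencies", []):
        src = ref_to_id.get(dep.get("ref"))
        for target in dep.get("dependsOn", []):
            dst = ref_to_id.get(target)
            if src and dst:  # skip refs that point at nothing we converted
                relationships.append({"spdxElementId": src,
                                      "relationshipType": "DEPENDS_ON",
                                      "relatedSpdxElement": dst})

    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": namespace,
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: cyclonedx-to-spdx-example"],
        },
        "packages": packages,
        "relationships": relationships,
    }


# Constructed sample input (not a real project's SBOM).
SAMPLE_CDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "app", "type": "application", "name": "my-app", "version": "1.0.0"},
        {"bom-ref": "lodash", "type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    # "missing-ref" is deliberately dangling to show it is dropped, not copied
    "dependencies": [{"ref": "app", "dependsOn": ["lodash", "missing-ref"]}],
}

if __name__ == "__main__":
    print(json.dumps(cyclonedx_to_spdx(SAMPLE_CDX), indent=2))
```

The direction shown here loses nothing that SPDX can express, but the reverse is not symmetric: SPDX documents can carry file-level and snippet-level data that CycloneDX components have no slot for, which is one reason the quality metrics below are worth checking after a round trip.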
Via CLI
```bash
# Convert CycloneDX to SPDX
safeguard sbom convert --input sbom-cyclonedx.json --output sbom.spdx --format spdx-json

# Convert SPDX to CycloneDX
safeguard sbom convert --input sbom.spdx --output sbom-cdx.json --format cyclonedx-json
```
SBOM Quality Assessment
After upload, view SBOM quality metrics:
| Metric | Description |
|---|---|
| Completeness Score | Percentage of required fields populated |
| Component Coverage | How many components have full data |
| PURL Accuracy | Package URL correctness |
| Version Specificity | Version information quality |
| License Coverage | Components with license data |
Vendor SBOM Import
When importing SBOMs from software vendors:
Best Practices
- Verify authenticity - Ensure SBOM came from the vendor
- Check signatures - Verify digital signatures if present
- Document source - Record where the SBOM originated
- Version mapping - Map SBOM to your software inventory
Automated Import
Set up automated SBOM import from vendors:
- Configure vendor in Portal → Vendor Management
- Enable automatic SBOM collection
- SBOMs are imported as vendors provide them
Continuous Monitoring
Uploaded SBOMs are continuously monitored:
- Daily scans - Check for new vulnerabilities
- KEV updates - Alert on newly exploited CVEs
- Dependency updates - Track when newer versions are available
- License changes - Monitor for license modifications
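The monitoring above is a comparison between what was known at upload time and what is known on each later scan. The script below is an added example of that comparison, not Safeguard.sh's monitoring code: it diffs two CycloneDX snapshots of the same project to report added, removed, re-versioned and re-licensed components, and checks the SBOM's recorded vulnerabilities against a set of KEV ids. The CVE ids and the KEV set are constructed placeholders, not real entries.

```python
"""Diff two CycloneDX SBOM snapshots and flag KEV-listed vulnerabilities.

Constructed example: an independent illustration of what daily rescans
would surface, not Safeguard.sh's monitoring implementation.
"""


def _license_ids(comp):
    """Sorted license identifiers (or names/expressions) of a component."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression", ""))
    return sorted(ids)


def _index(bom):
    """Key each component by its version-less PURL (falling back to name)."""
    out = {}
    for comp in bom.get("components", []):
        key = comp.get("purl", "").split("@")[0] or comp.get("name")
        out[key] = {"name": comp.get("name"), "version": comp.get("version"),
                    "licenses": _license_ids(comp)}
    return out


def diff_sboms(old, new):
    """Return what changed between two snapshots of the same project."""
    a, b = _index(old), _index(new)
    result = {"added": sorted(set(b) - set(a)),
              "removed": sorted(set(a) - set(b)),
              "version_changed": [], "license_changed": []}
    for key in sorted(set(a) & set(b)):
        if a[key]["version"] != b[key]["version"]:
            result["version_changed"].append((key, a[key]["version"], b[key]["version"]))
        if a[key]["licenses"] != b[key]["licenses"]:
            result["license_changed"].append((key, a[key]["licenses"], b[key]["licenses"]))
    return result


def kev_alerts(bom, kev_ids):
    """Vulnerabilities recorded in the SBOM whose id is in the KEV set."""
    hits = []
    for vuln in bom.get("vulnerabilities", []):
        if vuln.get("id") in kev_ids:
            refs = sorted(a.get("ref", "") for a in vuln.get("affects", []))
            hits.append((vuln["id"], refs))
    return hits


# Constructed snapshots of one project: the second one has a bumped lodash,
# a relicensed left-pad, colors dropped and minimist added.
MIT = [{"license": {"id": "MIT"}}]
OLD_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20", "licenses": MIT},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0", "licenses": MIT},
        {"name": "colors", "version": "1.4.0", "purl": "pkg:npm/colors@1.4.0", "licenses": MIT},
    ],
}
NEW_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21", "licenses": MIT},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"name": "minimist", "version": "1.2.6", "purl": "pkg:npm/minimist@1.2.6", "licenses": MIT},
    ],
    # CycloneDX vulnerability entries; the ids are placeholders, not real CVEs
    "vulnerabilities": [
        {"id": "CVE-0000-EXAMPLE-1", "affects": [{"ref": "pkg:npm/lodash@4.17.21"}]},
        {"id": "CVE-0000-EXAMPLE-2", "affects": [{"ref": "pkg:npm/minimist@1.2.6"}]},
    ],
}
KEV_FEED = {"CVE-0000-EXAMPLE-2"}  # constructed stand-in for the CISA KEV catalogue

if __name__ == "__main__":
    for kind, entries in diff_sboms(OLD_BOM, NEW_BOM).items():
        print(kind, entries)
    print("KEV alerts:", kev_alerts(NEW_BOM, KEV_FEED))
```

Keying on the version-less PURL rather than the component name is what lets a version bump show up as a change to one component instead of one removal plus one addition; components without a PURL fall back to the name, which is also why PURL accuracy matters for monitoring.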
Troubleshooting
"Invalid SBOM format"
- Verify file is valid JSON or XML
- Check SBOM matches claimed format (CycloneDX vs SPDX)
- Validate against official schema
"No components found"
- SBOM may be empty
- Components may be in unexpected location
- Check SBOM structure matches specification
"Unknown package references"
- Package URLs (PURLs) may be malformed
- Custom packages may not be in public databases
- Safeguard.sh still tracks but cannot enrich unknown packages
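The validation step described earlier and the first two troubleshooting messages above come down to a handful of structural checks. The script below is an added example of those checks for JSON SBOMs, written independently for this page and not Safeguard.sh's validator: it detects CycloneDX versus SPDX from the document's own markers, compares that with the format the uploader claimed, confirms a few required top-level fields (an assumed minimum, not the full schemas), and reports the "Invalid SBOM format" and "No components found" conditions. The sample documents are constructed.

```python
"""Format detection and structural checks for an uploaded JSON SBOM.

Constructed example: the kinds of checks the validation step performs,
written independently; not Safeguard.sh's validation code.
"""
import json

# Minimal required top-level fields (assumed, from the CycloneDX and SPDX JSON schemas).
CYCLONEDX_REQUIRED = ("bomFormat", "specVersion")
SPDX_REQUIRED = ("spdxVersion", "SPDXID", "name", "creationInfo")


def detect_format(doc):
    """Return 'cyclonedx', 'spdx' or None from the document's own markers."""
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return None


def components_of(doc, fmt):
    """CycloneDX lists components under 'components', SPDX under 'packages'."""
    comps = doc.get("components" if fmt == "cyclonedx" else "packages", [])
    return comps if isinstance(comps, list) else []


def validate_sbom(text, claimed_format=None):
    """Parse `text` and return (detected_format, component_count, problems)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, 0, [f"Invalid SBOM format: not valid JSON ({exc.msg})"]

    fmt = detect_format(doc)
    if fmt is None:
        return None, 0, ["Invalid SBOM format: no CycloneDX bomFormat or SPDX spdxVersion marker"]

    problems = []
    if claimed_format and claimed_format != fmt:
        problems.append(f"SBOM is {fmt} but was uploaded as {claimed_format}")

    for field in CYCLONEDX_REQUIRED if fmt == "cyclonedx" else SPDX_REQUIRED:
        if field not in doc:
            problems.append(f"Missing required field: {field}")

    comps = components_of(doc, fmt)
    if not comps:
        problems.append("No components found")
    version_key = "version" if fmt == "cyclonedx" else "versionInfo"
    for i, comp in enumerate(comps):
        # Component data quality: every entry needs at least a name and a version
        if not isinstance(comp, dict) or not comp.get("name"):
            problems.append(f"Component {i} has no name")
        elif not comp.get(version_key):
            problems.append(f"Component {comp['name']} has no {version_key}")
    return fmt, len(comps), problems


# Constructed sample documents (not real vendor SBOMs).
CDX_OK = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})
CDX_EMPTY = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SPDX_NO_VERSION = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "vendor-app",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [{"name": "openssl", "SPDXID": "SPDXRef-Package-openssl"}],
})
NOT_AN_SBOM = json.dumps({"hello": "world"})

if __name__ == "__main__":
    samples = [("cyclonedx", CDX_OK), ("empty", CDX_EMPTY),
               ("spdx", SPDX_NO_VERSION), ("junk", NOT_AN_SBOM), ("broken", "{not json")]
    for label, text in samples:
        print(label, validate_sbom(text))
```

Running this before upload separates the two failure classes the troubleshooting list distinguishes: a document that is not an SBOM at all (wrong or missing format markers, or not JSON) versus one that is structurally valid but carries nothing useful to enrich.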
Best Practices
SBOM Collection
- Request SBOMs in standard formats (CycloneDX or SPDX)
- Prefer JSON over XML for easier processing
- Require minimum component information (name, version, PURL)
Organization
- Use consistent naming conventions
- Map SBOMs to your asset inventory
- Maintain version history
Compliance
- Store SBOMs for audit requirements
- Track SBOM sources and dates
- Document vendor SBOM commitments