SBOM Maintenance: Keeping Your Software Component List Current
The Cyber Resilience Act (CRA) introduces the concept of a Software Bill of Materials (SBOM) as a key part of your vulnerability handling process. Annex I, Part II, point (1), requires manufacturers to "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials".
But an SBOM isn't a one-time snapshot for your app, game, or software library. It needs to be a living document.
Why Maintain Your SBOM?
Your software evolves. You add features, fix bugs, and, crucially, update or change the third-party libraries and components your product relies on (like game engine updates, new SDK versions for your app, or different open-source libraries).
- Accurate Vulnerability Tracking: An outdated SBOM means you might miss notifications about new vulnerabilities in components you think you're no longer using, or fail to track vulnerabilities in newly added ones.
- Effective Impact Analysis: When a new vulnerability is announced in a common library, an accurate SBOM allows you to quickly determine if your software is affected.
- Compliance: Keeping your documentation current, including the SBOM that forms part of it (as per Recital 77), is an ongoing obligation tied to properly managing vulnerabilities.
When to Update Your SBOM
Consider regenerating or updating your SBOM:
- During Development: Each time you add, remove, or update a significant dependency in your app or game.
- Before a New Release: Ensure the SBOM reflects the exact state of the software version being shipped.
- As Part of Your Build Process: Integrating SBOM generation into your automated build pipeline is the most effective way to keep it current. Many tools can help automate this.
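As an added example (not from the article or any SBOM tool), a drift check for the build-pipeline step above: it compares the SBOM committed with the last release against one regenerated from the current build and reports added, removed or re-versioned components, which are exactly the events that should trigger an SBOM update. It assumes CycloneDX-style JSON and uses constructed component names.

```python
import json

# Example code added for this article, not from the CRA or any SBOM tool.
# Assumes CycloneDX-style JSON whose "components" entries carry "name" and
# "version". Both SBOMs are constructed sample data, not real dependencies.

# Constructed: the SBOM committed alongside the previous release.
COMMITTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "physics-engine", "version": "2.3.0"},
        {"type": "library", "name": "analytics-sdk", "version": "1.0.4"},
        {"type": "library", "name": "json-parser", "version": "5.1.0"},
    ],
})

# Constructed: the SBOM regenerated from the current build's dependency lockfile.
GENERATED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "physics-engine", "version": "2.4.1"},
        {"type": "library", "name": "json-parser", "version": "5.1.0"},
        {"type": "library", "name": "crash-reporter", "version": "0.9.0"},
    ],
})

def components(sbom_json):
    """Map component name -> version from a CycloneDX JSON document."""
    return {c["name"]: c["version"]
            for c in json.loads(sbom_json).get("components", [])}

def sbom_drift(committed_json, generated_json):
    """Return added/removed/re-versioned components; each kind is an event
    that should trigger an SBOM update."""
    old, new = components(committed_json), components(generated_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def sbom_is_current(committed_json, generated_json):
    """True only when the committed SBOM matches what was actually built."""
    return not any(sbom_drift(committed_json, generated_json).values())

if __name__ == "__main__":  # exit non-zero so a CI job fails on a stale SBOM
    for kind, names in sbom_drift(COMMITTED_SBOM, GENERATED_SBOM).items():
        print(f"{kind}: {', '.join(names) or '-'}")
    raise SystemExit(0 if sbom_is_current(COMMITTED_SBOM, GENERATED_SBOM) else 1)
```

Run as a pipeline step after SBOM generation; a non-zero exit blocks the release until the committed SBOM is regenerated.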
The Commission may also specify the format and elements of the SBOM via implementing acts (Article 13, Paragraph 24).
Key Takeaway
Your Software Bill of Materials is a critical tool for ongoing vulnerability management under the CRA. It must be actively maintained and updated as your software's dependencies change to remain accurate and useful.