SBOM Generation & Lifecycle Management
The CRA makes SBOMs mandatory for every product with digital elements. But generating an SBOM is just the beginning – you need to manage, monitor, and update it throughout the entire product lifecycle.
The CRA’s SBOM Requirement
Article 14 requires manufacturers to “identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials.” No SBOM, no CE mark.
CycloneDX & SPDX Support
Import and export in both major SBOM formats. CycloneDX (OWASP) for security-focused workflows, SPDX (ISO/IEC 5962:2021) for license compliance.
BSI TR-03183-2 Alignment
CRA-compliant SBOMs must include supplier name, component name and version, unique identifiers (CPE, PURL), dependency relationships, license information, and hash values.
Minimum Top-Level Requirement
The CRA requires at minimum a top-level SBOM. Kunnus supports full transitive dependency resolution for comprehensive component visibility.
The SBOM Lifecycle in Kunnus
An SBOM is not a one-time document. Kunnus manages all four lifecycle phases.
Phase 1: Generation & Import
Import from CI/CD pipelines (Syft, Trivy, cdxgen), manual upload, or PLM integration. CycloneDX and SPDX in JSON, XML, and RDF formats.
Phase 2: Enrichment & Correlation
Automatic vulnerability mapping via NVD, OSV, and vendor advisories. License analysis, transitive dependency resolution, and CRA-relevant component classification.
Phase 3: Continuous Monitoring
Daily CVE scans, alert generation for new vulnerabilities, SLA tracking for remediation, and cross-product impact assessment. Required for the CRA’s minimum 5-year support period.
Phase 4: Update & Version Management
Version-specific SBOM snapshots, diff analysis across releases, supplier SBOM integration, and complete audit trail of all changes.
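Two of the phases above are easy to reason about in code: the field check that BSI TR-03183-2 alignment implies (supplier, name, version, PURL/CPE, licenses, hashes, dependency relationships) and the release-to-release diff. The following is an added example, written for this page and not code from Kunnus or any other project. It uses the real CycloneDX 1.5 JSON field names (`components`, `supplier.name`, `purl`, `cpe`, `licenses`, `hashes`, `dependencies`), but the two SBOM documents are constructed sample data for a hypothetical product, and the rule that every component must have its own entry in `dependencies` (leaf components with an empty `dependsOn`) is this example's own interpretation of "dependency relationships".

```python
"""Checks on CycloneDX JSON SBOMs: minimum-field validation in the spirit of
BSI TR-03183-2, and a diff between two release snapshots.
Added example for this page; not Kunnus code. All SBOM data is constructed."""
import copy
import json

# Constructed CycloneDX 1.5 document for release 1.0.0 of a hypothetical product.
# The hash value is a placeholder, not a real digest.
SBOM_V1 = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "example-gateway", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "libfoo", "version": "2.3.1",
     "supplier": {"name": "Foo Project"}, "purl": "pkg:generic/libfoo@2.3.1",
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "PLACEHOLDER-DIGEST"}]},
    {"type": "library", "bom-ref": "lib-b", "name": "libbar", "version": "0.9.0",
     "supplier": {"name": "Bar GmbH"}, "purl": "pkg:generic/libbar@0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": []}
  ]
}
""")

# Release 1.1.0 derived from 1.0.0: libfoo bumped, libbar dropped, libbaz added.
SBOM_V2 = copy.deepcopy(SBOM_V1)
SBOM_V2["metadata"]["component"]["version"] = "1.1.0"
SBOM_V2["components"][0]["version"] = "2.3.2"
SBOM_V2["components"][0]["purl"] = "pkg:generic/libfoo@2.3.2"
SBOM_V2["components"].pop(1)
SBOM_V2["components"].append({
    "type": "library", "bom-ref": "lib-c", "name": "libbaz", "version": "1.0.0",
    "supplier": {"name": "Baz Ltd"}, "cpe": "cpe:2.3:a:baz:libbaz:1.0.0:*:*:*:*:*:*:*",
    "licenses": [{"license": {"id": "Apache-2.0"}}],
    "hashes": [{"alg": "SHA-256", "content": "PLACEHOLDER-DIGEST"}]})
SBOM_V2["dependencies"] = [
    {"ref": "app", "dependsOn": ["lib-a", "lib-c"]},
    {"ref": "lib-a", "dependsOn": []},
    {"ref": "lib-c", "dependsOn": []}]


def missing_bsi_fields(bom):
    """Return {bom-ref: [missing fields]} for each component lacking one of the
    fields the page lists for a CRA-compliant SBOM. An empty dict means the
    SBOM passes the check."""
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    result = {}
    for comp in bom.get("components", []):
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not comp.get("name"):
            missing.append("name")
        if not comp.get("version"):
            missing.append("version")
        if not (comp.get("purl") or comp.get("cpe")):   # either identifier suffices
            missing.append("identifier")
        if not comp.get("licenses"):
            missing.append("license")
        if not comp.get("hashes"):
            missing.append("hash")
        if comp.get("bom-ref") not in declared:         # this example's own rule
            missing.append("dependencies")
        if missing:
            result[comp.get("bom-ref") or comp.get("name")] = missing
    return result


def diff_sboms(old, new):
    """Compare two SBOM snapshots by component name. Returns added and removed
    names plus {name: (old_version, new_version)} for version changes."""
    def index(bom):
        return {c["name"]: c.get("version") for c in bom.get("components", [])}
    before, after = index(old), index(new)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": {n: (before[n], after[n])
                    for n in sorted(set(before) & set(after)) if before[n] != after[n]},
    }


if __name__ == "__main__":
    print("gaps in 1.0.0:", missing_bsi_fields(SBOM_V1))
    print("gaps in 1.1.0:", missing_bsi_fields(SBOM_V2))
    print("1.0.0 -> 1.1.0:", diff_sboms(SBOM_V1, SBOM_V2))
```

Run against the constructed data, the 1.0.0 snapshot reports `libbar` as missing a license, a hash, and its own dependency entry, the 1.1.0 snapshot is clean, and the diff lists the libfoo bump, the removed libbar and the added libbaz. Keying the diff on component name keeps it simple; a production comparison would key on PURL or CPE so that a renamed package is not mistaken for a removal plus an addition.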
Why SBOM Management Breaks Without Automation
Scale: 10 products × 500 components each
5,000 components to track individually with manual tools vs. a centralized dashboard with cross-product search.
Speed: New CVEs published daily
Manual NVD checks per component, per product vs. automated correlation with instant alerts.
Compliance: 5-year monitoring obligation
Manually keeping track of discontinued products vs. lifecycle management with automated monitoring until end-of-support.
Your SBOMs Deserve More Than a Spreadsheet
CRA-compliant SBOM management is a continuous process. Kunnus automates the full lifecycle – from import to monitoring to audit export.