SBOM Manager Release Notes
SBOM Manager Cloud and SaaS deployments are automatically updated to the latest release on a regular maintenance cadence. Self-hosted deployments should reference the IQ Server deployment instructions and system requirements.
SBOM Manager requires using the PostgreSQL database for self-hosted deployments.
Release 186 (January 2025)
Here's what's new for Sonatype SBOM Manager in IQ Server release 186:
SBOM Manager Container Scans
Leveraging Sonatype Container Security, SBOM Manager now provides detailed SBOMs for OS-level components within your container images. This enhanced visibility empowers you to better understand and manage your software supply chain risks, leading to more informed decisions and improved security posture.
See the Importing SBOMs help documentation for more details on support for container analysis.
See Policy Violation Data in User Interface
You can now view policy violation data directly within SBOM Manager. This includes a summary of violations in the BOM header, a dedicated violations column for components, and detailed violation information (e.g., severity levels, threat, policy, constraint, and condition information) in the component details page.
Skip Validation Support for CDX and SPDX
You can bypass strict validation checks when importing CDX and SPDX files, providing more flexibility when working with potentially invalid SBOMs. During import, SBOM Manager will extract critical information (e.g., package names and versions) from invalid CDX and SPDX file imports. In addition to capturing essential data, the system preserves the original, unvalidated SBOM for future reference. This ensures that users have access to the complete SBOM if needed.
See SBOM Import for more details.
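As an added example of the skip-validation behaviour described above (example code written for this page, not Sonatype's implementation): a strict check is applied to a CycloneDX JSON document, and when validation is bypassed the importer still extracts component names and versions and keeps the original bytes. The strict check here is a minimal one (required top-level fields and known component types) standing in for a full JSON-schema validation, and the invalid document is constructed for the demonstration.

```python
"""Lenient import of a CycloneDX JSON SBOM that fails strict validation.

Added example, not Sonatype's code. The validation is a minimal stand-in for
schema validation; the sample document below is constructed.
"""
import json

# Constructed: no "bomFormat"/"specVersion" and a non-standard component type,
# so a schema validator would reject this file outright.
INVALID_CDX = b'''{
  "components": [
    {"type": "lib", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "unversioned-thing"}
  ],
  "metadata": {"component": {"name": "my-service", "version": "3.1.0"}}
}'''

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion")
# Component types defined by CycloneDX 1.6.
COMPONENT_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data", "cryptographic-asset",
}


def strict_errors(doc: dict) -> list:
    """Return a list of validation problems; empty means the document passed."""
    errors = [f"missing required field '{f}'" for f in REQUIRED_TOP_LEVEL if f not in doc]
    for i, comp in enumerate(doc.get("components", [])):
        if comp.get("type") not in COMPONENT_TYPES:
            errors.append(f"components[{i}]: unknown component type {comp.get('type')!r}")
        if "name" not in comp:
            errors.append(f"components[{i}]: missing name")
    return errors


def extract_components(doc: dict) -> list:
    """Best-effort extraction: keep every component that has a name and a version."""
    found = []
    for comp in doc.get("components", []):
        if comp.get("name") and comp.get("version"):
            found.append({"name": comp["name"], "version": comp["version"],
                          "purl": comp.get("purl")})
    return found


def import_sbom(raw: bytes, skip_validation: bool) -> dict:
    """Strict mode rejects an invalid file; skip mode extracts what it can and
    preserves the original, unvalidated document alongside the warnings."""
    doc = json.loads(raw)  # malformed JSON still fails: nothing can be extracted from it
    errors = strict_errors(doc)
    if errors and not skip_validation:
        raise ValueError("SBOM failed validation: " + "; ".join(errors))
    return {
        "valid": not errors,
        "warnings": errors,
        "components": extract_components(doc),
        "original": raw,  # retained so the complete file is still available later
    }


if __name__ == "__main__":
    result = import_sbom(INVALID_CDX, skip_validation=True)
    print(result["warnings"])
    print([f"{c['name']}@{c['version']}" for c in result["components"]])
```

The component without a version is dropped from the extracted list rather than guessed at; the warnings list tells the user exactly which syntax problems to correct.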
Search by License
You can now easily search for components by license, gaining immediate visibility into potential concerns across your projects. This new search functionality complements the existing component name search, providing a more comprehensive view of your SBOMs and empowering you to make informed decisions regarding license compliance and risk mitigation.
Improved Matching Process for SBOM Scans (Impacts Lifecycle and SBOM Manager)
The SBOM matching process now prioritizes hashes over coordinates (PURLs) to improve accuracy and reliability, particularly for ecosystems like PECOFF where coordinates may be inconsistent. This change ensures more precise component identification and enhances the overall quality of SBOM data.
Improved Component Sorting
Users can now sort components by name on the Bill of Materials (BOM) page for easier navigation and organization.
Original Binary Filename Visible in Bill of Materials Page
The Show metadata option within the Bill of Materials page now displays the original filename of the scanned binary, providing clearer traceability and association between your SBOM data and the corresponding source file.
Release 185 (December 2024)
Import Binary Files through the SBOM Manager User Interface - You can now easily import binary files directly through the SBOM Manager user interface, expanding your ability to analyze and understand your software components. This streamlined import process allows you to quickly generate SBOMs for your binaries, identify similar components, and gain deeper insights into your software supply chain. For details, see the SBOM Manager help documentation.
Merge Multiple SBOMs - SBOM Manager now allows you to easily aggregate SBOMs from various sources, such as microservices within a single application, into a comprehensive, unified view. Import a .zip or .tar archive containing multiple SBOMs and SBOM Manager will generate a single, consolidated SBOM with duplicates removed. For details, see the Importing SBOMs help documentation.
Generate PDF of Bill of Materials Report from SBOM Manager - SBOM Manager now allows you to export a Bill of Materials report as a PDF document, providing a convenient and shareable format for your SBOM data. This new export option includes policy violation and vulnerability details and is accessible directly from the Bill of Materials view. See the Bill of Materials View help documentation for full details.
Improved Messaging to Support User Awareness of Imported SBOM Interpretation - SBOM Manager now provides clearer feedback when uploading invalid SBOM files. If an uploaded file fails validation but can still be processed as a binary, SBOM Manager provides a more informative message indicating the issue. This helps avoid confusion and ensures you have the necessary information to correct any syntax errors.
Updates to CycloneDX Property Names - This release updates property names in CycloneDX exports to align with Sonatype taxonomy standards and ensure consistency across both Lifecycle and SBOM Manager exports. These changes maintain backward compatibility, allowing seamless import and export functionality with both the old and new property names. See our help documentation for an updated list of Sonatype properties in SBOMs.
Standardize CycloneDX File Names - Lifecycle and SBOM Manager can now both ingest CycloneDX SBOMs with the standardized .cdx.xml and .cdx.json file extensions. Additionally, exported SBOMs from SBOM Manager now also use the standardized .cdx.xml file extension. This change ensures consistency with industry best practices while maintaining support for existing *-bom.xml|json formats.
Improved Accuracy for Similar Matched Components - SBOM Manager now offers enhanced accuracy and consistency when managing CycloneDX SBOMs that contain components with similar matches. Similar matched components imported through a CycloneDX SBOM now retain their original designation and associated metadata, ensuring a consistent and reliable view of your component information throughout the SBOM lifecycle. This improvement strengthens your software supply chain security by providing a more accurate representation of your software's composition.
Release 184 (November 2024)
Software Bill of Materials that failed validation have a warning message indicating the failure
An optional argument is added to the SBOM Import API to set the version ID on the upload of SBOMs
SBOM Manager Search includes links to the specific version and vulnerability
Release 183 (October 2024)
Binary archives may be analyzed using SBOM Manager to generate a Bill of Materials
Exporting PDF reports has been added to the SBOM Bill of Materials
Bill of Material reports now support importing and displaying unknown components from binary archives
Release 182 (September 2024)
SBOM Manager has access to the Sonatype reference policies for reporting and notifications.
Copy VEX annotations from previous versions.
Release 181 (August 2024)
Early improvements to SBOM Manager expanding the supported
Added support for the CycloneDX 1.6 format
Implemented the product switcher into the UI to support multiple Sonatype solutions
Release 177 (June 2024)
We proudly announce Sonatype SBOM Manager, your first choice in SBOM Management.
Catalog third-party SBOMs
Monitor the dependencies of all versions of your applications that are available to your customers
Powered by Sonatype's Component Intelligence spanning over 14 ecosystems
Communicate the exploitability status of vulnerabilities to your stakeholders using the VEX workflow
Supports the most common SBOM formats: CycloneDX, SPDX, VEX, JSON, and XML.