SBOM Manager Release Notes

SBOM Manager Cloud and SaaS deployments are automatically updated to the latest release on a regular maintenance cadence. Self-hosted deployments should reference the IQ Server deployment instructions and system requirements.

SBOM Manager requires using the PostgreSQL database for self-hosted deployments.

Release 186 (January 2025)

Here's what's new for Sonatype SBOM Manager in IQ Server release 186:

SBOM Manager Container Scans

Leveraging Sonatype Container Security, SBOM Manager now provides detailed SBOMs for OS-level components within your container images. This enhanced visibility empowers you to better understand and manage your software supply chain risks, leading to more informed decisions and improved security posture.

See the Importing SBOMs help documentation for more details on support for container analysis.

See Policy Violation Data in User Interface

You can now view policy violation data directly within SBOM Manager. This includes a summary of violations in the BOM header, a dedicated violations column for components, and detailed violation information (e.g., severity levels, threat, policy, constraint, and condition information) in the component details page.

Screenshot of an example SBOM with the new Policy Violation Summary and Violations column visible

Skip Validation Support for CDX and SPDX

You can bypass strict validation checks when importing CDX and SPDX files, providing more flexibility when working with potentially invalid SBOMs. During import, SBOM Manager will extract critical information (e.g., package names and versions) from invalid CDX and SPDX file imports. In addition to capturing essential data, the system preserves the original, unvalidated SBOM for future reference. This ensures that users have access to the complete SBOM if needed.

See SBOM Import for more details.

Search by License

You can now easily search for components by license, gaining immediate visibility into potential concerns across your projects. This new search functionality complements the existing component name search, providing a more comprehensive view of your SBOMs and empowering you to make informed decisions regarding license compliance and risk mitigation.

Improved Matching Process for SBOM Scans (Impacts Lifecycle and SBOM Manager)

The SBOM matching process now prioritizes hashes over coordinates (PURLs) to improve accuracy and reliability, particularly for ecosystems like PECOFF where coordinates may be inconsistent. This change ensures more precise component identification and enhances the overall quality of SBOM data.
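As an added illustration of the hash-first matching described above (example code written for these notes, not SBOM Manager's own implementation): the catalogue, catalogue IDs and SHA-256 values are constructed placeholders, and the component named mystery.dll shows the unmatched case.

```python
import json

# Constructed component catalogue standing in for a reference lookup service
# (hypothetical data, not Sonatype's). The SHA-256 value is a placeholder.
ZLIB_1_2_13_SHA256 = "c0ffee" + "0" * 58
CATALOG_BY_HASH = {ZLIB_1_2_13_SHA256: "comp-zlib-1.2.13"}
CATALOG_BY_PURL = {
    "pkg:generic/zlib@1.2.12": "comp-zlib-1.2.12",
    "pkg:generic/zlib@1.2.13": "comp-zlib-1.2.13",
    "pkg:npm/lodash@4.17.21": "comp-lodash-4.17.21",
}

def match_component(component):
    """Resolve one CycloneDX component: hash first, PURL only as a fallback.
    Returns (catalog_id, method) with method 'hash', 'purl' or None."""
    for entry in component.get("hashes", []):
        if entry.get("alg", "").upper() != "SHA-256":
            continue
        hit = CATALOG_BY_HASH.get(entry.get("content", "").lower())
        if hit:
            return hit, "hash"  # exact file identity beats declared coordinates
    purl = component.get("purl")
    if purl in CATALOG_BY_PURL:
        return CATALOG_BY_PURL[purl], "purl"
    return None, None

def match_bom(bom_json):
    """Map each component name in a CycloneDX JSON BOM to its match result."""
    bom = json.loads(bom_json)
    return {c["name"]: match_component(c) for c in bom.get("components", [])}

# Constructed CycloneDX 1.6 fragment. zlib1.dll carries a PURL whose version
# disagrees with the file's hash, as can happen with hand-written PE/COFF coordinates.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "zlib1.dll", "version": "1.2.12",
         "purl": "pkg:generic/zlib@1.2.12",
         "hashes": [{"alg": "SHA-256", "content": ZLIB_1_2_13_SHA256}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "mystery.dll"},
    ],
})

if __name__ == "__main__":
    for name, (cid, how) in match_bom(SAMPLE_BOM).items():
        print(f"{name:12} -> {cid} via {how}")
```

With coordinates-first matching, zlib1.dll would resolve to the wrong version; the hash lookup corrects it without consulting the PURL.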

Improved Component Sorting

Users can now sort components by name on the Bill of Materials (BOM) page for easier navigation and organization.

Original Binary Filename Visible in Bill of Materials Page

The Show metadata option within the Bill of Materials page now displays the original filename of the scanned binary, providing clearer traceability and association between your SBOM data and the corresponding source file.

Release 185 (December 2024)

  • Import Binary Files through the SBOM Manager User Interface - You can now easily import binary files directly through the SBOM Manager user interface, expanding your ability to analyze and understand your software components. This streamlined import process allows you to quickly generate SBOMs for your binaries, identify similar components, and gain deeper insights into your software supply chain. For details, see the SBOM Manager help documentation.

  • Merge Multiple SBOMs - SBOM Manager now allows you to easily aggregate SBOMs from various sources, such as microservices within a single application, into a comprehensive, unified view. Import a .zip or .tar archive containing multiple SBOMs and SBOM Manager will generate a single, consolidated SBOM with duplicates removed. For details, see the Importing SBOMs help documentation.

  • Generate PDF of Bill of Materials Report from SBOM Manager - SBOM Manager now allows you to export a Bill of Materials report as a PDF document, providing a convenient and shareable format for your SBOM data. This new export option includes policy violation and vulnerability details and is accessible directly from the Bill of Materials view. See the Bill of Materials View help documentation for full details.

  • Improved Messaging to Support User Awareness of Imported SBOM Interpretation - SBOM Manager now provides clearer feedback when uploading invalid SBOM files. If an uploaded file fails validation but can still be processed as a binary, SBOM Manager provides a more informative message indicating the issue. This helps avoid confusion and ensures you have the necessary information to correct any syntax errors.

  • Updates to CycloneDX Property Names - This release updates property names in CycloneDX exports to align with Sonatype taxonomy standards and ensure consistency across both Lifecycle and SBOM Manager exports. These changes maintain backward compatibility, allowing seamless import and export functionality with both the old and new property names. See our help documentation for an updated list of Sonatype properties in SBOMs.

  • Standardize CycloneDX File Names - Lifecycle and SBOM Manager can now both ingest CycloneDX SBOMs with the standardized .cdx.xml and .cdx.json file extensions. Additionally, exported SBOMs from SBOM Manager now also use the standardized .cdx.xml file extension. This change ensures consistency with industry best practices while maintaining support for existing *-bom.xml|json formats.

  • Improved Accuracy for Similar Matched Components - SBOM Manager now offers enhanced accuracy and consistency when managing CycloneDX SBOMs that contain components with similar matches. Similar matched components imported through a CycloneDX SBOM now retain their original designation and associated metadata, ensuring a consistent and reliable view of your component information throughout the SBOM lifecycle. This improvement strengthens your software supply chain security by providing a more accurate representation of your software's composition.

Release 184 (November 2024)

  • Software Bills of Materials that failed validation now show a warning message indicating the failure

  • An optional argument is added to the SBOM Import API to set the version ID on the upload of SBOMs

  • SBOM Manager Search includes links to the specific version and vulnerability

Release 183 (October 2024)

  • Binary archives may be analyzed using SBOM Manager to generate a Bill of Materials

  • Exporting PDF reports has been added to the SBOM Bill of Materials

  • Bill of Material reports now support importing and displaying unknown components from binary archives

Release 182 (September 2024)

  • SBOM Manager has access to the Sonatype reference policies for reporting and notifications.

  • Copy VEX annotations from previous versions.

Release 181 (August 2024)

Early improvements to SBOM Manager expanding the supported

  • Added support for the CycloneDX 1.6 format

  • Implemented the product switcher into the UI to support multiple Sonatype solutions

Release 177 (June 2024)

We proudly announce Sonatype SBOM Manager, your first choice in SBOM Management.

  • Catalog third-party SBOMs

  • Monitor the dependencies of all versions of your applications that are available to your customers

  • Powered by Sonatype's Component Intelligence spanning over 14 ecosystems

  • Communicate the exploitability status of vulnerabilities to your stakeholders using the VEX workflow

  • Supports the most common SBOM formats: CycloneDX, SPDX, VEX, JSON, and XML.