Overview
The SBOM & Software Supply Chain module provides software composition analysis and vulnerability management for the ThreatZ platform. It enables automotive cybersecurity teams to ingest Software Bills of Materials, scan for known vulnerabilities, track supplier and license information, link components to vehicle architecture models, and monitor supply chain risk over time.
Supported SBOM Formats
| Format | Variants | Key Capabilities |
|---|---|---|
| CycloneDX | JSON, XML | Component metadata, external references, supplier info, license parsing |
| SPDX v2.3 | JSON | Package-based components, declared/concluded licenses, creator tracking |
| SPDX v3.0 | JSON (JSON-LD) | Graph-based format: a @graph of typed elements (software_Package, CreationInfo, ...), with relationships modelled as elements of their own |
Format detection is automatic. The platform validates each file against format-specific schemas and handles XML-to-JSON conversion transparently.
Key Concepts
SBOM Files
SBOM Files represent an uploaded Software Bill of Materials. Each file tracks its format, version, supplier, and processing status. Files progress through a defined lifecycle:
Draft → Scanning → Active → Outdated
A preview workflow allows users to inspect the parsed contents (component count, supplier count) before committing to the database.
SBOM Components
SBOM Components are individual software packages extracted from an SBOM file. Each component carries:
- Name, version, Package URL (PURL), and Common Platform Enumeration (CPE)
- Supplier reference and license information
- Dependency count and dependency risk rating (Low / Medium / High)
- Lifecycle status (Released, Alpha, Beta, End-of-life)
- Vulnerability counts by severity (Critical, High, Medium, Low)
- Link to system architecture component instance
Vulnerabilities
Vulnerabilities are known security weaknesses (CVEs, GHSAs) associated with SBOM components. Each vulnerability record includes:
- CVE/GHSA identifier and source database (NVD, GHSA, OSV, CNVD)
- CVSS base score and vector, plus temporal CVSS score
- Severity level (Critical, High, Medium, Low)
- Published and modified dates
- Affected and fixed version ranges
- CISA KEV status (actively exploited indicator)
- Exploit mention count with last update timestamp
- Threat chatter score with source breakdown (forums, dark web, social media, threat intelligence)
Computed Risk Metrics
Computed Risk Metrics go beyond raw CVSS to provide actionable prioritization:
- Days Since Disclosure: Calculated from the vulnerability’s published date
- Fix Available: Whether a patched version exists
- Exploit Likelihood: Adaptive formula combining CVSS score, disclosure age, exploit mentions, and CISA KEV status
- Risk Forecast: Escalated / Likely to Escalate / Stable — based on exploit likelihood and chatter score trends
- Data Completeness: Indicates which enrichment fields are available for calculation accuracy
Vulnerability Scanning Pipeline
The scanning process is fully asynchronous and event-driven:
- Upload: User uploads SBOM via the preview endpoint. The file is staged and parsed for preview statistics.
- Finalize: On confirmation, components are created in Draft status. A `sbom.uploaded` event is published.
- Scan: The vuln-scanner microservice consumes the event, creates a Dependency-Track project, and submits the BOM for analysis.
- Ingest: When scanning completes, vulnerability records are created with full metadata. Components are matched by PURL (primary) or name@version (fallback).
- Activate: Components transition from Draft to Active. Notifications are sent for critical/high vulnerabilities.
CI/CD Integration
SBOM files can be uploaded directly from build pipelines via API key-authenticated endpoints:
POST /external/sbom/projects/:projectId/system-components/:componentId/sw-unit/:swUnitId/sbom
This enables automated supply chain monitoring as part of the software delivery process. Organization-wide rescans can be triggered on demand.
Dependency Analysis
The module builds and stores full dependency graphs for each SBOM file. Dependency risk is calculated based on:
- Total dependency count
- Dependency depth
- Vulnerability propagation through transitive dependencies
Dependency graphs are visualized as interactive tree structures with vulnerability indicators at each node.
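The three inputs to dependency risk above (count, depth, transitive propagation) all come out of one graph walk over the SBOM's dependency section. The following is an added example, not ThreatZ code, that builds that graph from a CycloneDX-style `dependencies` array (each entry is a `ref` plus its direct `dependsOn` refs), computes the three inputs per node, rates them, and renders the per-node indicators the interactive tree shows. The dependency data, the per-component vulnerability counts and the Low/Medium/High thresholds are constructed assumptions. Real SBOMs occasionally contain dependency cycles, so both walks are written to terminate on one rather than recurse forever.

```python
from collections import defaultdict

# Constructed CycloneDX-style "dependencies" array for a small IVI / telematics image.
DEPENDENCIES = [
    {"ref": "app", "dependsOn": ["ivi-ui", "telematics"]},
    {"ref": "ivi-ui", "dependsOn": ["libpng", "zlib"]},
    {"ref": "telematics", "dependsOn": ["curl", "openssl"]},
    {"ref": "curl", "dependsOn": ["openssl", "zlib"]},
    {"ref": "libpng", "dependsOn": ["zlib"]},
    {"ref": "openssl", "dependsOn": []},
    {"ref": "zlib", "dependsOn": []},
]
DIRECT_VULNS = {"zlib": 1, "openssl": 2}   # constructed per-component vulnerability counts


def build_graph(dependencies) -> dict[str, list[str]]:
    graph = defaultdict(list)
    for entry in dependencies:
        children = entry.get("dependsOn", [])
        graph[entry["ref"]].extend(children)
        for child in children:
            graph.setdefault(child, [])          # leaves still get a node
    return dict(graph)


def transitive_deps(graph, root) -> set[str]:
    """Every component reachable below root (root itself excluded); safe on cycles."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        n = stack.pop()
        if n in seen or n == root:
            continue
        seen.add(n)
        stack.extend(graph.get(n, []))
    return seen


def depth(graph, node, path=frozenset()) -> int:
    """Longest dependency chain below node; an edge that closes a cycle is not followed."""
    best = 0
    for child in graph.get(node, []):
        if child in path or child == node:
            continue
        best = max(best, 1 + depth(graph, child, path | {node}))
    return best


def dependency_risk(graph, direct_vulns, root) -> dict:
    deps = transitive_deps(graph, root)
    count, d = len(deps), depth(graph, root)
    propagated = sum(direct_vulns.get(n, 0) for n in deps)   # vulns that reach root transitively
    if propagated >= 3 or d >= 4 or count >= 50:              # assumed thresholds
        rating = "High"
    elif propagated >= 1 or d >= 2 or count >= 10:
        rating = "Medium"
    else:
        rating = "Low"
    return {"dependency_count": count, "depth": d, "propagated_vulns": propagated, "rating": rating}


def render_tree(graph, direct_vulns, node, indent=0, path=frozenset()) -> list[str]:
    """Text form of the tree view: each node carries its direct and transitive indicators."""
    r = dependency_risk(graph, direct_vulns, node)
    line = (f"{'  ' * indent}{node} [direct={direct_vulns.get(node, 0)} "
            f"transitive={r['propagated_vulns']} {r['rating']}]")
    lines = [line]
    for child in graph.get(node, []):
        if child not in path and child != node:
            lines.extend(render_tree(graph, direct_vulns, child, indent + 1, path | {node}))
    return lines


if __name__ == "__main__":
    g = build_graph(DEPENDENCIES)
    print("\n".join(render_tree(g, DIRECT_VULNS, "app")))
```

Note that `zlib` is reached by three different paths from `app` but is counted once, which is the behaviour you want for risk aggregation; a naive recursive sum over the tree would count its vulnerability three times and inflate the rating.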
Dashboard & Analytics
The SBOM dashboard provides:
- SBOM File List: All uploaded SBOMs with status indicators and vulnerability breakdown
- Component Inventory: Searchable list with vulnerability counts, supplier, license, and lifecycle status
- Dependency Graph: Interactive D3-based visualization of the component tree
- Vulnerability Summary: Filterable list with severity, exploit likelihood, risk forecast, and fix availability
- Supplier View: Component grouping by supplier with risk aggregation
- Key Metrics: Total components, vulnerability distribution, fix ratio, ML risk score, CVE forecast (90-day prediction), lifecycle risk index
License & Supplier Management
- Extract and track license information from every SBOM component
- Maintain a supplier registry with component associations
- Monitor component lifecycle status to flag end-of-life dependencies
- Enforce organizational SBOM policies (format requirements, auto-sync settings)
- Support compliance workflows with structured license data
Integration with Other Pillars
| Direction | Pillar | Data Flow |
|---|---|---|
| Inbound | Design | Software units reference SBOM files; component instances link to SBOM components |
| Inbound | Testing | Code analysis findings (SARIF, Semgrep, Snyk, SonarQube) converted to vulnerabilities |
| Outbound | TARA | SBOM components linkable as project assets |
| Outbound | Compliance | License tracking, SBOM policy enforcement, format requirements |
| Outbound | Notifications | Critical/high vulnerability alerts to project members |
| Outbound | Reporting | SBOM stats (fix ratio, ML risk score, forecasted CVEs) included in security reports |
| Bidirectional | Knowledge Graph | Component and file relationships synced to graph database |