SBOM and CRA

SBOMs for Cyber Resilience Act compliance

SBOMs are the operating map for CRA readiness. They help teams understand product components, monitor vulnerabilities, assess exploitability, and connect evidence to each product version.

Why SBOMs matter for CRA readiness

The Cyber Resilience Act requires teams to manage security across the product lifecycle. A current software bill of materials gives teams the dependency inventory needed to identify vulnerable products and prioritize remediation.

  • Map components, versions, package URLs, and product releases.
  • Connect CVEs and exploited vulnerabilities to affected product versions.
  • Support audit evidence for vulnerability handling and post-market monitoring.

CycloneDX and SPDX ingestion

cramio supports common SBOM formats used by product security and DevOps teams. SBOMs can be uploaded through the dashboard or sent from CI/CD systems and custom scripts through authenticated APIs.

  • CycloneDX and SPDX JSON workflows for CI/CD pipelines.
  • Product-level SBOM history for version comparison and investigation.
  • Tenant-scoped storage and encryption for SBOM payloads and findings.

From SBOM to action

SBOMs are most valuable when they drive automated decisions. cramio uses SBOM metadata to power vulnerability monitoring, VEX statements, incident triage, reporting workflows, and evidence vault entries.

  • Detect whether a CVE maps to an actual product component.
  • Record not affected, affected, fixed, or under investigation decisions with VEX-style evidence.
  • Populate CRA report drafts with affected product and component facts.
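The purl-based matching and VEX-style decisions described above, as an added example that is not cramio's own code: it parses a constructed CycloneDX JSON SBOM, checks a constructed advisory feed (placeholder ids, not real CVEs) by package URL and version range, and emits CycloneDX-style vulnerability entries whose analysis state records affected or not_affected for the product version.

```python
import json

# Constructed CycloneDX JSON SBOM for an imaginary product (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "edge-gateway", "version": "2.3.0"}},
  "components": [
    {"name": "jsonparse", "version": "3.0.1", "purl": "pkg:npm/jsonparse@3.0.1"},
    {"name": "zlibx", "version": "1.2.9", "purl": "pkg:generic/zlibx@1.2.9"}
  ]
}"""

# Constructed advisory feed with placeholder ids; affected versions are [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-0000-00001", "purl": "pkg:npm/jsonparse", "introduced": "3.0.0", "fixed": "3.0.2"},
    {"id": "CVE-0000-00002", "purl": "pkg:generic/zlibx", "introduced": "1.0.0", "fixed": "1.2.9"},
    {"id": "CVE-0000-00003", "purl": "pkg:pypi/requests", "introduced": "2.0.0", "fixed": "2.31.0"},
]

def parse_version(v):
    """Dotted numeric versions only; a real feed needs an ecosystem-aware comparator."""
    return tuple(int(part) for part in v.split("."))

def index_components(sbom):
    """Map version-less purl -> component, so advisories match on package identity first."""
    return {comp["purl"].partition("@")[0]: comp for comp in sbom["components"]}

def match_advisories(sbom, advisories):
    """Return CycloneDX vulnerabilities[] entries, each with a VEX analysis state."""
    index = index_components(sbom)
    entries = []
    for adv in advisories:
        comp = index.get(adv["purl"])
        if comp is None:
            continue  # package is not in this product version: no finding to record
        version = comp["purl"].partition("@")[2]
        inside = parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"])
        entries.append({
            "id": adv["id"],
            "affects": [{"ref": comp["purl"]}],
            "analysis": {"state": "affected" if inside else "not_affected",
                         "detail": f"{comp['name']} {version} is {'inside' if inside else 'outside'} "
                                   f"[{adv['introduced']}, {adv['fixed']})"},
        })
    return entries

def triage(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Parse the SBOM text and run the purl/version match; a pipeline step would call this."""
    return match_advisories(json.loads(sbom_json), advisories)
```

Calling `triage()` on the embedded data yields one affected entry (jsonparse 3.0.1) and one not_affected entry (zlibx 1.2.9 already carries the fixed version), while the advisory for a package absent from the SBOM produces no finding at all.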

Common questions

Do I need an SBOM for CRA compliance?

The CRA does not reduce to a single SBOM requirement, but SBOM coverage is a practical foundation for vulnerability monitoring, impact analysis, reporting, and lifecycle evidence.

Which SBOM formats does cramio support?

cramio supports CycloneDX and SPDX JSON workflows, including ingestion from dashboards, APIs, webhooks, and CI/CD pipelines.

Does cramio collect source code?

No. cramio works from SBOM metadata and vulnerability findings; it does not ingest or collect source code.