Docs
DocsAPICLIGlossary
Launch App
User Guides
Product Guides
ComplianceSecurityQualitySBOM Managementfossabot
Get Started
Project Setup
Release Groups
Issues
Licenses
Vulnerabilities
Quality
SBOM
Policies
Reports
FOSSA CLI
API Reference
Integrations
fossabot
Organization Management
On-Premises Deployment
Help & Support
Legal
Get Supportfossa.com
DocsProduct GuidesSBOM Management

SBOM Management

Generate, aggregate, import, and share software bills of materials across the full SBOM lifecycle.

4 min read
Prerequisites: At least one project imported and scanning.

Start here

Generate your first SBOM

Step-by-step onboarding path

What's inside

Generating SBOMs

Generate SPDX or CycloneDX SBOMs from any FOSSA project.

Read more

Aggregating SBOMs

Combine multiple projects, including imported supplier SBOMs, into one application-level SBOM with release group reports.

Read more

Import SBOMs

Import third-party SBOMs to scan their dependencies for vulnerabilities and license issues.

Read more

Sharing SBOMs

Publish and distribute generated SBOMs to customers, partners, and other organizations.

Read more

SBOM Policy

Define which fields and file formats are required in imported SBOMs.

Read more

PURL Support

Package URL identifiers used in SPDX and CycloneDX exports.

Read more

Key concepts

SBOM formats — SPDX vs. CycloneDX

When to use SPDX vs. CycloneDX and which format meets your compliance requirements.

SBOM vulnerability detection

How FOSSA scans imported SBOMs for known CVEs.

© 2026 FOSSA, Inc.support@fossa.com