Lynx Compliance - SBOM Ingestion
Software Bill of Materials ingestion - upload CycloneDX or SPDX JSON, parse the components into a queryable model, attach to a vendor or service. Foundation for the supply-chain vulnerability pipeline.
lynx_compliance_sbom
· v19.0.1.2.1
· Premium
What this solves
Iteration 1 of the supply-chain vulnerability pipeline. Customers upload a CycloneDX or SPDX JSON document, the parser extracts the component list, and each component is stored as a queryable lynx.compliance.sbom.component record with its Package URL (purl) — the canonical cross-format identifier.
This iteration intentionally stops at parse + store. Iteration 2 adds the NVD / OSV vulnerability matching cron; iteration 3 adds vendor association + automatic finding raise on high-severity-vulnerability discovery.
Why purl matters: every modern vulnerability database (OSV, GitHub Advisory DB, GitLab Advisory DB, Trivy DB, Grype) keys on pkg:npm/lodash@4.17.21-style identifiers. Storing the raw purl on each component means the iter-2 cron can do a clean string match against any of those feeds without needing per-ecosystem lookup tables.
Auditors care about supply-chain visibility (CSF GV.SC-04 / SC-05 / SC-08, ISO A.5.19 / A.5.21) — you can't review what you can't see. This connector turns "show me your dependency tree" from a manual PDF into a queryable evidence stream.
Key Features
Two models - lynx.compliance.sbom (one per uploaded document) and lynx.compliance.sbom.component (one per declared dependency).
Two formats supported - CycloneDX (1.4 / 1.5 / 1.6) and SPDX (2.2 / 2.3) JSON. The dispatcher detects format from the document body so the user doesn't have to pick.
purl-first identification - Package URLs are extracted into a dedicated indexed column, making iter-2 vulnerability lookups trivial.
Generic source attachment - SBOM can attach to a vendor assessment, a service / project record, or stand alone via an optional source_model + source_id reference.
SHA-256 of raw blob - the document hash is computed at upload so future re-uploads of the same file deduplicate cleanly.
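The following is an added example, not code from the lynx_compliance_sbom module, showing the parse-and-store step the feature list describes: format detection from the document body, extraction of name / version / purl for each declared component, and a SHA-256 of the raw upload used to deduplicate re-uploads. The two sample documents are constructed for this example (minimal CycloneDX 1.5 and SPDX 2.3 JSON); SbomStore is a hypothetical in-memory stand-in for the lynx.compliance.sbom record, not the Odoo model, and source_model / source_id mirror the optional reference the page mentions.

```python
import hashlib
import json

# Constructed sample documents (not from the module). Shapes follow the
# CycloneDX 1.x and SPDX 2.x JSON layouts; the last entry in each has no purl.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "internal-lib", "version": "0.1"},
    ],
})

SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-service",
    "packages": [
        {"SPDXID": "SPDXRef-Package-jackson", "name": "jackson-databind",
         "versionInfo": "2.15.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}]},
        {"SPDXID": "SPDXRef-Package-local", "name": "local-tool", "versionInfo": "1.0"},
    ],
})


def detect_format(doc):
    """Return 'cyclonedx', 'spdx' or None by inspecting the parsed body."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if isinstance(doc.get("spdxVersion"), str) and doc["spdxVersion"].startswith("SPDX-"):
        return "spdx"
    return None


def _valid_purl(value):
    # Only keep well-formed Package URLs so the downstream feed match stays a clean string compare.
    return value if isinstance(value, str) and value.startswith("pkg:") else None


def _cyclonedx_components(doc):
    for comp in doc.get("components", []):
        yield {"name": comp.get("name"), "version": comp.get("version"),
               "purl": _valid_purl(comp.get("purl"))}


def _spdx_components(doc):
    # SPDX carries the purl as an externalRef of referenceType "purl".
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = _valid_purl(ref.get("referenceLocator"))
                break
        yield {"name": pkg.get("name"), "version": pkg.get("versionInfo"), "purl": purl}


def parse_sbom(raw):
    """Parse a raw upload into (format, sha256 hex digest, component list)."""
    if isinstance(raw, str):
        raw = raw.encode("utf-8")
    digest = hashlib.sha256(raw).hexdigest()  # hash the bytes as uploaded, before any parsing
    doc = json.loads(raw)
    fmt = detect_format(doc)
    if fmt == "cyclonedx":
        comps = list(_cyclonedx_components(doc))
    elif fmt == "spdx":
        comps = list(_spdx_components(doc))
    else:
        raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")
    return fmt, digest, comps


class SbomStore:
    """Hypothetical in-memory stand-in for the lynx.compliance.sbom table, keyed by document hash."""

    def __init__(self):
        self.by_hash = {}

    def ingest(self, raw, source_model=None, source_id=None):
        """Store a document once; a re-upload of identical bytes returns the existing record."""
        fmt, digest, comps = parse_sbom(raw)
        if digest in self.by_hash:
            return self.by_hash[digest], False
        record = {"format": fmt, "sha256": digest, "source_model": source_model,
                  "source_id": source_id, "components": comps}
        self.by_hash[digest] = record
        return record, True

    def components_with_purl(self):
        """Components that a vulnerability feed could be matched against by purl."""
        return [c for r in self.by_hash.values() for c in r["components"] if c["purl"]]


if __name__ == "__main__":
    store = SbomStore()
    store.ingest(CYCLONEDX_DOC, source_model="vendor", source_id=1)
    store.ingest(SPDX_DOC)
    for comp in store.components_with_purl():
        print(comp["purl"])
```

Components without a purl are kept but excluded from components_with_purl(), which is the set a later feed-matching step would iterate; flagging those gaps to the uploader is worthwhile, since a dependency with no purl cannot be matched and silently falls out of the evidence stream.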
Integrates With
lynx_compliance - findings module hosts the iter-3 vulnerability findings.
lynx_compliance_govern - vendor assessments are the canonical SBOM-source target.