Submitting an SBOM for Commercial Software and Finished Products
This document is for suppliers that deliver commercial software or finished products they did not develop. In this case the supplier has no access to the source code, so the source-scan approach in How to Generate an SBOM does not apply. Obtain the SBOM from the original manufacturer and submit it.
Scanning the delivered equipment or its installed image with a tool is not an alternative. The commercial software has no package manager metadata, so its components come out without purls, vulnerability matching fails, and the SBOM is rejected.
Scope
This applies when you supply third-party products in forms such as the following.
- Commercial software resale: supplying licenses for packaged software developed by a third party (resellers, distributors)
- Appliances and finished products: equipment shipped by the manufacturer with the OS and software preinstalled (e.g., storage, backup appliances, network equipment)
- Systems that include third-party products: deliveries combining in-house components with commercial products
If part of the delivery is developed in-house, generate the SBOM for that part yourself following How to Generate an SBOM, and submit the manufacturer’s SBOM for the commercial part alongside it.
Obtaining the SBOM from the manufacturer
Request an SBOM in CycloneDX or SPDX format from the original manufacturer (or developer). With regulations such as US Executive Order 14028 and the EU Cyber Resilience Act in force, most global manufacturers now have a process for providing per-product SBOMs. Including the following in your request speeds up the response.
- Format: CycloneDX JSON (recommended) or SPDX
- Target: the exact model name and version of the delivered product
- Coverage: if the product ships with an OS, the OS packages must be included
Whether and how quickly a manufacturer can provide an SBOM varies, so request it during contract review to stay on the delivery schedule.
Checking the received SBOM
An SBOM received from the manufacturer is reviewed by the same criteria as one you generate yourself. Before submitting, check the following.
- Compliance with the Submission Requirements: standard format and version, metadata, component names and versions, purls
- The Validation Checklist: purl coverage and the other required items
- Version match: the top-level component in the SBOM matches the name and version of the product actually delivered
Then name the file and submit it following the Submission Process.
If the product is a cluster
A product in which multiple nodes form one cluster (for example, distributed storage) is still submitted as one SBOM per product. For how to determine the SBOM unit, see the multi-node cluster section of Server SBOM.
If the manufacturer cannot provide an SBOM
If the manufacturer replies that it cannot provide an SBOM, contact opensource@sktelecom.com before generating and submitting one by other means.
Related Documents
- Submission Requirements: required formats and data fields
- Validation Checklist: items to verify before submission
- Submission Process: naming conventions and submission channels
- Server SBOM: the SBOM unit for multi-node clusters
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.