Import Your First SBOM
Your Software Bill of Materials (SBOM) is the foundation for vulnerability scanning in Product Security Hub. This guide walks you through creating an SBOM container, importing your components, and managing your software inventory.
Before You Begin
- You have created a product in Product Security Hub
- You have added at least one component to your architecture (SBOMs are linked to components)
- You have a list of your software components (or an existing SBOM file)
🔑 Key Concept: SBOMs as Containers
Think of creating an SBOM like getting a piece of paper to write your shopping list. The + Add a New SBOM button creates the "paper"—a container linked to a component. Once created, you navigate into that SBOM and add the actual software components via import or manual entry.
This two-step approach lets you organize multiple SBOMs per product (e.g., one for your firmware, one for your web app) and track metadata like version, status, and scan history for each.
Create a New SBOM
From your product dashboard, click the SBOM tab in the top navigation bar, then click + Add a New SBOM.
In the popup modal, fill in:
- Select Component (required): the architecture component this SBOM belongs to
- SBOM Type: classification of the SBOM
- Status: current status (e.g., Draft, Final)
- SBOM Version: version identifier for this SBOM
- SBOM Group: grouping (defaults to "System")
- SBOM Tool Name: tool used to generate the SBOM
- SBOM Tool Type: type of generation tool
- Notes or Description: optional notes about this SBOM
Click Add to create the SBOM container.
⚠️ Component Required First
You must have at least one component in your architecture before creating an SBOM, because each SBOM is linked to a specific component. If you haven't added components yet, see Add Components.
Navigate into Your SBOM
After creating the SBOM, click on its row in the SBOM table to open it. This takes you to the SBOM detail page where you can import and manage software components.
Import Your Software Components
Inside the SBOM, you have three options to add software components:
Import CycloneDX JSON
If you already have an SBOM in CycloneDX JSON format, click + Import CycloneDX JSON. Select your .json file and Product Security Hub will parse and import all components.
💡 Generating CycloneDX Files
Many build tools can generate CycloneDX SBOMs automatically. Check out CycloneDX Tool Center for plugins for npm, pip, Maven, and more.
Download SBOM Template File (Excel)
Click Download SBOM Template File to get our Excel template. Fill in your component details (name, version, vendor, license, etc.), then import the completed spreadsheet.
💡 Include Package URLs (PURLs)
For better vulnerability matching, include Package URLs when possible. Example: pkg:npm/lodash@4.17.21
Add Components Manually
Click + Add a New Component to add software components one at a time. This is ideal for proprietary components, embedded firmware, or small additions.
💡 When to Use Manual Entry
Manual entry is ideal for proprietary code you've written, embedded firmware from chip vendors, or custom components that aren't in public package registries.
Customize Your SBOM View
Back on the main SBOM page, click the Settings (gear) icon to configure which columns appear in your SBOM table:
Available Columns
These columns help you track metrics at the SBOM level—component counts, vulnerability counts, scan history, and more.
Scan and Export Your SBOM
From the SBOM page, you can perform several actions on each SBOM:
- 🔍 Scan Now: scan against Google OSV to discover known vulnerabilities. Requires SBOM components to have PURLs (Package URLs).
- 📤 SBOM Scan Export: export scan results for external review or documentation.
- 📦 DL CycloneDX: export as a CycloneDX file (without vulnerability data).
- 📦 DL CycloneDX w/ Vulnerabilities: export as CycloneDX with embedded VEX (vulnerability) data.
- 📄 DL Human Readable: export as an Excel file for easy sharing and review.
- 📋 Clone SBOM: create an exact duplicate of the SBOM for versioning or testing.
💡 VEX Data for Customers
The CycloneDX with Vulnerabilities export includes VEX (Vulnerability Exploitability eXchange) data—perfect for sharing your vulnerability assessment with customers or for regulatory submissions.
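To show what a consumer of the "DL CycloneDX w/ Vulnerabilities" export actually reads, here is an added example (not Product Security Hub code, and not from the page) that parses a constructed CycloneDX 1.5 document with an embedded vulnerabilities array, maps each finding back to its component by bom-ref, and separates findings the VEX analysis state has closed from those still needing action. The vulnerability ids are placeholders, and treating a missing analysis block as "in_triage" is this example's assumption.

```python
import json
from collections import Counter

# Constructed sample in the shape of a CycloneDX 1.5 document; ids are placeholders, not real CVEs.
SAMPLE_VEX_EXPORT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"bom-ref": "comp-lodash", "type": "library", "name": "lodash",
         "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"bom-ref": "comp-requests", "type": "library", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "high", "method": "CVSSv31", "score": 7.5}],
         "analysis": {"state": "exploitable"}, "affects": [{"ref": "comp-lodash"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "medium", "method": "CVSSv31", "score": 5.3}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
         "affects": [{"ref": "comp-lodash"}]},
        {"id": "EXAMPLE-0003", "ratings": [{"severity": "critical", "method": "CVSSv31", "score": 9.8}],
         "affects": [{"ref": "comp-requests"}]},  # no analysis block yet: still open
    ],
})

# VEX analysis states (CycloneDX enum) under which no further action is owed on the finding.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def load_findings(doc_json):
    """Return one (vuln id, severity, vex state, component name@version) tuple per affected ref."""
    doc = json.loads(doc_json)
    by_ref = {c.get("bom-ref"): f"{c.get('name')}@{c.get('version')}" for c in doc.get("components", [])}
    rows = []
    for v in doc.get("vulnerabilities", []):
        severity = next((r.get("severity") for r in v.get("ratings", []) if r.get("severity")), "unknown")
        state = v.get("analysis", {}).get("state", "in_triage")  # assumption: no analysis == in triage
        for a in v.get("affects", []):
            rows.append((v.get("id"), severity, state, by_ref.get(a.get("ref"), a.get("ref"))))
    return rows

def open_findings(doc_json):
    """Findings whose VEX state still needs action (exploitable, in_triage, or no analysis at all)."""
    return [r for r in load_findings(doc_json) if r[2] not in CLOSED_STATES]

def severity_breakdown(doc_json):
    """Counts of open findings by severity, the same breakdown the Scan History rows display."""
    return Counter(r[1] for r in open_findings(doc_json))
```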
Explore the Component Inventory
When you click into an SBOM, you'll see the Component Inventory tab showing all software components. This view displays each component with its vulnerability status, links, and metadata.
Component Inventory Columns
The Known Vulns column shows linked vulnerability IDs (e.g., VM.884, VM.895) that you can click to navigate directly to the vulnerability details.
💡 Add Components Manually
From this page, click + Add SBOM Component to add individual components via a popup modal. This is useful for adding proprietary or custom components that weren't in your original SBOM file.
View Component Details
Click on any component row to open its detail page. The component detail page follows the CycloneDX specification closely and includes:
Component Detail Fields
- Identity: BOM-Ref, Group, Supplier Name, Component Name, Version
- Classification: SBOM Component Type (Library, Application, etc.)
- Support: Software Level of Support, End of Support Date
- Security Identifiers: SBOM Component CPE, SBOM Component Supplier PURL
Additional Sections:
- + Add External References: link to VCS repositories, websites, issue trackers, and other external resources. Each reference has a Type, URL, and Comment field.
- + Add Hashes: add cryptographic hashes (Algorithm + Content) to verify component integrity.
- + Add Licenses: document licenses with ID (SPDX identifier), Name, URL, and Expression fields.
- + Dependencies: select dependencies to map relationships between components in your SBOM.
Review Scan History
Inside an SBOM, click the Scan History tab to see a complete history of all vulnerability scans—both manual and automated.
Scan History Columns
Each row shows the vulnerability severity breakdown with colored indicators: Critical, High, Medium, Low.
Scan History Actions:
- 📋 View Details: click into a scan to see all vulnerabilities found. Toggle to show only new vulnerabilities discovered in that scan.
- 🖨️ Print Report: click the print icon to generate a printable scan history report showing all components scanned and their PURLs.
💡 Automated Scans
Product Security Hub can run automated scans on a schedule. Check the Scan Type column to distinguish between manual scans you triggered and automated background scans.
What Information Product Security Hub Captures
For each software component in your SBOM, Product Security Hub tracks:
- Identity: name, version, vendor, package URL (purl)
- Type: library, framework, OS, firmware, application
- License: SPDX license identifier (MIT, Apache-2.0, etc.)
- Dependencies: relationships between components
Best Practices
- Include all components: don't skip components you think are "safe." Even basic libraries can have vulnerabilities.
- Be specific with versions: "OpenSSL 1.1.1k" is better than "OpenSSL 1.x". Version specificity improves vulnerability matching.
- Include PURLs for scanning: Google OSV scanning requires Package URLs (PURLs). Without them, vulnerability matching won't work.
- Include transitive dependencies: your dependencies have dependencies. A complete SBOM includes the full dependency tree.
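The CycloneDX JSON import above and the PURL and version practices in this list both come down to the same pre-import check, so here is one added example (not Product Security Hub code, and not from the page) that runs it: it parses a constructed CycloneDX document, flags components with no purl (which Scan Now cannot match), components whose purl disagrees with the declared version, and wildcard or range versions such as "1.x". The purl grammar and the vague-version pattern are this example's own simplifications of the purl spec.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample SBOM: two well-formed entries, one with no purl, one with a wildcard version.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "1.x"},          # no purl, vague version
        {"type": "firmware", "name": "vendor-blob", "version": "3.2.0"},  # no purl (manual-entry case)
    ],
})

# Simplified purl grammar: pkg:type/namespace/name@version (qualifiers and subpath are ignored here).
PURL_RE = re.compile(r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)(?:@(?P<version>[^?#]+))?")
# Wildcards, ranges and caret/tilde constraints cannot be matched against an advisory database.
VAGUE_VERSION_RE = re.compile(r"\.x\b|\*|^[<>~^=]")

def parse_purl(purl):
    """Split a purl into its parts, percent-decoded (e.g. %40angular -> @angular); None if malformed."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return {k: (unquote(v) if v else None) for k, v in m.groupdict().items()}

def check_sbom(doc_json):
    """Return (component name, issue) pairs for everything that would weaken an OSV scan."""
    doc = json.loads(doc_json)
    findings = []
    for c in doc.get("components", []):
        name, version, purl = c.get("name", "<unnamed>"), c.get("version", ""), c.get("purl")
        if not purl:
            findings.append((name, "missing purl: OSV scan cannot match this component"))
        else:
            parsed = parse_purl(purl)
            if parsed is None:
                findings.append((name, f"malformed purl: {purl}"))
            elif parsed["version"] is None:
                findings.append((name, "purl carries no version"))
            elif parsed["version"] != version:
                findings.append((name, f"purl version {parsed['version']} != version {version}"))
        if not version or VAGUE_VERSION_RE.search(version):
            findings.append((name, f"vague version {version!r}: pin the exact release"))
    return findings
```

Running check_sbom on the sample reports the two openssl problems and the missing purl on the firmware blob, and nothing for the two pinned, purl-bearing libraries.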
What's Next?
Now that you've created and populated your SBOM, you're ready to:
1. Manage Vulnerabilities: review and organize vulnerabilities from your SBOM scan
2. Triage Vulnerabilities: assess impact and prioritize remediation
3. Learn CVSS Scoring: score vulnerabilities with CVSS 3.1 and 4.0
Need help with your SBOM?
We can help you create a complete software inventory for your product.