SBOM Formats & Import/Export
Product Security Hub gives you flexible options for managing your Software Bill of Materials. Import from standard formats or spreadsheets, manually create components for embedded systems, and export in machine-readable formats that meet regulatory requirements.
Import Options
Multiple ways to get your software components into Product Security Hub.
CycloneDX Import
Industry standard format
Import SBOMs in CycloneDX JSON or XML format. This is the recommended approach if you're generating SBOMs from your build pipeline using tools like Syft, Trivy, or cdxgen.
Supported versions:
Excel Template Import
Spreadsheet-based workflow
Prefer working in spreadsheets? Download our Excel template, fill in your component details, and import directly. Great for teams transitioning from manual tracking or working with suppliers who provide component lists in spreadsheets.
Template includes columns for:
Component name, version, supplier, license, CPE, PURL, and more
Manual Component Creation
Not all software components can be discovered automatically. Embedded devices with firmware written in C/C++, proprietary libraries, or components from suppliers without SBOM tooling often require manual entry.
Product Security Hub lets you manually create SBOM components directly in the platform. Add the component name, version, supplier, license, and identifiers (CPE, PURL). These manually-added components are fully integrated—they'll be scanned for vulnerabilities and included in your exports.
Perfect for:
- Embedded firmware (C/C++, assembly)
- Third-party libraries without package managers
- Supplier-provided binaries
- Operating system components
Why This Matters for FDA
FDA's premarket cybersecurity guidance requires SBOMs to be provided in a machine-readable format. For embedded devices where automated SBOM generation isn't possible, Product Security Hub bridges the gap:
1. Manually add your firmware components in Product Security Hub
2. Export as CycloneDX (machine-readable)
3. Include in your FDA submission package
Export Options
Generate outputs for regulatory submissions, customer requests, and internal tracking.
CycloneDX SBOM
Export your complete SBOM in CycloneDX format. Machine-readable and suitable for FDA submissions and customer requests.
CycloneDX + VEX
Export with vulnerability information embedded. Includes your triage decisions and exploitability assessments as VEX data: in CycloneDX these travel inside the same document as vulnerability entries, each pointing at the affected component and carrying an analysis state such as not_affected, exploitable or in_triage.
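To make the manual-entry-to-export workflow and the VEX export concrete, the following is an added Python example written for this page. It is not Product Security Hub code and does not show how the platform itself generates its files. It takes firmware components shaped like the spreadsheet columns above, builds a CycloneDX 1.5 JSON SBOM, embeds one VEX statement, and checks the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp) before export. Every product, supplier and component name, the SBOM author, and the CVE identifier are constructed placeholders, not real entries.

```python
"""Build a CycloneDX 1.5 JSON SBOM from manually entered firmware components,
embed a VEX statement, and check NTIA minimum elements before export."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample rows shaped like the spreadsheet columns (name, version,
# supplier, license, CPE, PURL). All vendor and product names are hypothetical.
FIRMWARE_ROWS = [
    {"name": "example-rtos", "version": "2.3.1", "supplier": "Example RTOS Ltd",
     "license": "MIT", "type": "operating-system",
     "cpe": "cpe:2.3:o:example:example_rtos:2.3.1:*:*:*:*:*:*:*",
     "purl": "pkg:generic/example-rtos@2.3.1"},
    {"name": "libtls-embedded", "version": "1.8.0", "supplier": "Example Crypto Inc",
     "license": "Apache-2.0", "type": "library",
     "cpe": "", "purl": "pkg:generic/libtls-embedded@1.8.0"},
    # A supplier-provided binary entered with nothing but a file name,
    # deliberately incomplete so the check below has something to flag.
    {"name": "vendor-blob.bin", "version": "", "supplier": "",
     "license": "", "type": "firmware", "cpe": "", "purl": ""},
]

# Analysis states defined by the CycloneDX VEX schema.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}


def build_bom(rows, product, version, serial=None, timestamp=None):
    """Return a CycloneDX 1.5 BOM (as a dict) with one component per row and a
    dependency edge from the product to every component."""
    serial = serial or f"urn:uuid:{uuid.uuid4()}"
    timestamp = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    components = []
    for r in rows:
        ref = f"{r['name']}@{r['version'] or 'unknown'}"
        comp = {"type": r["type"], "bom-ref": ref,
                "name": r["name"], "version": r["version"]}
        if r["supplier"]:
            comp["supplier"] = {"name": r["supplier"]}
        if r["license"]:
            comp["licenses"] = [{"license": {"id": r["license"]}}]
        if r["cpe"]:
            comp["cpe"] = r["cpe"]
        if r["purl"]:
            comp["purl"] = r["purl"]
        components.append(comp)
    product_ref = f"{product}@{version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            "authors": [{"name": "Product Security Team"}],  # hypothetical author
            "component": {"type": "device", "bom-ref": product_ref,
                          "name": product, "version": version},
        },
        "components": components,
        "dependencies": [{"ref": product_ref,
                          "dependsOn": [c["bom-ref"] for c in components]}],
    }


def add_vex(bom, vuln_id, component_ref, state, justification=None, detail=None):
    """Embed one VEX statement. Rejects unknown states and refs so a triage
    decision can never point at a component that is not in the SBOM."""
    if state not in VEX_STATES:
        raise ValueError(f"invalid VEX state: {state}")
    if component_ref not in {c["bom-ref"] for c in bom["components"]}:
        raise ValueError(f"unknown bom-ref: {component_ref}")
    analysis = {"state": state}
    if justification:
        analysis["justification"] = justification
    if detail:
        analysis["detail"] = detail
    bom.setdefault("vulnerabilities", []).append(
        {"id": vuln_id, "affects": [{"ref": component_ref}], "analysis": analysis})
    return bom


def check_minimum_elements(bom):
    """Return gaps against the NTIA minimum elements: supplier, name, version,
    unique identifier, dependency relationship, author, timestamp."""
    gaps = []
    if not bom["metadata"].get("timestamp"):
        gaps.append("missing metadata.timestamp")
    if not bom["metadata"].get("authors"):
        gaps.append("missing metadata.authors")
    for c in bom["components"]:
        ref = c["bom-ref"]
        if not c.get("version"):
            gaps.append(f"{ref}: missing version")
        if not c.get("supplier"):
            gaps.append(f"{ref}: missing supplier")
        if not (c.get("cpe") or c.get("purl")):
            gaps.append(f"{ref}: no unique identifier (CPE or PURL)")
    if not bom.get("dependencies"):
        gaps.append("no dependency relationships")
    return gaps


def export_json(bom):
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    bom = build_bom(FIRMWARE_ROWS, "example-infusion-pump", "4.0")
    add_vex(bom, "CVE-0000-00000", "libtls-embedded@1.8.0", "not_affected",  # placeholder id
            "code_not_reachable", "Affected API is not linked into the firmware image.")
    for gap in check_minimum_elements(bom):
        print("GAP:", gap)
    print(export_json(bom))
```

Run as-is, the script flags the vendor-blob.bin row three times (no version, no supplier, no CPE or PURL) before printing the JSON; that is the point of running the check before a submission export rather than after. The serial number and timestamp can be passed in explicitly to produce a reproducible document for diffing between releases.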
Excel Export
Export your component list as a spreadsheet. Useful for internal reviews, supplier communication, and teams who prefer Excel.
SPDX Export
SPDX format export coming soon for teams that need this alternative standard.
When to Use Each Format
Choose the right format based on your use case.
| Use Case | Recommended Format | Why |
|---|---|---|
| FDA premarket submission | CycloneDX | Machine-readable format required by FDA guidance |
| Customer SBOM request | CycloneDX | Industry standard, works with most SBOM tools |
| Vulnerability disclosure | CycloneDX + VEX | Includes triage status and exploitability info |
| Internal review / audit prep | Excel | Easy to review, filter, and share with non-technical stakeholders |
| Supplier communication | Excel | Universally accessible, no special tools needed |
Ready to manage your SBOMs?
Import, scan, triage, and export—all in one platform with complete traceability.