Creating a SBOM template

To create a SBOM template:

  1. Click and then select SBOM Templates.

  2. Click + Create SBOM Template.

  3. Enter a name for the SBOM template in the Name field. This is a mandatory field.

  4. Optionally, you may enter a description for the SBOM template in the Description field.

  5. Enable the Active checkbox if you want this SBOM template to appear in the list of available options when creating a SBOM report.

  6. Select a default SBOM specification from the Default SBOM Specification dropdown menu.

  7. Select the desired report output type from the Default Report Format dropdown menu.

  8. Select the desired fields to appear in the output for your SBOM template.

    Project Data:

    • Creator: Replaces default creator information with the person(s) or organization(s) that created the SBOM file.

    • Project Alias: Project Alias masks the name of your project version name in SBOM reports.

    • Subproject Components: Include subproject components in SBOM reports.

    • Creator Comments: An optional field for creators of the SBOM file to provide general comments about the creation of the SPDX file or any other relevant comment not included in the other fields.

    • SBOM Type: A field to indicate the stage of the software lifecycle where the SBOM was generated. This classification is based on guidance from CISA's SBOM Types initiative and provides better insight into the origin and intended use of the SBOM.

      Possible values:

      • Design: Represents a conceptual SBOM created during the planning phase, before code exists. Useful for architectural or procurement contexts.

      • Source: Derived from the source code and associated dependencies prior to compilation.

      • Build: Created as part of the build process, typically through automation in CI/CD pipelines.

      • Analyzed: Generated from scanning tools that inspect compiled or deployed software (e.g., binary analysis).

      • Deployed: Captures what is actually running in a given environment—may include runtime-specific packages or configurations.

      • Runtime: Indicates what the SBOM reflects components that were actively loaded, executed, or observed during the runtime operation of the software. These components may not be evident from source code or build artifacts alone but were detected through dynamic analysis or runtime monitoring tool.

      Notes:

      • If a user manually sets or overrides the SBOM Type, that value is retained in future SBOMs and will not be overwritten by subsequent scans.

      • If the SBOM Type cannot be automatically inferred based on the scan type and no value has been set by the user, the field will be exluded from the SBOM report—even if the SBOM Type field is enabled in the SBOM template.

    Component Data:

    • Originator: If the package identified in the SBOM file originated from a different person or organization than identified as Package Supplier, this field identifies from where or whom the package originally came.

    • Description: The description of the package.

    • License Comment: Include additional comments about the concluded license in SBOM reports.

    • Supplier: The organization that supplied the component that the BOM describes.

    • PURL: The package URL (PURL), or a specific location within a version control system (VCS) for the package.

    • CPE: CPE is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

    • Package Comment: General comments about the package being described.

    • Package Valid Until Date: The end of the support period for a package from the supplier.

    • Vulnerabilities: Include component vulnerabilities in SBOM reports.

    • Copyrights: The copyright text for the exported project version or its BOM component(s).

    • Homepage URL: The URL of the exported BOM project version or its project version BOM component(s).

    • Download Location: The URL or a specific location within a version control system (VCS) that the component was downloaded from.

    • Component Hash: The intrinsic identifier for a component.

    Component Exclusions:

    • Exclude components with usage of "Dev. Tool / Excluded"

    • Exclude Transitive Dependencies: Exclude transitive dependencies from SBOM reports.

    • Exclude Unconfirmed Snippet Matches: Exclude unconfirmed Snippet matches from SBOM reports.

  9. Click Save to finish creating the SBOM template.

Creating from an existing SBOM template

You can also use an existing SBOM template as a basis to create new templates:

  • Click Options of the desired SBOM template and select Create From....

  • Follow the same steps as described to create a new template above.