Version history for the Vulnerability Response SBOM Core application on the ServiceNow Store.

Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

Version history

Version 6.0.6 - May 2025
  • Fixed:
    • SBOM API upload no longer throws an "Unsupported BOM format" error; SBOM files now upload successfully without content type issues.
    • The CycloneDX parser is refactored to improve SBOM ingestion performance by reducing database transactions, implementing an LRU cache, and improving extensibility through modular parsing functions for different CycloneDX model properties.
Version 6.0.3 - February 2025
  • New:
    • Improvements to the Software Bill of Materials Workspace permit you to delete multiple BOM entity records and their related components from the Home (landing) page with bulk edit.
    • Any Application Vulnerable Items (AVITs) that are associated with the BOM entities you delete automatically transition to 'Closed'.
Version 5.0.5 - December 2024
Minor fixes for this release.
Version 5.0.4 - November 2024
  • New: SBOM parser and validation improvements for the SBOM file upload.
  • Changed: Updates to the SBOM upload modal to include the "Business application" and "Product model" attributes.
Version 4.0.4 - August 2024
  • New:
    • Improvements to support SBOM files in CycloneDX format:
      • Activate the (sn_sbom_core.collect_properties) property to import information that is generally not supported.
      • View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX.
      • SBOM parsing support is improved for the following CycloneDX versions and component types:
        • Version 1.5 - Platform, Data, Device driver, Machine Learning model.
        • Version 1.6 - Cryptographic.
      • Use GitHub Actions in your GitHub environment to determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your Now Platform instance.
Version 3.0.3 - May 2024
  • New:
    • Upload SBOM files for the CycloneDX and SPDX standards.
    • XML and JSON formats are supported for CycloneDX for versions up to and including v1.4.
    • JSON format is supported for SPDX for versions up to and including v2.3.
Version 2.1.1 - February 2024
  • New:
    • View the SBOM inventory in the SBOM Workspace.
    • Component information displayed on the application vulnerable item (AVIT) record.
    • PURL validation support.
Version 2.0.2 - November 2023
  • New:
    • Created the [sn_sbom_pkg_grp] table for the Data Model.
      • Package manager and name together form the unique key for this table.
      • Added ACLs on the table for the sn_sbom_dm.app_read role.
      • Records are created and updated by scripts, but you cannot create, write, or delete the data.
    • Added a report view ACL with the sn_sbom_dm.app_read role.
    • Added a reference to the package group table on the BOM Component table.
    • Updated the CycloneDX parser so it identifies the package group and populates its information into the [sn_sbom_pkg_grp] table. For each component of the type 'library', the parser:
      • Determines and populates the package manager, name, and base PURL in the package group table.
      • Updates the Package group reference on that component's record.
Version 1.0.8 - September 2023
  • New: Added the BOM Entities related list on the component form. You can see all the BOM entities that the component is used in on this related list.
  • Fixed: You can manually upload BOM documents as expected.
Version 1.0.5 - August 2023
Initial release: SBOM Core helps organizations maintain a searchable inventory of all the open-source components used in their environment.