How to read and act on an SBOM
SBOM · 7-min read · updated June 2026
An SBOM is only useful if you act on it. A bill of materials sitting in a repo doesn't reduce risk — turning it into a fix-first patch queue does. Here's the loop, end to end.
The five steps
1. Generate. Obtain a current SBOM in CycloneDX or SPDX. Prefer one produced from the built artifact (not just the source tree), so it reflects what actually ships, including transitive dependencies and anything resolved or vendored at build time.
2. Resolve. Match each component + version (ideally by purl) against vulnerability data (OSV, NVD). This is where a list of parts becomes a list of risks.
3. Prioritise. Sort by active exploitation (CISA KEV) and exploit probability (EPSS) first, then CVSS. A Medium that is being exploited beats a Critical that is not.
4. Remediate. For each finding, upgrade to a fixed version, apply a mitigation, or record why it does not affect you (a VEX "not affected" statement with a justification).
5. Monitor. New CVEs land against components you already shipped. Re-scan on a cadence and watch the feeds, so yesterday's clean SBOM does not quietly rot.
What a good triage order looks like
| Signal | What it tells you | Priority weight |
|---|---|---|
| CISA KEV | Being exploited in the wild right now | Highest — fix first |
| EPSS | Probability of exploitation in the next 30 days | High when ≥ ~10% |
| CVSS | Theoretical severity (0–10) | Tie-breaker |
| Reachability / VEX | Whether the vulnerable code is actually used | Can de-prioritise |
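The five steps and the triage order above, as one runnable script. This is an added example for this article, not code from the page or from any scanner. Everything it reads is constructed inline so it runs offline: the SBOM (emitted once as CycloneDX and once as SPDX, with placeholder `pkg:generic/example-*` purls), a VULN_DB table that stands in for OSV/NVD lookups plus the KEV and EPSS feeds (its `EXAMPLE-000n` identifiers are placeholders, not real advisories), and a CycloneDX-style VEX statement whose `ref` is assumed to equal the component purl. It also assumes exact-version matching, where real vulnerability data uses version ranges.

```python
"""Offline SBOM triage: parse the bill of materials, resolve components against
vulnerability data, apply VEX, emit a fix-first queue. Added example for this
article, not the page's or any vendor's code. SBOMs, advisories and the VEX
statement are constructed; a real run queries OSV/NVD per purl and pulls the
CISA KEV and EPSS feeds instead of reading VULN_DB."""
import json

# Constructed parts list with placeholder package names and versions.
PARTS = [("example-web", "2.4.0"), ("example-xml", "1.1.0"),
         ("example-crypto", "0.9.1"), ("example-log", "3.0.0")]

# Step 1: the same SBOM as CycloneDX JSON and as SPDX JSON (purl in externalRefs).
CYCLONEDX_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": n, "version": v,
                    "purl": f"pkg:generic/{n}@{v}"} for n, v in PARTS]})
SPDX_SBOM = json.dumps({"spdxVersion": "SPDX-2.3",
    "packages": [{"name": n, "versionInfo": v, "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": f"pkg:generic/{n}@{v}"}]} for n, v in PARTS]})

# Step 2 input: constructed advisories keyed by exact purl (real data matches
# version ranges). kev/epss would come from the CISA KEV list and EPSS feed.
VULN_DB = {
    "pkg:generic/example-web@2.4.0": [
        {"id": "EXAMPLE-0001", "cvss": 5.3, "epss": 0.42, "kev": True, "fixed": "2.4.1"}],
    "pkg:generic/example-xml@1.1.0": [
        {"id": "EXAMPLE-0002", "cvss": 9.8, "epss": 0.01, "kev": False, "fixed": "1.2.0"}],
    "pkg:generic/example-crypto@0.9.1": [
        {"id": "EXAMPLE-0003", "cvss": 7.5, "epss": 0.31, "kev": False, "fixed": "1.0.0"},
        {"id": "EXAMPLE-0004", "cvss": 9.1, "epss": 0.02, "kev": False, "fixed": "1.0.0"}]}

# Step 4 input: constructed CycloneDX-style VEX. `ref` is assumed to equal the
# purl (bom-ref == purl), which is common practice but not required by the spec.
VEX = {"vulnerabilities": [{"id": "EXAMPLE-0004",
    "affects": [{"ref": "pkg:generic/example-crypto@0.9.1"}],
    "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}

EPSS_HIGH = 0.10  # the article's "high when >= ~10%" threshold

def load_components(sbom_json):
    """Return {purl: (name, version)} from a CycloneDX or SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    out = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            purl = c.get("purl") or f"pkg:generic/{c['name']}@{c['version']}"
            out[purl] = (c["name"], c["version"])
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purls = [r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"]
            purl = purls[0] if purls else f"pkg:generic/{p['name']}@{p['versionInfo']}"
            out[purl] = (p["name"], p["versionInfo"])
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return out

def vex_analysis(vex, purl, vuln_id):
    """Return the VEX analysis recorded for (purl, vuln_id), or {} if none."""
    for v in vex.get("vulnerabilities", []):
        if v.get("id") == vuln_id and any(a.get("ref") == purl for a in v.get("affects", [])):
            return v.get("analysis", {})
    return {}

def priority_key(finding):
    """Step 3 order: KEV first, then EPSS descending, CVSS only as tie-breaker."""
    return (not finding["kev"], -finding["epss"], -finding["cvss"])

def triage(sbom_json, vuln_db, vex):
    """Steps 2-4. Returns (fix-first queue, findings suppressed by VEX)."""
    queue, suppressed = [], []
    for purl, (name, version) in load_components(sbom_json).items():
        for adv in vuln_db.get(purl, []):
            f = {"id": adv["id"], "purl": purl, "kev": adv["kev"],
                 "epss": adv["epss"], "cvss": adv["cvss"]}
            analysis = vex_analysis(vex, purl, adv["id"])
            if analysis.get("state") == "not_affected":
                if not analysis.get("justification"):  # never accept a bare "not affected"
                    raise ValueError(f"{adv['id']}: not_affected without justification")
                f["action"] = f"not affected ({analysis['justification']})"
                suppressed.append(f)
                continue
            f["bucket"] = "KEV" if adv["kev"] else "EPSS" if adv["epss"] >= EPSS_HIGH else "CVSS"
            f["action"] = f"upgrade {name} {version} -> {adv['fixed']}"
            queue.append(f)
    queue.sort(key=priority_key)
    return queue, suppressed

def rescan_delta(sbom_json, old_db, new_db, vex):
    """Step 5: same shipped SBOM, fresher vulnerability data; report what is new."""
    seen = {f["id"] for f in triage(sbom_json, old_db, vex)[0]}
    return [f for f in triage(sbom_json, new_db, vex)[0] if f["id"] not in seen]

if __name__ == "__main__":
    queue, suppressed = triage(CYCLONEDX_SBOM, VULN_DB, VEX)
    print([(f["bucket"], f["id"], f["action"]) for f in queue], [f["action"] for f in suppressed])
    later = {**VULN_DB, "pkg:generic/example-log@3.0.0": [  # a CVE that lands after shipping
        {"id": "EXAMPLE-0005", "cvss": 6.1, "epss": 0.05, "kev": False, "fixed": "3.0.1"}]}
    print("new since last scan:", [f["id"] for f in rescan_delta(CYCLONEDX_SBOM, VULN_DB, later, VEX)])
```

The queue comes out as EXAMPLE-0001 (CVSS 5.3, but in KEV), then EXAMPLE-0003 (EPSS 31%), then EXAMPLE-0002 (CVSS 9.8, EPSS 1%): the Medium under active exploitation outranks the Critical nobody is exploiting, which is the whole point of the table above. EXAMPLE-0004 never reaches the queue because the VEX marks it not affected, and the script refuses a "not affected" that carries no justification. Running `triage` on the SPDX document yields the same queue, since both formats resolve to the same purls.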
Frequently asked questions
What is an SBOM, in one line?
A Software Bill of Materials is a machine-readable list of every component inside a piece of software — see what is an SBOM.
CycloneDX or SPDX — which should I use?
Both are widely supported, and a good scanner reads either. CycloneDX (standardised as ECMA-424) is common for security and VEX use cases; SPDX (ISO/IEC 5962) is common for licensing and compliance. Produce whichever your build tooling emits natively and convert only when a consumer requires the other, because the two formats do not map field for field and conversion can drop detail.
Why prioritise by exploitation instead of CVSS?
CVSS rates theoretical severity. CISA KEV tells you what attackers are using right now and EPSS predicts what they are likely to use next. Fixing exploited issues first reduces real risk faster — see how to prioritise patches.
What do I do about findings that do not actually affect me?
Record them as "not affected" with a justification in a VEX, using one of the standard justification values (CycloneDX has code_not_reachable, for example; CSAF VEX has vulnerable_code_not_in_execute_path), so you and your customers stop chasing false positives — see how to write a VEX.
This guide is vendor-neutral and informational, grounded in publicly available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.