Content Requirements
What information belongs in your transparency documents
To manage cybersecurity risks effectively, standardized, machine-readable methods are required to ensure software transparency. This includes knowing what components are present, where they originate from, and whether known vulnerabilities are relevant or exploitable in the operational context.
The overarching goal of these requirements is to ensure that all submitted artifacts contain consistent, complete, and high-quality information that supports transparency, traceability, and automated validation.
This section does not redefine existing standards — instead, it focuses on how to apply them. It provides guidance on what information should be included, why certain data is important, and how this supports software transparency, risk management, and vulnerability assessment.
The following pages define the required and recommended content for three key artifacts:
- Software Bill of Materials (SBOM) — an inventory of software components in a structured, machine-readable format
- Vulnerability Exploitability eXchange (VEX) — information describing how known vulnerabilities affect delivered software
- Vulnerability Disclosure Report (VDR) — documentation of vulnerabilities discovered and addressed during development or maintenance
Background and rationale
In Sweden and across the EU, cybersecurity regulations, directives, and frameworks are placing increased demands on the software supply chain to provide transparency into the composition and security posture of delivered products.
Standards such as SBOM, VEX, and VDR enable software producers to describe composition, origin, and vulnerability status in a consistent and automation-friendly way. By applying these standards, organizations can:
- Gain full visibility into software components and their provenance (origin)
- Assess whether known vulnerabilities are relevant or exploitable in the intended environment
- Trace the trust level and history of included software
- Automate ingestion, validation, and analysis using independent tools
The formats required for these artifacts are listed in Formats and Encoding. Using standardized formats supports repeatable, scalable, and tool-agnostic software assurance across all relevant suppliers and deliveries.
Purpose and scope
This section serves as a content requirement guide for SBOM, VEX, and VDR artifacts, providing guidance both for those who develop software and produce these artifacts and for those who consume and make use of them. Its aims are to:
- Define content expectations — describes the key information that must be included in submitted SBOMs, VEX files, and VDRs. These expectations are expressed as high-level information areas (such as metadata, dependencies, and lifecycle) rather than formal field-by-field schemas.
- Support standards-based implementation — aligns the requirements with internationally accepted specifications such as CycloneDX and SPDX. Rather than reproducing or redefining these standards, the document provides guidance on how they should be applied to fulfill the content expectations.
- Provide rationale and guidance — explains why certain information is important. Where useful, examples and representative JSON snippets are included to show how requirements can be met in practice.
- Enable automated validation — supports the goal of increasing efficiency through automation by enabling validation of submitted artifacts for completeness, correctness, digital signatures, and compliance.
Important note: This site does not replicate the structure, terminology, or field definitions of CycloneDX, SPDX, or other referenced specifications. Instead, it outlines what content is expected and why. It is the supplier's responsibility to ensure conformance with both the base specification and the content requirements defined here.
All SBOM, VEX, and VDR artifacts must conform to the format and encoding constraints defined in Formats and Encoding.
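As an added illustration of the automated validation goal described above (example code, not part of this guidance or of the CycloneDX or SPDX specifications): a small Python check that ingests a constructed CycloneDX-style SBOM with an embedded VEX section and reports gaps in the content areas this section calls for (metadata, component provenance, dependency references, and vulnerability analysis status). The sample document, its component names, the placeholder vulnerability id and the exact set of required fields are assumptions for the example.

```python
import json

# Constructed sample: a CycloneDX-style SBOM with an embedded VEX section.
# Not a real product; it deliberately contains gaps the validator should report.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-05-01T00:00:00Z",
                 "component": {"bom-ref": "app", "type": "application",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "2.3.1",
         "supplier": {"name": "Example Vendor"}, "purl": "pkg:generic/lib-a@2.3.1"},
        {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "version": "0.9"},  # no supplier, no purl
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b", "lib-missing"]}],
    "vulnerabilities": [
        {"id": "CVE-0000-0000",  # placeholder id, not a real vulnerability
         "affects": [{"ref": "lib-a"}],
         "analysis": {"state": "not_affected"}},  # not_affected without a justification
    ],
})

# Assumed minimum provenance fields per component (this example's choice, not a spec rule).
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")
# Analysis states defined by CycloneDX for embedded VEX data.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}

def validate_bom(text):
    """Return a list of content findings; an empty list means the checks passed."""
    bom = json.loads(text)
    findings = []
    meta = bom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata: missing timestamp")
    if "component" not in meta:
        findings.append("metadata: missing primary component")
    refs = {meta.get("component", {}).get("bom-ref")}  # every bom-ref a dependency may point to
    for comp in bom.get("components", []):
        refs.add(comp.get("bom-ref"))
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp:
                findings.append(f"component {comp.get('name', '?')}: missing {field}")
    for dep in bom.get("dependencies", []):  # the graph must only reference known components
        for target in dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency {dep.get('ref')}: unresolved ref {target}")
    for vuln in bom.get("vulnerabilities", []):  # VEX data: every entry needs a usable status
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if state not in VALID_STATES:
            findings.append(f"vulnerability {vuln.get('id')}: missing or invalid analysis state")
        elif state == "not_affected" and "justification" not in analysis:
            findings.append(f"vulnerability {vuln.get('id')}: not_affected requires a justification")
        for aff in vuln.get("affects", []):
            if aff.get("ref") not in refs:
                findings.append(f"vulnerability {vuln.get('id')}: affects unknown ref {aff.get('ref')}")
    return findings
```

Running `validate_bom(SAMPLE_BOM)` reports the two missing provenance fields on lib-b, the dangling dependency reference, and the unjustified not_affected status; a document that passes returns an empty list.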
Intended audience
- Organizations that develop or deliver software and are responsible for producing SBOMs, VEX documents, and VDRs.
- Technical staff such as software developers, security engineers, and compliance specialists involved in generating and maintaining these artifacts.
- Personnel involved in procurement, assurance, or risk management who rely on SBOMs and related artifacts.
- Stakeholders who use the artifacts in contexts such as procurement, security evaluation, and lifecycle management.
How to use this section
- Start with SBOM Requirements to understand maturity levels and the high-level field expectations.
- Review Concepts for background on standards, terminology, and accepted formats.
- Dive into Components, Suppliers, Vulnerabilities, VEX / VDR, and Licenses for field-by-field guidance on each topic.