Core Concepts
Essential principles for effective SBOM and VEX operations
Before implementing specific workflows, understand the core concepts that underpin effective software transparency operations. These concepts apply regardless of your role, maturity level, or specific use case.
Why these concepts matter
Organizations that skip these fundamentals often encounter:
- Lifecycle confusion — regenerating SBOMs unnecessarily or failing to update VEX appropriately
- Quality issues — incomplete or inaccurate artifacts that provide false security assurance
- Security exposures — inadvertently disclosing sensitive information about proprietary software
- Sustainability problems — unsustainable manual processes that collapse under operational load
Essential concepts
SBOM and VEX Lifecycle
Understanding when to create new SBOMs versus update VEX documents is the most critical operational concept.
Key principle: SBOMs are static (tied to software releases); VEX is dynamic (tied to vulnerability discoveries and reassessments).
Why this matters: Organizations waste significant resources regenerating SBOMs for every vulnerability discovery, or fail to update VEX after releasing patches, leaving customers unaware of fixed vulnerabilities.
Trigger Events and Updates
Knowing precisely what events should trigger SBOM generation, VEX publication, or updates prevents both over-production (wasted effort) and under-production (compliance gaps).
Read Trigger Events and Updates →
Why this matters: Clear trigger definitions enable automation and ensure consistent, timely updates across your organization.
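The lifecycle principle and the trigger events above can be made concrete in code. The following Python model is an added example, not code from the original page: it keeps SBOMs immutable per release and lets only VEX statements change as a vulnerability is reported, assessed and fixed. The product name, component names and the CVE identifier are constructed placeholders, and the store itself is a toy, not any real tool's API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Status vocabulary shared by the OpenVEX and CSAF VEX profiles.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass(frozen=True)
class Sbom:
    """Static artifact: describes one release and never changes afterwards."""
    product: str
    version: str
    components: tuple      # (name, version) pairs frozen at release time
    generated_at: str


@dataclass
class VexStatement:
    """Dynamic artifact: one (release, vulnerability) pair whose status moves."""
    product: str
    version: str
    vuln_id: str
    status: str
    timestamp: str
    justification: str = ""
    history: list = field(default_factory=list)   # prior (status, timestamp) pairs


class TransparencyStore:
    """SBOMs keyed by release; VEX statements keyed by release plus vuln id."""

    def __init__(self) -> None:
        self.sboms: dict = {}
        self.vex: dict = {}
        self.events: list = []   # audit trail of which artifact each trigger produced

    def on_release(self, product, version, components):
        """Release trigger: a new version gets a new SBOM. Re-releasing an
        existing version is refused, because that SBOM describes a fixed artifact."""
        key = (product, version)
        if key in self.sboms:
            raise ValueError(f"SBOM for {product} {version} already exists; cut a new version")
        sbom = Sbom(product, version, tuple(components), _now())
        self.sboms[key] = sbom
        self.events.append(("sbom_created", product, version))
        return sbom

    def on_vulnerability(self, product, version, vuln_id, status, justification=""):
        """Vulnerability trigger (discovery, reassessment, fix confirmation):
        creates or updates a VEX statement. The release's SBOM is untouched."""
        if (product, version) not in self.sboms:
            raise KeyError(f"no SBOM for {product} {version}; VEX must reference a known release")
        if status not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        key = (product, version, vuln_id)
        stmt = self.vex.get(key)
        if stmt is None:
            stmt = VexStatement(product, version, vuln_id, status, _now(), justification)
            self.vex[key] = stmt
            self.events.append(("vex_created", product, version, vuln_id, status))
        else:
            stmt.history.append((stmt.status, stmt.timestamp))
            stmt.status, stmt.justification, stmt.timestamp = status, justification, _now()
            self.events.append(("vex_updated", product, version, vuln_id, status))
        return stmt

    def status_of(self, product, version, vuln_id):
        stmt = self.vex.get((product, version, vuln_id))
        return stmt.status if stmt else None


def walkthrough() -> TransparencyStore:
    """Constructed scenario with placeholder product, component and CVE ids."""
    store = TransparencyStore()
    store.on_release("exampleapp", "1.0.0", [("libfoo", "2.3.1"), ("libbar", "0.9.0")])
    # A report arrives against libfoo: a VEX statement is created, SBOM count stays at 1.
    store.on_vulnerability("exampleapp", "1.0.0", "CVE-0000-0001", "under_investigation")
    # Analysis concludes the product is affected: same SBOM, VEX status changes.
    store.on_vulnerability("exampleapp", "1.0.0", "CVE-0000-0001", "affected",
                           "vulnerable code path is reachable")
    # The patch ships as a new version: that is a release trigger, so a second
    # SBOM is generated, and a VEX statement for the new version records the fix.
    store.on_release("exampleapp", "1.0.1", [("libfoo", "2.3.2"), ("libbar", "0.9.0")])
    store.on_vulnerability("exampleapp", "1.0.1", "CVE-0000-0001", "fixed", "upgraded libfoo")
    return store
```

Running `walkthrough()` ends with two SBOMs (one per version) and two VEX statements for the same vulnerability: the 1.0.0 statement still says `affected`, so customers on the old release know they must upgrade, while the 1.0.1 statement says `fixed`. No vulnerability event ever regenerated an SBOM, which is the point the lifecycle section makes.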
Quality and Validation Principles
SBOMs must meet minimum quality standards to provide value. Understanding completeness thresholds, accuracy verification, and validation gates ensures artifacts are trustworthy.
Read Quality and Validation Principles →
Why this matters: Poor quality SBOMs create false confidence, exposing organizations to undisclosed vulnerabilities while believing they have visibility.
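As an added example (not code from the original page or from any SBOM tool), the validator below implements the completeness threshold and validation gate idea for a CycloneDX-style SBOM held as a Python dict. The per-component fields it checks follow the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp). The threshold values per maturity level, the sample SBOM and the component names are constructed assumptions; findings are returned in the report so that known gaps can be published rather than hidden.

```python
# Per-component fields required by the NTIA minimum elements; the accessors
# handle CycloneDX's nested supplier object and accept a CPE in place of a purl.
COMPONENT_CHECKS = {
    "name": lambda c: c.get("name"),
    "version": lambda c: c.get("version"),
    "supplier": lambda c: (c.get("supplier") or {}).get("name"),
    "purl": lambda c: c.get("purl") or c.get("cpe"),
}

# Completeness thresholds per maturity level (assumed values, not from the page):
# Level 1 only enforces structure, Level 2 also demands 90% complete components.
THRESHOLDS = {"basic": 0.0, "advanced": 0.9}


def validate_sbom(doc: dict, level: str = "basic") -> dict:
    """Return structural findings, a completeness score and a pass/fail verdict."""
    findings = []

    # Format and metadata checks: enforced at every level.
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("specVersion"):
        findings.append("format: bomFormat/specVersion missing")
    meta = doc.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata: timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: no author or generating tool recorded")

    components = doc.get("components") or []
    if not components:
        findings.append("components: none listed")

    # Per-component completeness: a component counts only if every field is present.
    complete = 0
    for comp in components:
        missing = [key for key, get in COMPONENT_CHECKS.items() if not get(comp)]
        if missing:
            findings.append(f"component {comp.get('bom-ref', '?')}: missing {', '.join(missing)}")
        else:
            complete += 1
    score = complete / len(components) if components else 0.0

    # Dependency relationships must exist and must not point at unknown refs.
    known_refs = {c.get("bom-ref") for c in components}
    known_refs.add((meta.get("component") or {}).get("bom-ref"))
    deps = doc.get("dependencies") or []
    if not deps:
        findings.append("dependencies: no relationships declared")
    for dep in deps:
        for ref in [dep.get("ref"), *dep.get("dependsOn", [])]:
            if ref not in known_refs:
                findings.append(f"dependencies: dangling reference {ref}")

    structural_ok = bool(components) and not any(
        f.startswith(("format", "metadata", "dependencies")) for f in findings)
    passed = structural_ok and score >= THRESHOLDS[level]
    return {"level": level, "score": round(score, 3), "passed": passed, "findings": findings}


# Constructed sample: two complete components and one that lacks supplier and identifier.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "tools": [{"name": "example-generator", "version": "0.1"}],
        "component": {"bom-ref": "app", "name": "exampleapp", "version": "1.0.0"},
    },
    "components": [
        {"bom-ref": "c1", "name": "libfoo", "version": "2.3.1",
         "supplier": {"name": "Foo Project"}, "purl": "pkg:generic/libfoo@2.3.1"},
        {"bom-ref": "c2", "name": "libbar", "version": "0.9.0",
         "supplier": {"name": "Bar Project"}, "purl": "pkg:generic/libbar@0.9.0"},
        {"bom-ref": "c3", "name": "libbaz", "version": "1.2.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2", "c3"]},
        {"ref": "c1", "dependsOn": ["c2"]},
    ],
}
```

With the sample, the Level 1 gate passes (the structure is sound) while the Level 2 gate fails at a score of 0.667, and the report names exactly which component is incomplete. Publishing that report next to the SBOM is the "document known gaps" practice the misconceptions section below recommends.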
Security and Access Control
Not all SBOM information should be shared equally. Understanding sensitivity levels, redaction strategies, and access control patterns protects intellectual property while enabling transparency.
Read Security and Access Control →
Why this matters: Organizations fear SBOM requirements will expose proprietary information. Proper security controls enable compliance without unacceptable IP disclosure.
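The sharing models named later on this page (full disclosure, partial disclosure, NDA-protected, internal-only) can be turned into an export step that produces a different view of the same SBOM per model. The code below is an added example, not from the original page or any SBOM tool: sensitivity is carried per component in a CycloneDX `properties` entry under an assumed key, `example:sensitivity`, and the sample document, component names and author contact are constructed. Partial disclosure collapses proprietary components to an opaque placeholder so the dependency graph stays consistent without revealing internal names, versions or identifiers.

```python
import copy
from typing import Optional

SENSITIVITY_KEY = "example:sensitivity"          # assumed property name
SHARING_MODELS = ("full", "partial", "nda", "internal")


def _sensitivity(comp: dict) -> str:
    """Read the per-component sensitivity marker; unmarked components are public."""
    for prop in comp.get("properties", []):
        if prop.get("name") == SENSITIVITY_KEY:
            return prop.get("value", "public")
    return "public"


def export_view(doc: dict, model: str) -> Optional[dict]:
    """Return a copy of the SBOM fit for the sharing model, or None when the
    model forbids external release. The original document is never modified."""
    if model not in SHARING_MODELS:
        raise ValueError(f"unknown sharing model {model!r}")
    if model == "internal":
        return None                                  # never leaves the organization
    view = copy.deepcopy(doc)
    meta = view.setdefault("metadata", {})
    if model in ("full", "nda"):
        # Both keep every component; the NDA copy is tagged so recipients
        # (and later auditors) can see which terms it was released under.
        if model == "nda":
            meta.setdefault("properties", []).append(
                {"name": "example:sharing-model", "value": "nda"})
        return view

    # Partial disclosure: strip author contact details ...
    for author in meta.get("authors", []):
        author.pop("email", None)
        author.pop("phone", None)

    # ... and replace proprietary components with an opaque node.
    redacted_refs = set()
    kept = []
    for comp in view.get("components", []):
        if _sensitivity(comp) == "proprietary":
            redacted_refs.add(comp.get("bom-ref"))
            kept.append({"bom-ref": comp.get("bom-ref"), "name": "[redacted]",
                         "type": comp.get("type", "library")})
        else:
            comp.pop("properties", None)             # internal markers stay internal
            kept.append(comp)
    view["components"] = kept

    # Edges *into* a redacted node survive (consumers learn a dependency exists);
    # the redacted node's own dependency list is dropped, since it describes
    # the internal component's internals.
    view["dependencies"] = [d for d in view.get("dependencies", [])
                            if d.get("ref") not in redacted_refs]
    # Record the gap instead of claiming the view is complete.
    meta.setdefault("properties", []).append(
        {"name": "example:redacted-components", "value": str(len(redacted_refs))})
    return view


# Constructed sample: one proprietary component between two public ones.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "Example Security Team", "email": "sbom@example.invalid"}],
        "component": {"bom-ref": "app", "name": "exampleapp", "version": "1.0.0"},
    },
    "components": [
        {"bom-ref": "c1", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:generic/libfoo@2.3.1"},
        {"bom-ref": "c2", "name": "internal-crypto-module", "version": "4.1.0",
         "purl": "pkg:generic/internal-crypto-module@4.1.0",
         "properties": [{"name": SENSITIVITY_KEY, "value": "proprietary"}]},
        {"bom-ref": "c3", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2", "c3"]},
        {"ref": "c2", "dependsOn": ["c3"]},
    ],
}
```

The design choice worth noting is that redaction happens at export time from one authoritative internal SBOM, rather than by maintaining separate documents per audience: the internal copy stays complete for your own vulnerability management, and each outbound view is derived from it and records how many components were withheld.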
How these concepts connect
These concepts form an integrated framework:
        Lifecycle Management
                ↓
          Defines when to act
                ↓
   Trigger Events  ←→  Quality Standards
         ↓                  ↓
      What to produce & validate
                ↓
          Security Controls
                ↓
          How to share safely
Common misconceptions
Misconception 1: "SBOM is just a list of components"
Reality: Effective SBOMs require metadata (timestamps, tools, lifecycle phase), relationships (dependencies), and quality validation. A component list without context provides limited value.
Misconception 2: "VEX replaces security advisories"
Reality: VEX complements advisories by providing product-specific exploitability context. Organizations still need traditional CVE advisories, but VEX adds "does this affect MY product?" clarity.
Misconception 3: "SBOM generation is a one-time task"
Reality: SBOMs require continuous maintenance aligned with software releases. Organizations need sustainable, automated processes for ongoing generation.
Misconception 4: "All SBOM information must be public"
Reality: Different sharing models exist (full disclosure, partial disclosure, NDA-protected, internal-only). Security controls enable appropriate transparency without excessive IP exposure.
Misconception 5: "Perfect SBOMs are required from day one"
Reality: Progressive improvement is expected. Start with Level 1 (Basic) requirements, improve quality over time. Document known gaps rather than claiming false completeness.
Maturity progression
These concepts apply differently at each maturity level:
Level 1 (Basic)
- Manual lifecycle management
- Ad-hoc trigger responses
- Basic quality checks (format validation)
- Simple access control (yes/no sharing decisions)
Level 2 (Advanced)
- Automated lifecycle coordination
- Policy-driven trigger automation
- Comprehensive validation pipelines
- Fine-grained access control with partial disclosure
See Maturity Levels Overview for detailed progression.
Next steps
Start with the most critical concept:
SBOM and VEX Lifecycle — understanding this prevents the most common operational mistakes.
Then explore related concepts:
- Trigger Events — know when to take action
- Quality and Validation — ensure artifacts are trustworthy
- Security and Access Control — share safely
Apply concepts to workflows:
- Producer Workflows — for SBOM/VEX generation
- Consumer Workflows — for SBOM/VEX consumption