STP
SBOM Observer/

Trigger Events and Updates

Decision trees for when to generate, update, or publish transparency artifacts

Knowing precisely when to generate SBOMs, publish VEX documents, or update existing artifacts prevents both waste (unnecessary work) and gaps (missed compliance obligations). This page provides decision trees and automation triggers for each scenario.

Decision framework

Use this decision tree to determine required actions:

EVENT OCCURS

Is this a software change?
    ├─ YES → Did components change?
    │         ├─ YES → Generate new SBOM
    │         └─ NO → Re-evaluate (may be config-only)

    └─ NO → Is this a vulnerability event?
              ├─ YES → Publish or update VEX
              └─ NO → Is this metadata correction?
                        ├─ YES → Update existing artifact
                        └─ NO → No action required

SBOM generation triggers

Mandatory SBOM generation

Generate a new SBOM when:

TriggerDescriptionExampleAutomation Level
New releaseMajor, minor, or patch version1.0.0 → 1.0.1Fully automated (CI/CD)
Dependency updateLock file changednpm update → new package-lock.jsonFully automated (CI/CD)
Component additionNew library/module includedAdd authentication libraryFully automated (CI/CD)
Component removalLibrary/module removedRemove deprecated dependencyFully automated (CI/CD)
Transitive changeIndirect dependency resolved differentlySame source, different resolved treeFully automated (CI/CD)
Build config changeCompilation flags or build tools updatedEnable/disable featuresSemi-automated (manual trigger)

Optional SBOM updates

Consider generating new SBOM when:

TriggerRationaleRecommendation
Metadata correctionFix typo in supplier nameUpdate if incorrect data is significant
EnrichmentAdd pedigree or provenance dataGenerate new version with enhanced metadata
Format migrationSwitch from SPDX to CycloneDXTreat as new artifact, retain original
Re-scanRerun tools with better detectionOnly if substantially different results

NOT SBOM generation triggers

Do NOT generate new SBOM when:

EventWhy NotCorrect Action
New vulnerability discoveredSoftware didn't changePublish/update VEX instead
VEX status updateComponents unchangedUpdate VEX only
Documentation updateCode unchangedNo SBOM/VEX action
Configuration changeRuntime config (not build-time)Update deployment docs, not SBOM

VEX publication triggers

Initial VEX publication

Publish a new VEX document when:

TriggerVEX StatusTimelineAutomation Level
CVE published affecting your componentsunder_investigationWithin 24-48 hoursAutomated (alert + draft VEX)
Private vulnerability disclosedunder_investigationImmediatelyManual (confidential)
Analysis completed (not affected)not_affectedWithin days-weeksSemi-automated (human approval)
Analysis completed (affected)affectedWithin days-weeksSemi-automated (human approval)

VEX updates

Update existing VEX when:

TriggerVEX ActionTimelineExample
Patch/fix releasedChange status to fixedAt release timev1.0.1 fixes CVE-2024-1234
Workaround identifiedAdd mitigation detailsASAPConfiguration change reduces risk
Analysis revisedUpdate justificationAs neededInitial assessment incorrect
Exploit publishedAdd urgency/severity updateWithin hoursPublic exploit code available
New affected versionExtend scopeWhen discoveredCVE also affects v2.0.0

VEX versioning triggers

Create a new VEX version (increment version number) when:

  • Analysis status changes (under_investigationaffected)
  • New information becomes available (exploit details, EPSS score)
  • Mitigation guidance changes
  • Affected version list changes

Do NOT create new VEX version for:

  • Typo corrections (minor editorial fixes)
  • Formatting changes
  • Non-substantive metadata updates

Automation decision tree

Use this decision tree to determine automation strategy:

Can this trigger be automated?

EVENT OCCURS

Is detection automated?
    ├─ YES → Proceed to automation
    └─ NO → Manual detection required

         Can detection be automated?
              ├─ YES → Implement detection automation
              └─ NO → Document manual checklist

Is response deterministic?
    ├─ YES → Fully automate action
    │         Examples: CI/CD SBOM generation, initial VEX draft

    └─ NO → Requires human judgment

         Semi-automate:
         - System detects event
         - System drafts response
         - Human reviews and approves
              Examples: VEX status determination, vulnerability impact analysis

Trigger event matrix

Comprehensive matrix of events and required actions:

Event CategorySpecific EventSBOMVEXTimelineAutomation
Software ReleaseMajor release (1.0 → 2.0)✅ NewReview existingAt releaseFull
Software ReleaseMinor release (1.0 → 1.1)✅ NewReview existingAt releaseFull
Software ReleasePatch release (1.0.0 → 1.0.1)✅ NewUpdate if fixes CVEAt releaseFull
Software ReleaseHotfix✅ NewUpdate if security fixImmediatelyFull
Software ReleaseRe-release (rebuild)✅ NewNo changeAt rebuildFull
DependenciesDependency update✅ NewReview applicabilityAt buildFull
DependenciesTransitive change✅ NewReview applicabilityAt buildFull
DependenciesLock file change✅ NewNo changeAt commitFull
VulnerabilityNew CVE publishedNo change✅ New (under_investigation)24-48 hrsSemi
VulnerabilityAnalysis completeNo change✅ Update statusDays-weeksSemi
VulnerabilityPatch developed✅ New (if released)✅ Update (fix available)At fixFull
VulnerabilityExploit publishedNo change✅ Update urgencyHoursSemi
VulnerabilityWorkaround foundNo change✅ Update mitigationASAPSemi
OperationalEOL announcementUpdate metadata✅ Update (no fixes)At announcementManual
OperationalMetadata correction✅ New version (optional)No changeAs neededManual
OperationalFormat migration✅ New formatNo changePlannedManual

Implementation patterns

Pattern 1: CI/CD integration (full automation)

Trigger: Git commit to release branch

Actions:

  1. Build pipeline starts
  2. Dependencies resolved
  3. SBOM generation tool runs
  4. SBOM validated against schema
  5. SBOM signed
  6. SBOM published to repository
  7. VEX reviewed for applicability (if dependencies changed)

Tools: GitHub Actions, GitLab CI, Jenkins + Syft/CycloneDX plugins

Pattern 2: Vulnerability monitoring (semi-automation)

Trigger: CVE published in NVD/vendor advisory

Actions:

  1. Monitoring system detects CVE
  2. System queries SBOM repository for affected products
  3. System generates draft VEX with under_investigation status
  4. Alert sent to security team
  5. Human analyzes impact
  6. Human updates VEX status with justification
  7. VEX published

Tools: Dependency-Track, vulnerability scanners + custom scripts

Pattern 3: Manual coordination (low-volume)

Trigger: Scheduled review (weekly/monthly)

Actions:

  1. Review all changes since last SBOM
  2. Determine if new SBOM needed
  3. Review all new vulnerabilities
  4. Determine VEX updates needed
  5. Batch generate/update artifacts
  6. Publish together

Suitable for: Legacy systems, low-frequency releases, resource-constrained teams

Handling edge cases

Edge case 1: Multiple releases in single day

Challenge: Don't generate SBOM for every commit during active development.

Solution:

  • Generate SBOM only for tagged releases
  • Use semantic versioning to distinguish releases from builds
  • Pre-release versions (1.0.0-alpha.1) get SBOMs, commits don't

Edge case 2: Vulnerability affecting multiple versions

Challenge: Avoid redundant VEX documents.

Solution:

  • Single VEX can reference multiple product versions
  • Use version ranges where appropriate
  • Clearly indicate which versions affected vs fixed

Edge case 3: Dependency change with same version number

Challenge: Dependency resolved to different patch version due to new release (e.g., ^1.2.0 resolves to 1.2.5 instead of 1.2.3).

Solution:

  • Always generate new SBOM when lock file changes
  • Hash-based artifact identification catches this
  • Document in SBOM metadata that lock file changed

Edge case 4: False positive vulnerability report

Challenge: Automated systems flag vulnerability that doesn't actually affect your product.

Solution:

  • Publish VEX with not_affected status
  • Include justification explaining why
  • Prevents customers from being alarmed by security scanners

Checklist for trigger implementation

Use this checklist when setting up automation:

Detection:

  • Can detect event automatically (webhook, polling, filesystem watch)
  • Can distinguish between trigger types (release vs commit, major vs minor)
  • Can access necessary context (commit messages, dependency diffs, CVE details)

Decision:

  • Clear criteria for action (when to generate SBOM, when to update VEX)
  • Documented exceptions (edge cases handled appropriately)
  • Human approval points identified (where automation defers to judgment)

Action:

  • Automated generation/update process
  • Validation before publication
  • Rollback mechanism if generation fails
  • Notifications to relevant teams

Monitoring:

  • Logging of all trigger events
  • Alerts for failed automations
  • Metrics on trigger frequency and response time
  • Audit trail for manual overrides

Next steps

Edit on GitHub

SBOM and VEX Lifecycle

Understanding when to update SBOMs versus VEX documents

Quality and Validation Principles

Ensuring SBOMs and VEX documents are complete, accurate, and trustworthy

On this page

Decision frameworkSBOM generation triggersMandatory SBOM generationOptional SBOM updatesNOT SBOM generation triggersVEX publication triggersInitial VEX publicationVEX updatesVEX versioning triggersAutomation decision treeCan this trigger be automated?Trigger event matrixImplementation patternsPattern 1: CI/CD integration (full automation)Pattern 2: Vulnerability monitoring (semi-automation)Pattern 3: Manual coordination (low-volume)Handling edge casesEdge case 1: Multiple releases in single dayEdge case 2: Vulnerability affecting multiple versionsEdge case 3: Dependency change with same version numberEdge case 4: False positive vulnerability reportChecklist for trigger implementationNext steps