Kiuwan logo

SBOM Analysis: A Complete Guide for DevSecOps Teams

SBOM-Analysis-A-Complete-Guide-for-DevSecOps-Teams-blog-image

SBOM analysis is the process of examining a Software Bill of Materials (SBOM) to identify vulnerabilities, license risks, outdated components, and compliance gaps across the software your application depends on.

Generating an SBOM tells you what is in your software. Analyzing it tells you what that inventory means for your security posture, remediation priorities, and regulatory readiness.

The urgency around SBOM analysis is increasing. CISA’s 2025 draft SBOM Minimum Elements update reflects growing expectations for SBOM completeness and usability, while the EU Cyber Resilience Act introduces vulnerability and incident reporting obligations beginning September 11, 2026, with broader product security obligations applying from December 11, 2027.

For DevSecOps teams, especially those operating in regulated or government-adjacent markets, SBOM analysis is becoming a practical requirement for managing software supply chain risk.

TL;DR

  • SBOM generation and SBOM analysis are distinct activities; generating an inventory is only useful if you analyze what it contains.
  • SBOM analysis is not the same as software composition analysis (SCA); SCA scans your codebase, while SBOM analysis evaluates any inventory, including ones from suppliers and third parties.
  • Effective SBOM analysis includes CVE cross-referencing, license conflict detection, component obsolescence, and transitive dependency risk assessment.
  • CVSS scores alone are insufficient for vulnerability prioritization. VEX documents, reachability analysis, and risk-based signals, such as the CISA Known Exploited Vulnerabilities (KEV) catalog, aka CISA KEV and EPSS, make findings actionable.
  • CISA’s 2025 minimum elements update and the EU CRA (September 2026) are making SBOM analysis a hard compliance requirement.
  • Kiuwan Insights automates continuous CVE monitoring, one-click SBOM generation, and CI/CD integration across Jenkins, GitHub, GitLab, and Azure DevOps.

SBOM generation vs. SBOM analysis

SBOM generation and analysis are often conflated, and that conflation is where most SBOM programs stall. 

Generation produces the inventory: a structured list of components, versions, licenses, and dependency relationships. Analysis is what you do with that inventory to extract security and compliance intelligence.

An SBOM that sits in a repository and gets pulled out for audit requests isn’t functioning as a security tool. 

Effective SBOM analysis examines four things that generation alone can’t answer: 

  • Which components carry known CVEs
  • Which licenses create legal or compliance conflicts
  • Which components are no longer maintained
  • Which transitive dependencies (the dependencies of your dependencies) introduce risk that direct dependency scanning misses

That last category is where a significant proportion of real-world supply chain vulnerabilities hide.

Is SBOM analysis the same as software composition analysis?

No. SBOM analysis and software composition analysis (SCA) overlap, but they answer different questions and produce different outputs.

SCA is the active scanning process. It reads your codebase, lockfiles, and binaries, identifies open-source components, and matches them against vulnerability databases in real time. SBOM analysis is what happens to a generated SBOM after the fact: parsing the inventory, cross-referencing components against CVE feeds, evaluating license obligations, and applying risk context. SCA tools typically generate the SBOM as a byproduct. SBOM analysis tools consume SBOMs from anywhere, including those produced by suppliers and third parties.

The practical difference matters when a customer or regulator hands your team an SBOM from a vendor and asks for a risk assessment. SCA can’t scan code you don’t have. SBOM analysis can read the inventory, query vulnerability databases for every listed component, and produce a defensible risk report without ever touching the source.

Mature programs use both. SCA monitors what your team builds. SBOM analysis covers everything you ship, consume from vendors, or distribute downstream.

What effective SBOM analysis examines

SBOM analysis covers more ground than a simple CVE scan. The four areas that matter most for DevSecOps teams are:

CVE cross-referencing across vulnerability databases

Every component in your SBOM has a version. Every version has a known vulnerability profile that can be cross-referenced against the NIST National Vulnerability Database, the OSV (Open Source Vulnerabilities) database, GitHub Security Advisories, and ecosystem-specific feeds for npm, PyPI, Maven, and similar registries. Relying on a single source produces gaps. NVD is widely used and authoritative, but ecosystem-specific advisories may provide package-level context earlier or in more actionable detail. OSV and vendor-curated feeds often publish ecosystem-specific advisories before NVD enrichment, such as CPE mapping, is available.

Effective SBOM analysis automates cross-referencing continuously, not just at the point of generation, so new CVEs that affect existing components surface as they’re published rather than at the next scheduled scan. 

SBOM tools that update CVE matching in real time are what separate active vulnerability management from point-in-time snapshots.

License conflict detection

Open-source components come with license obligations. GPL, LGPL, Apache, MIT, and proprietary licenses all carry different requirements for distribution, modification, and attribution. 

A component with a GPL license in a commercial product can create legal exposure that has nothing to do with security but everything to do with how your product can be distributed. SBOM analysis that includes license mapping surfaces these conflicts before they become legal issues. 

For teams working toward SBOM best practices, license governance is as important as vulnerability management.

Component obsolescence

A component that hasn’t received a security update in a few years isn’t necessarily vulnerable today, but it’s a liability in the making. 

Unmaintained components don’t get patched when new vulnerabilities are discovered. An SBOM analysis that tracks component activity and maintenance status gives teams a warning of components that need to be replaced before they become a security gap.

Transitive dependency risk

Your direct dependencies are the libraries you explicitly import. Your transitive dependencies are everything those libraries depend on.

The attack surface that transitive dependencies represent is often significantly larger than what’s visible in a direct dependency scan. 

The Log4Shell vulnerability, one of the most severe supply chain incidents in recent memory, affected applications whose developers had no idea Log4j was in their stack. Transitive dependency analysis is what makes SBOM analysis comprehensive rather than superficial.

How to analyze an SBOM step by step

A defensible SBOM analysis follows the same five-stage process, whether the inventory comes from your own build pipeline or a vendor delivering a CycloneDX file as part of procurement:

  • Parse and validate the SBOM. Confirm the file conforms to its declared format (CycloneDX or SPDX), extract the component list with package URLs (PURLs) and version identifiers, and verify the SBOM is signed if your policy requires attestation.
  • Cross-reference components against vulnerability databases. Match every PURL and CPE against NVD, OSV, GitHub Security Advisories, and ecosystem-specific feeds. Flag license obligations and obsolete components in the same pass.
  • Apply VEX and reachability context. Filter findings against VEX statements and reachability analysis to remove vulnerabilities that exist in the inventory but aren’t exploitable in your runtime path. This is the step that separates a useful triage queue from a wall of noise.
  • Prioritize using KEV and EPSS. Rank remaining findings against the CISA Known Exploited Vulnerabilities catalog and EPSS probability scores so remediation effort follows actual risk rather than CVSS severity alone.
  • Remediate and continuously monitor. Patch, replace, or document compensating controls with a VEX statement, then re-evaluate the SBOM continuously as new CVEs are published against existing components.

The first four stages run on every fresh SBOM. The fifth runs forever. Most of the security value comes from how well step five is automated, because vulnerabilities don’t respect release schedules.

Integrating SBOM analysis into CI/CD pipelines

A one-time SBOM analysis doesn’t provide ongoing protection as software dependencies change with every build. Integrating SBOM automation into the CI/CD pipeline at three key points gives you continuous visibility rather than periodic snapshots.

  • At build time, SBOM generation and initial CVE scanning should run automatically for every build. This catches new vulnerabilities introduced by dependency updates before they reach a staging environment. 
  • At post-containerization, a second scan validates that the container image (including OS-level packages and runtime dependencies added during containerization) matches the expected component inventory. 
  • At pre-deployment, a final analysis confirms that nothing in the deployment package deviates from the approved SBOM and that no new CVEs have been published against any component since the build scan ran.

That three-point integration model ensures your SBOM reflects the actual state of what’s being deployed, not what was analyzed at the start of the sprint. The discrepancy that arises when deployed software diverges from its declared SBOM is called SBOM drift, and post-containerization and pre-deployment scans exist specifically to catch it before it becomes an incident.

SBOM formats and their impact on analysis

Format choice affects what analysis is possible. The two dominant SBOM standards, CycloneDX and SPDX, have distinct strengths that matter during analysis.

CycloneDX was designed for security workflows and supports native VEX (Vulnerability Exploitability eXchange) data, which is critical for analysis. A VEX document goes beyond listing vulnerabilities by also recording whether each vulnerability is actually exploitable in the specific context of your application. 

That distinction matters enormously for prioritization: a CVE with a CVSS score of 9.8 that can’t be reached by attacker-controlled input is a lower priority than a CVE with a score of 6.5 that sits directly in an exposed code path.

SPDX is better suited to license compliance workflows, with broader tooling adoption for legal and procurement use cases. 

Most mature SBOM programs generate both formats, CycloneDX for security analysis and VEX workflows, and SPDX for license audits and supplier assessments.

Vulnerability prioritization: Beyond CVSS scores

CVSS scores measure theoretical severity in isolation. They don’t account for whether a vulnerability is reachable in your application, whether an exploit exists in the wild, or whether compensating controls already reduce the practical risk. 

Relying on CVSS alone produces prioritization queues where teams spend time patching high-scoring vulnerabilities that pose no realistic threat, while genuinely exploitable findings wait.

Risk-based SBOM analysis provides context that CVSS alone can’t. 

The CISA Known Exploited Vulnerabilities catalog identifies CVEs with confirmed exploitation in the wild, making it a practical filter for separating theoretical risk from active threat. EPSS (Exploit Prediction Scoring System) adds a probability dimension, estimating the likelihood that a given CVE will be exploited in the next 30 days. 

Together, these signals let teams build remediation queues organized around actual risk rather than raw severity scores.

Reachability analysis adds another layer of precision. Where VEX records human judgment about exploitability, reachability analysis builds a call graph that traces whether vulnerable functions are actually invoked anywhere in your code. Some industry analyses suggest that reachability filtering can significantly reduce SCA noise, often by deprioritizing a large share of findings that are unreachable in the application context. Combining VEX, reachability data, KEV, and EPSS turns SBOM analysis from a noise generator into a remediation queue short enough to act on.

Regulatory mandates shaping SBOM analysis requirements

The regulatory landscape for SBOM analysis has shifted substantially and continues to tighten. Three frameworks are driving the most immediate compliance requirements, and for most DevSecOps teams, at least one of them already applies:

FrameworkWho it affectsKey SBOM requirementTimeline
CISA 2025 SBOM Minimum ElementsOrganizations selling software to US federal agenciesSBOM completeness and analysis capability as part of procurement evaluationIn effect 2025
EU Cyber Resilience Act (CRA)Manufacturers of connected products sold in European marketsDocument all software components, monitor for vulnerabilities, and issue updates when new CVEs are discoveredReporting obligations from Sept. 11, 2026; main obligations from Dec. 11, 2027
PCI DSS 4.0.1
Organizations that store, process, or transmit payment card data

Maintain an inventory of bespoke/custom software and third-party components to support vulnerability and patch management
Required as of March 31, 2025
NIST SSDF
Organizations aligning with secure software development guidance, especially federal suppliers

Encourages secure software supply chain practices, including SBOM use for transparency and vulnerability management
Guidance/framework

The common thread across all three is that SBOM generation alone isn’t enough. SBOM analysis is what generates the evidence trail these frameworks require. 

Teams building toward secure SBOM compliance need tooling that produces compliance-ready output as a natural byproduct of the analysis process, rather than as a separate reporting step.

How Kiuwan Insights supports SBOM analysis

SBOM analysis at scale requires automation that keeps pace with development speed. Manual processes can’t maintain continuous CVE monitoring across hundreds of components and dozens of builds per week. 

Kiuwan Insights is built to handle the analysis layer automatically, integrating SBOM generation and continuous monitoring into the CI/CD workflows that DevSecOps teams already run.

Here’s what Kiuwan Insights delivers for SBOM analysis:

  • One-click SBOM generation in CycloneDX format, ready for security analysis, regulatory submissions, and procurement requests
  • Continuous CVE monitoring that cross-references your component inventory against vulnerability databases such as NIST NVD, not just at the point of SBOM export.
  • License conflict detection that maps every open-source component to its license obligations and flags conflicts before they become legal issues
  • Transitive dependency analysis that surfaces risk hidden in the dependencies of your dependencies
  • CI/CD integration options for automated scanning and SBOM export across common DevOps workflows, including Jenkins, GitHub, GitLab, and Azure DevOps.
  • Software composition analysis that goes beyond inventory to assess the actual risk profile of your open-source components
  • Compliance-ready output that supports CISA minimum elements, EU CRA documentation requirements, and PCI DSS 4.0 audit trails

For DevSecOps teams navigating tightening regulatory requirements and growing software supply chain risk, SBOM analysis is the function that turns a static inventory into active security intelligence.

Request a Kiuwan trial
to see how continuous SBOM analysis integrates with your pipeline.

In This Article:

Request Your Free Kiuwan Demo Today!

Get Your FREE Demo of Kiuwan Application Security Today!

Identify and remediate vulnerabilities with fast and efficient scanning and reporting. We are compliant with all security standards and offer tailored packages to mitigate your cyber risk within the SDLC.

Related Posts

 A Guide to Automated Vulnerability Remediation

 A Guide to Automated Vulnerability Remediation

It has become easier to detect vulnerabilities in modern development environments. SAST tools, SCA scanners, and cloud-native security platforms help organizations surface thousands of findings across their codebases. Unfortunately, detection…
Read more
SBOM Analysis A Complete Guide for DevSecOps Teams
© 2026 Kiuwan. All Rights Reserved.