SBOM Quality & VEX Readiness Checklist
An SBOM is only as valuable as it is complete, identifiable, and paired with VEX. Run this checklist before every release — not just at submission.
1. Format & Machine Readability
Reviewers and hospital tools must be able to ingest the SBOM automatically.
2. Component Depth
An SBOM that stops at top-level packages is not enough.
3. Identity & Provenance
Each component must be uniquely identifiable.
4. Vulnerability & VEX Pairing
Pair the SBOM with VEX so the world knows which CVEs actually apply.
5. Lifecycle & Distribution
An SBOM is a living artifact, not a one-time deliverable.
Frequently asked questions
Quick answers to the questions teams most often ask about this topic.
A high-quality SBOM is machine-readable (CycloneDX or SPDX), schema-valid, lists transitive dependencies and embedded OS components, identifies every component with a PURL or CPE, includes supplier and license, attaches cryptographic hashes for binary artifacts, and is digitally signed.
VEX (Vulnerability Exploitability eXchange) is a companion document that states, per CVE, whether your product is affected, not affected, fixed, or under investigation, with justifications. Without VEX, customers and regulators must assume every CVE in your SBOM applies, which generates noise and false escalations.
An SBOM should be regenerated for every released build of the firmware or software. VEX should be refreshed on a defined cadence and immediately when a new CVE materially changes the exploitability of a component.
Yes, increasingly. Health Delivery Organizations (HDOs) use SBOMs to assess procurement risk, drive MDS2 conversations, and accelerate response when industry-wide vulnerabilities (such as Log4Shell) emerge. Devices with retrievable, high-quality SBOMs clear procurement faster.
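Checklist items 2 to 4 and the first two answers above can be turned into automated pre-release gates. The following is an added example, not tooling from the original page: it walks a constructed CycloneDX-style SBOM fragment and a constructed OpenVEX-style statement list (schema keys are real, the product, components, hash value and CVE ids are made up) and reports the gaps a reviewer would send back.

```python
# Constructed CycloneDX-style SBOM: schema keys are real; product, components and hash value are made up.
SBOM = {
    "metadata": {"component": {"bom-ref": "root", "name": "example-fw", "version": "1.0"}},
    "components": [
        {"bom-ref": "c1", "name": "libalpha", "version": "2.4", "purl": "pkg:generic/libalpha@2.4",
         "supplier": {"name": "Alpha Project"}, "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"bom-ref": "c2", "name": "libbeta", "version": "0.9"},  # no PURL/CPE, supplier, license or hash
    ],
    "dependencies": [{"ref": "root", "dependsOn": ["c1"]}, {"ref": "c1", "dependsOn": ["c2"]}],
}
# Constructed OpenVEX-style statements; the CVE ids are placeholders, not real vulnerabilities.
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:generic/libalpha@2.4"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:generic/libalpha@2.4"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "pkg:generic/libgamma@7"}],
     "status": "affected"},
]}
# Item 3: every component needs a PURL/CPE identity, a supplier, a license and a hash;
# component_findings maps bom-ref -> the fields it is missing, for components that fail any check.
REQUIRED = {"identity": lambda c: "purl" in c or "cpe" in c,
            "supplier": lambda c: bool(c.get("supplier", {}).get("name")),
            "license": lambda c: bool(c.get("licenses")), "hash": lambda c: bool(c.get("hashes"))}
def component_findings(sbom):
    return {c["bom-ref"]: m for c in sbom["components"]
            if (m := [k for k, ok in REQUIRED.items() if not ok(c)])}

def dependency_depth(sbom):
    """Item 2: longest dependency chain below the root; 1 means top-level packages only."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, stack = 0, [(sbom["metadata"]["component"]["bom-ref"], 0)]
    while stack:  # depth-first walk; assumes an acyclic graph, as a valid BOM's should be
        ref, d = stack.pop()
        depth = max(depth, d)
        stack.extend((child, d + 1) for child in edges.get(ref, []))
    return depth

def vex_findings(sbom, vex):
    """Item 4: VEX statements a reviewer would bounce, as human-readable strings."""
    ids = {c[k] for c in sbom["components"] for k in ("purl", "cpe") if k in c}
    issues = []
    for s in vex["statements"]:
        cve, status = s["vulnerability"]["name"], s.get("status")
        issues += [f"{cve}: product {p['@id']} not in SBOM" for p in s["products"] if p["@id"] not in ids]
        if status == "not_affected" and not s.get("justification"):  # OpenVEX requires one
            issues.append(f"{cve}: not_affected without justification")
        if status == "affected" and not s.get("action_statement"):  # tell the customer what to do
            issues.append(f"{cve}: affected without action_statement")
    return issues
```

Note that a VEX statement can only be matched to the SBOM through the component identity, so a component that fails the identity check in item 3 also cannot be covered by VEX in item 4.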