Sonatype SBOM Manager

Sonatype SBOM Manager is a software bill of materials management platform that automates SBOM ingestion, monitoring, and compliance workflows. The platform supports CycloneDX and SPDX SBOM formats and provides continuous monitoring of first-party and third-party components for vulnerabilities, malware, and compliance gaps. The tool enables organizations to import and track SBOM inventory with full version history and traceability. It performs automated component scanning across multiple ecosystems, containers, AI models, commercial applications, hardware, and operating system components. The platform includes VEX (Vulnerability Exploitability eXchange) management capabilities for tracking vulnerability status and resolution throughout the software lifecycle. License management features include automated obligation workflows with actionable checklists for each component and license. The platform provides observed license detection across 13 ecosystems and maintains records of fulfilled open source license obligations. The solution offers policy-based compliance validations to meet organizational and regulatory standards including DORA, NIS2, PCI-DSS, CRA, SEBI, CERT-In, NZISM, and NIST SP 800-218. It includes dashboards for visualizing vulnerabilities, licenses, and policy violations across the software supply chain. AI governance capabilities allow inspection of AI components and Hugging Face models within SBOMs. The platform provides API-based automation for SBOM workflows and integrates with SDLC processes. Search functionality enables queries across vulnerabilities, AI models, licenses, and libraries for risk assessment.