Your bill of materials, audited
Method
Paste or upload a CycloneDX or SPDX SBOM. It is parsed in your browser and scored against the EU Cyber Resilience Act Annex I minimums for format and completeness. Nothing is uploaded.
Parsed entirely in your browser — nothing is uploaded. Your SBOM never leaves this machine. Scoring runs live as you type.
Upload, paste, or load the sample to see a readiness score. The CRA's Article 14 vulnerability-reporting obligations become enforceable September 11, 2026.
What is the EU Cyber Resilience Act?
The Cyber Resilience Act is an EU regulation that sets baseline cybersecurity requirements for products with digital elements sold into the EU — software and connected hardware alike. Among its obligations are vulnerability handling and reporting, and the Article 14 vulnerability-reporting duties become enforceable on 11 September 2026. Underpinning all of it is the expectation that a manufacturer can produce a complete, machine-readable Software Bill of Materials for what they ship.
What a CRA-ready SBOM needs
Two things: it must be machine-readable in a recognised format — CycloneDX or SPDX JSON — and each component must carry complete metadata: a name, a version, a supplier or author, license information, a unique identifier such as a purl or CPE, and integrity hashes. This tool runs eight checks across those expectations and reports the share of components that satisfy each one.
A worked example
Imagine a CycloneDX file that lists every dependency with names, versions, identifiers, and licenses — but no supplier and no hashes. Six of eight checks pass, so it scores 75. Add a supplier for each component and SHA-256 hashes to the build output, and the same file scores 100. The gaps list tells you exactly which fields to populate to get there.
What is the EU Cyber Resilience Act and what happens on 11 September 2026?+
The Cyber Resilience Act (CRA) is an EU regulation setting cybersecurity requirements for products with digital elements sold in the EU. Its phased obligations include vulnerability handling and reporting: the Article 14 vulnerability-reporting duties become enforceable on 11 September 2026. A complete, machine-readable SBOM is a foundational expectation behind those duties.
What must an SBOM contain to be CRA-ready?+
At minimum, a machine-readable inventory of every component with: a name, a version, a supplier or author, license information, a unique identifier (such as a purl or CPE), and integrity hashes. This tool scores each of those against the components in your file.
CycloneDX or SPDX — which should I use?+
Both are widely recognised, machine-readable SBOM formats accepted across the industry. CycloneDX is security-focused and common in CI/CD tooling; SPDX is an ISO standard often used for license compliance. The CRA does not mandate one over the other, and this tool reads either JSON format.
Does this scan my dependencies for vulnerabilities?+
No. This tool checks format and completeness only — whether your SBOM is well-formed and whether each component carries the metadata the CRA expects. It does not look up CVEs or assess whether any component is vulnerable. Use a dedicated scanner for that.
Is my SBOM file uploaded anywhere?+
No. Parsing and scoring happen entirely in your browser using JavaScript. Nothing is sent to a server, there are no network calls, and your file never leaves your machine.
What score counts as good?+
The score is the share of eight checks your SBOM passes. Field-level checks pass when at least ~90% of components carry the field. Aim for 100: any gap points to metadata you can add. A score in the 80s usually means one or two fields (often supplier or hashes) are missing across components.