SBOM evidence | 6 min read | Updated May 22, 2026

SBOM management for product teams

How product leads and engineering leads can organize software component ingestion and retention.

For product managers and engineering leads

Organize SBOM intake

Ingesting component lists needs a consistent approach. Keep CycloneDX or SPDX records cataloged by release version so vulnerability scanners can run on accurate inventories.

SBOM management checklist

Ensure your SBOM workflow covers these areas:

Automate SBOM generation in build pipelines.

Index files by product release version.

Verify schema and coordinate details.

Normalize component names.

Keep original uploads retained with source metadata.
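As an added illustration of the checklist above (not CRA Ledger's own code or data model), a small Python intake routine that checks the basic CycloneDX shape and purl coordinates, normalizes component names, and catalogs the untouched upload with its source metadata under the product release version. The sample SBOM and the in-memory catalog are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# In-memory catalog keyed by (product, release_version); a stand-in, not CRA Ledger's data model.
CATALOG = {}

def verify_cyclonedx(doc):
    """Return schema and coordinate problems found in a CycloneDX JSON document."""
    issues = []
    if doc.get("bomFormat") != "CycloneDX":
        issues.append("bomFormat is not CycloneDX")
    if not doc.get("specVersion"):
        issues.append("missing specVersion")
    for i, comp in enumerate(doc.get("components", [])):
        for field in ("name", "version"):
            if not comp.get(field):
                issues.append(f"component {i}: missing {field}")
        purl = comp.get("purl", "")
        # The purl is the coordinate a scanner matches on; check its basic shape.
        if not purl.startswith("pkg:") or "@" not in purl:
            issues.append(f"component {i}: missing or malformed purl")
    return issues

def normalize_name(name):
    """Lower-case and collapse whitespace so the same package compares equal across tools."""
    return " ".join(name.strip().lower().split())

def ingest_sbom(raw, product, version, source):
    """Verify, normalize and catalog one upload while retaining the original bytes."""
    doc = json.loads(raw)
    record = {
        "product": product,
        "release_version": version,
        "source": source,
        "received_at": datetime.now(timezone.utc).isoformat(),
        "original_sha256": hashlib.sha256(raw).hexdigest(),
        "original": raw,  # unmodified upload kept beside its source metadata
        "issues": verify_cyclonedx(doc),
        "components": [
            {"name": normalize_name(c.get("name", "")),
             "version": c.get("version", ""),
             "purl": c.get("purl", "")}
            for c in doc.get("components", [])
        ],
    }
    CATALOG[(product, version)] = record
    return record

# Constructed sample: one well-formed component and one lacking a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": " OpenSSL ", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "lodash", "version": "4.17.21"},
    ],
}).encode()
```

A record with a non-empty issues list is still retained, so the original evidence survives even when the upload needs correction before scanning.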

Product alignment

How CRA Ledger maps this into a workflow

Product-version record

Released versions are anchored with metadata.

SBOM retained

Original formats are retained with source-artifact context.

Vulnerability review tracked

CVE triage decisions document ownership.

Remediation status connected

Fix updates and SLA tracking stay visible.

Decisions & timestamps preserved

Provenance is recorded for every decision.

Readiness evidence summarized

Evidence summaries keep output context reviewable.

Notice

Operational guidance only. Confirm product scope and CRA duties with official sources and advisers.

CRA Ledger supports readiness workflows and evidence organization. It does not guarantee compliance or replace legal advice.
