What is this?
CRA-CLI is a Python command-line tool that takes the per-component SBOMs your build pipeline already produces, merges them into a single product-level SBOM, and then generates a CSAF 2.0 VEX document by running a vulnerability scan and applying your triage rules. The two output files are exactly what the CRA requires you to provide to market surveillance authorities.
Build SBOMs vs. product SBOMs
Tools like Syft or the sbom action in your CI pipeline generate a build SBOM: a snapshot of the dependencies in one component at one point in time. That is useful for developers, but it is not what the CRA asks for.
The CRA requires a product SBOM, a single document that covers every software component in a product regardless of which build produced it. Firmware, a backend service, a frontend, and any bundled libraries all need to appear together, with their shared dependencies deduplicated and their identifiers kept distinct. A build SBOM from any one of those components cannot serve that role on its own.
Why VEX is also required
An SBOM lists what is in your product. A VEX document tells authorities what you have done about each known vulnerability. The CRA treats both as mandatory evidence of conformity: the SBOM proves you have visibility, and the VEX proves you have assessed and acted.
Without a VEX, a CVE appearing in your product SBOM has no stated status. Authorities cannot tell whether you are unaware of it, investigating it, or have already determined it does not affect you. CRA-CLI generates a CSAF 2.0 VEX that captures that triage in a machine-readable format auditors can verify.
How it works
Aggregate — run cra aggregate with a config file listing your component SBOMs. The tool merges them into product.spdx.json, handling namespace isolation and deduplication automatically.
VEX — run cra vex pointing at the product SBOM. Trivy scans it, your triage rules from a Markdown table are applied, and the output is vex.csaf.json ready for submission.
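To illustrate what the aggregate step has to get right, here is an added example that is not CRA-CLI's own code: it merges two constructed SPDX build SBOMs that reuse the same SPDXIDs and both ship the same openssl, prefixes each identifier with its component name (namespace isolation), collapses the shared package to one entry, and remaps every relationship onto the product-level IDs. The purl-based deduplication key and the ID-prefixing scheme are assumptions of this example, not documented CRA-CLI behaviour.

```python
import json
# Constructed sample build SBOMs (SPDX 2.3 JSON subset), not real CRA-CLI output.
# Both components reuse the same SPDXIDs and both ship the same openssl.
def _pkg(spdx_id, name, version):
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:generic/{name}@{version}"}]}

def _rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}

def _component(app, version):
    """One build SBOM: an app package that DEPENDS_ON the shared openssl package."""
    return {"packages": [_pkg("SPDXRef-Package-app", app, version),
                         _pkg("SPDXRef-Package-ssl", "openssl", "3.0.13")],
            "relationships": [_rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app"),
                              _rel("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-ssl")]}

BUILD_SBOMS = {"firmware": _component("fw-app", "1.0"), "backend": _component("backend-api", "2.1")}

def dedup_key(pkg):
    """Identity of a package across components: its purl, else name@version (assumed rule)."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return f"{pkg['name']}@{pkg.get('versionInfo', '')}"

def merge_sboms(components, product_name="product"):
    """Merge per-component SPDX docs into one product-level SPDX doc (dict)."""
    packages, id_map, rels = {}, {}, []
    for comp, doc in components.items():
        for pkg in doc["packages"]:
            key = dedup_key(pkg)
            if key not in packages:  # first sighting defines the single product entry
                merged = dict(pkg)
                # Namespace isolation: prefix the build-local ID with the component name
                merged["SPDXID"] = f"SPDXRef-{comp}-{pkg['SPDXID'].removeprefix('SPDXRef-')}"
                packages[key] = merged
            id_map[(comp, pkg["SPDXID"])] = packages[key]["SPDXID"]  # local ID -> product ID
        id_map[(comp, "SPDXRef-DOCUMENT")] = "SPDXRef-DOCUMENT"
        for rel in doc.get("relationships", []):
            mapped = _rel(id_map[(comp, rel["spdxElementId"])], rel["relationshipType"],
                          id_map[(comp, rel["relatedSpdxElement"])])
            if mapped not in rels:  # an edge reached via two components is kept once
                rels.append(mapped)
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": product_name,
            "packages": list(packages.values()), "relationships": rels}

print(json.dumps(merge_sboms(BUILD_SBOMS), indent=2))
```

In the output, openssl appears once and both app packages DEPENDS_ON the same product-level ID, which is the property a later vulnerability scan and VEX rely on.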
Validate your product SBOM
Once you have run cra aggregate, upload the output product.spdx.json to the SBOM Visualizer to inspect component counts, dependency relationships, and metadata before submitting to auditors.
The tool is open source under the Apache-2.0 license. You can use it standalone or as the foundation for Prismor's automated compliance pipeline.
View source and documentation on GitHub
How Prismor Helps with CRA Compliance
Prismor is the only platform that combines deep regulatory expertise with automated security tooling, so your team can meet EU CRA requirements without manual overhead.
Vulnerability Fixes
Automatically detect and fix known CVEs across your entire dependency tree, no manual patching required.
SBOM & VEX Generation with Compliance Reporting
Produce CycloneDX and SPDX-compliant SBOMs and VEX documents automatically on every build, with audit-ready reports aligned to EU CRA.
Software Supply Chain Monitoring
Continuous monitoring of your software supply chain with real-time alerts on new vulnerabilities and dependency changes.