CERT-In SBOM Mapper
This project is created to help generate a Software Bill of Materials (SBOM) compliant with the CERT-In technical guidelines. The guideline mandates the following elements included in the SBOM:
- Component Name
- Component Version
- Component Description
- Hashes
- Vulnerabilities
- Criticality
- Timestamp
- Unique Identifier
- Component Origin
- Component Dependencies
- Patch Status
- Release Date
- End-of-Life Date
- Usage Restrictions
- Comments or Notes
- Component Supplier
- Executable Property
- Archive Property
- Structured Property
- External References
For detailed guidelines, refer to the official CERT-In document:
Technical Guidelines on SBOM by CERT-In
While exploring few paid and open-source tools, we found it does not fully satisfy all the minimum elements required by the CERT-In guideline. This tool serves as an addon to existing SBOM generators by adding all missing fields and enables exporting the augmented SBOM in CycloneDX and Excel formats.
- Upload tool-generated CycloneDX SBOM files
- Edit and complete missing mandatory fields as per CERT-In guidelines
- Export the updated SBOM in CycloneDX JSON and Excel formats for compliance
- Background auto-population for CERT-In properties (Patch Status, Release Date, Criticality, etc.)
- Node.js (v14 or newer recommended)
- npm package manager
- Cyclonedx file v1.5
Optional but recommended:
- Create a
.envfile at project root (see below)
- Clone this repository:
git clone https://github.com/surajkum4r/CERT-In-SBOM-Mapper - Navigate into the project directory:
cd cert-in-sbom-mapper - Install dependencies:
npm install - Start the development server:
npm start - Open http://localhost:3000 in your browser.
# Enable fetch debug (alerts/logs) while testing
REACT_APP_DEBUG_FETCH=0
# Optional GitHub token; if not set, GitHub is skipped entirely
# REACT_APP_GITHUB_TOKEN=ghp_xxx
Notes:
- GitHub is only used for enrichment (stars, forks, repo license) and as a fallback for Release Date; skipping it does not affect Patch Status/Criticality.
- Set
REACT_APP_DEBUG_FETCH=1while testing to see background fetch alerts and logs.
- Export SBOM file from any SCA tool and upload it to OWASP Dependency Track.
- Export CycloneDX SBOM file and import into CERT-In SBOM Mapper.
- Upload your tool-generated CycloneDX SBOM file.
- The app auto-populates CERT-In properties in the background (batching to avoid rate limits).
- Review and optionally edit any fields.
- Export the SBOM as JSON, CSV or Excel.
- Patch Status: via OSV (fixed versions) and registry latest version.
- Examples:
Update available (>= 2.8.9),Update available (latest 1.2.3),Up to date.
- Examples:
- Release Date: from package registries (npm/PyPI/Maven); GitHub created_at as fallback when token is set.
- Criticality: highest of:
- SBOM
vulnerabilities[].ratings[].severitymatched byaffects[].ref→ componentbom-ref - OSV CVSS score mapping
- Count-based fallback (if needed)
- SBOM
- End-of-Life Date: from
endoflife.datefor known products (nodejs, python, java). Library EOL is usually not published.
- OSV may not always return severity or fixed versions immediately for new advisories; in such cases Criticality may be Unknown and Patch Status may show
Update available (>= NA). - endoflife.date publishes product/platform EOL, not library EOL. Many Maven libraries legitimately have no EOL.
- GitHub calls are skipped if no token is set, to avoid 401/429 rate limits.
- Background fetching is batched; large SBOMs can take time to complete.
- Additional ecosystems and data sources (NuGet, Maven SCM parsing improvements)
- Support for additional SBOM formats
You can run CERT-In SBOM Mapper using Docker for easy setup and deployment.
git clone https://github.com/surajkum4r/CERT-In-SBOM-Mapper.git
cd cert-in-sbom-mapper
docker build -t cert-in-sbom-mapper .
docker run -p 3000:3000 cert-in-sbom-mapper
This will start the application and expose it on http://localhost:3000.