SBOM Analysis Service (CycloneDX)

ThunderShield analysts generate a CycloneDX 1.6 software bill of materials from your source code, match components against NVD and GitHub Advisory vulnerabilities, classify license risk, and deliver a signed Traditional-Chinese PDF report. Your source code is never retained.

SBOM Analysis Process

ThunderShield's analyst-driven process for producing a CycloneDX 1.6 SBOM with vulnerability and license-risk analysis

  1. Provide source code:Send a ZIP archive of the project, ideally with dependency lockfiles (package-lock.json, poetry.lock; packages.lock.json for .NET)
  2. SBOM generation:Analysts generate a CycloneDX 1.6 bill of materials in an isolated environment — code is never executed and no package restore is performed
  3. Vulnerability & license analysis:Components are matched against NVD and GitHub Advisory databases, and every license is classified for risk
  4. Risk scoring & reporting:A severity-weighted 0–100 risk score, the most severe CVEs, and remediation guidance are compiled into a Traditional-Chinese PDF report plus CycloneDX JSON
  5. Source deletion & re-scan:Source code is deleted immediately after the scan; post-remediation re-scans compare component and vulnerability drift

Frequently Asked Questions

What is an SBOM and why does my organization need one?

A Software Bill of Materials is a standardized inventory of every open-source and third-party component, version, and dependency in your software. With an SBOM, you can immediately assess your exposure when the next Log4Shell-class vulnerability breaks, and it is the baseline document customers and supply-chain partners increasingly require.

What do I need to provide for an SBOM analysis?

A ZIP archive of your project source code. We recommend including dependency lockfiles (package-lock.json, poetry.lock, etc.); for .NET projects, include packages.lock.json for complete resolution. Your code is never executed and no package restore is performed during analysis.

Is my source code retained after the scan?

No. Source code is held in an isolated environment only for the duration of the scan and is deleted immediately afterward, whether the scan succeeds or fails. Only the analysis results and report are kept.

What format is the SBOM delivered in, and which languages are supported?

The SBOM is delivered as standard CycloneDX 1.6 JSON, ready to share with customers or import into other security tools. Scanning covers mainstream ecosystems (JavaScript, Python, Java, Go, .NET, and more), with vulnerabilities matched against the NVD and GitHub Advisory databases.

What does the analysis report include?

The Traditional-Chinese PDF report includes a 0–100 risk score, the most severe Critical/High CVEs with CVSS scores, license-risk classification, the full component inventory, and remediation recommendations, with analyst signature fields — plus the CycloneDX JSON export. After remediation, a re-scan compares component and vulnerability drift against the previous scan.

Contact ThunderShield for a consultation · View pricing plans