CRA Article 13(5) & Annex I Part II(1)

SBOM Management Built for the CRA

The CRA requires every product with digital elements to ship with a software bill of materials in a commonly used, machine-readable format that covers at least the product's top-level dependencies. Complaro ingests CycloneDX and SPDX SBOMs, resolves every component to its package URL, and monitors those components continuously for newly published vulnerabilities.

What the CRA Requires for SBOMs

Article 13(5) — SBOM Provision

Manufacturers must identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product.

Annex I Part II(1) — Vulnerability Handling

Manufacturers must identify and document the vulnerabilities and components contained in the product, including their dependencies, by means of a software bill of materials. The SBOM must make it possible to identify known vulnerabilities in those components throughout the product lifecycle, not only at the time of release.

Source: Regulation (EU) 2024/2847

Supported SBOM Formats

CycloneDX

JSON & XML

Maintained by OWASP. Optimized for security use cases with first-class VEX support, dependency graphs, and vulnerability correlation. Recommended for CRA compliance.

  • Component name, version, purl, CPE
  • Dependency graph relationships
  • VEX statements
  • License information


SPDX

JSON & Tag-Value

Maintained by the Linux Foundation and standardized as ISO/IEC 5962:2021. Broader in scope than a pure security BOM: it covers licensing, provenance, and supply-chain metadata as well as the package list.

  • Package name, version, download location
  • External references (purls)
  • License expressions
  • File-level analysis

From Upload to Continuous Monitoring

1

Upload & Parse

Upload your CycloneDX or SPDX file. Complaro extracts every component: name, version, package URL, ecosystem, license, and type. Supports JSON, XML, and SPDX tag-value formats.

2

Component Analysis

Each component is resolved to its canonical package URL (purl) so that matching is exact rather than by name. The purl type identifies the ecosystem (npm, PyPI, Maven, Cargo, Go), and the ecosystem determines which version-comparison algorithm applies: semver for JavaScript, PEP 440 for Python. Comparing versions as plain strings gets this wrong in both directions: "1.10.0" sorts before "1.9.0", and the pre-release "2.0.0rc1" sorts after "2.0.0".

3

Vulnerability Matching

Components are continuously matched against OSV.dev (primary source, with ecosystem-aware affected-version ranges), GitHub Security Advisories (fallback), and the CISA Known Exploited Vulnerabilities catalogue (to flag what is actively exploited). Ecosystem-aware version comparison avoids the false positives that name- and keyword-based matching against the NVD is known for.

4

Readiness Scoring

Your CRA readiness score is calculated across five dimensions: SBOM quality, vulnerability exposure, security practices, documentation, and incident readiness. Track your score over time and across products.

5

Alert & Report

When a newly published vulnerability affects one of your components, and especially when it appears in the CISA KEV catalogue, you are alerted immediately. The Article 14 notifications to ENISA are pre-filled automatically from the affected component and advisory data.
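The pipeline of steps 1 to 3 above (parse, resolve to purl, match with ecosystem-aware version comparison), applied to the CycloneDX and SPDX fields listed under Supported SBOM Formats, as an added example in Python. This is not Complaro's or cra-scanner's code. It assumes OSV's JSON shape for advisories (affected[].package.ecosystem and .name, ranges[] of type ECOSYSTEM with introduced/fixed events), handles JSON SBOMs only (not XML or tag-value), and uses a local set of CVE IDs as a stand-in for the KEV catalogue. Every SBOM, package name, version, advisory ID, and the CVE alias in it are constructed for the demo and refer to no real software or vulnerability. The PEP 440 support is deliberately a subset (release, a/b/rc pre-release, .postN); a production matcher would use the packaging library.

```python
# Added example (not Complaro's or cra-scanner's code): parse CycloneDX/SPDX JSON SBOMs,
# normalise components to package URLs and match them against OSV-style advisories with
# ecosystem-aware version comparison. All sample data below is constructed; none of it is real.
import json
import re
from urllib.parse import unquote

# purl type -> (OSV ecosystem name, version scheme used for comparison)
ECOSYSTEMS = {"npm": ("npm", "semver"), "pypi": ("PyPI", "pep440"),
              "cargo": ("crates.io", "semver"), "golang": ("Go", "semver")}
SCHEME = {eco: scheme for eco, scheme in ECOSYSTEMS.values()}

def normalise_name(eco, name):
    """PyPI names are case-insensitive; runs of '-', '_' and '.' are equivalent (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower() if eco == "PyPI" else name

def parse_purl(purl):
    """pkg:type/[namespace/]name@version[?qualifiers][#subpath] -> (ecosystem, name, version)."""
    m = re.fullmatch(r"pkg:([a-z]+)/([^@?#]+)@([^?#]+)(?:\?[^#]*)?(?:#.*)?", purl)
    if not m or m.group(1) not in ECOSYSTEMS:
        raise ValueError(f"unsupported purl: {purl}")
    eco = ECOSYSTEMS[m.group(1)][0]
    return eco, normalise_name(eco, unquote(m.group(2))), unquote(m.group(3))

def parse_sbom(text):
    """Extract (ecosystem, name, version) for every component that carries a purl."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        purls = [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    elif "spdxVersion" in doc:  # SPDX carries the purl as an external reference
        purls = [r["referenceLocator"] for p in doc.get("packages", [])
                 for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return [parse_purl(p) for p in purls]

def semver_key(v):
    """Semver 2.0 ordering: numeric core, pre-release < release, build metadata ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?", v)
    if not m:
        raise ValueError(f"not a semver version: {v}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (1, ())  # a release outranks every pre-release of the same core
    return core + (0, tuple((0, int(i)) if i.isdigit() else (1, i) for i in m.group(4).split(".")))

def pep440_key(v):
    """PEP 440 ordering for the common subset: release, a/b/rc pre-release, .postN.
    Epochs, .devN and local version labels are out of scope for this demo."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.post(\d+))?", v.lower())
    if not m:
        raise ValueError(f"not a PEP 440 version (subset): {v}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 1.0 == 1.0.0
        release.pop()
    pre = {"a": 0, "b": 1, "rc": 2}.get(m.group(2), 3)  # final release sorts last
    return tuple(release), pre, int(m.group(3) or 0), int(m.group(4) or 0)

def is_affected(scheme, version, affected):
    """OSV semantics: vulnerable if the version falls in [introduced, fixed) of any ECOSYSTEM range."""
    key = semver_key if scheme == "semver" else pep440_key
    vk = key(version)
    for rng in (r for r in affected.get("ranges", []) if r.get("type") == "ECOSYSTEM"):
        lo = None
        for ev in rng["events"]:
            if "introduced" in ev:
                lo = ev["introduced"]
            elif "fixed" in ev:
                if (lo in (None, "0") or key(lo) <= vk) and vk < key(ev["fixed"]):
                    return True
                lo = None
        if lo is not None and (lo == "0" or key(lo) <= vk):
            return True  # introduced with no fix event yet: still affected
    return False

def scan(sboms, advisories, kev_cves):
    """One finding per (component, advisory) match; kev is set when an alias is in the catalogue."""
    findings = []
    for sbom in sboms:
        for eco, name, version in parse_sbom(sbom):
            for adv in advisories:
                for aff in adv["affected"]:
                    pkg = aff["package"]
                    if (pkg["ecosystem"] == eco and normalise_name(eco, pkg["name"]) == name
                            and is_affected(SCHEME[eco], version, aff)):
                        findings.append({"component": f"{eco}/{name}@{version}", "advisory": adv["id"],
                                         "kev": bool(set(adv.get("aliases", [])) & kev_cves)})
    return findings

# Constructed sample inputs: fictitious packages, advisory IDs, CVE alias and KEV entry.
CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "acme-parser", "version": "1.10.0", "purl": "pkg:npm/acme-parser@1.10.0"}]})
SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [{"name": "Acme_Web", "versionInfo": "2.0.0rc1",
    "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:pypi/Acme_Web@2.0.0rc1"}]}]})
ADVISORIES = [  # OSV-shaped records: the npm one is fixed in 1.9.0, so 1.10.0 is NOT affected
    {"id": "EXAMPLE-2024-0001", "affected": [{"package": {"ecosystem": "npm", "name": "acme-parser"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.9.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "aliases": ["CVE-2099-0002"], "affected": [{"package": {"ecosystem": "PyPI",
     "name": "acme-web"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.5"}, {"fixed": "2.0.0"}]}]}]}]
KEV = {"CVE-2099-0002"}  # stand-in for the CISA KEV catalogue

if __name__ == "__main__":
    print(scan([CYCLONEDX, SPDX], ADVISORIES, KEV))
```

Running it yields a single finding: the PyPI package at 2.0.0rc1 against EXAMPLE-2024-0002, flagged as KEV because its constructed CVE alias is in the stand-in catalogue. The npm package at 1.10.0 is correctly left alone even though its advisory's fix version is "1.9.0", which a string comparison would have reported as newer; the PyPI pre-release is correctly caught even though "2.0.0rc1" sorts after "2.0.0" as a string. Note also that "Acme_Web" in the SPDX document only matches the advisory's "acme-web" because of the PEP 503 name normalisation; without it the match is silently missed.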

Works with cra-scanner

Use our open source CLI tool to discover SBOMs in your repository, scan for vulnerabilities, and get a CRA readiness score — all from the command line.

# Install
$ pip install cra-scanner
# Scan a project
$ cra-scanner scan .
# Output
CRA Readiness Score: 72/100
SBOM: 35/40 | Vulnerabilities: 22/30 | Practices: 15/30
2 high severity vulnerabilities found
1 actively exploited (CISA KEV)

Upload Your First SBOM

Free for one product. No credit card required. See your CRA readiness score in seconds.