Software Bill of Materials (SBOM)

Nextedy maintains a complete inventory of all third-party components included in its apps. The SBOM is available in two industry-standard formats:
Format     | Standard               | Use Case
-----------|------------------------|-------------------------------------------------------------
CycloneDX  | OWASP CycloneDX        | Preferred for vulnerability management and security tooling
SPDX       | Linux Foundation SPDX  | Preferred for license compliance and regulatory submissions
The current SBOM tracks 52 third-party components, including open-source libraries, OSGi framework dependencies, and utility packages.

Continuous Vulnerability Scanning

All third-party dependencies are continuously monitored using Snyk. The scanning process:
  1. Automated scanning — Every build triggers a dependency scan against the Snyk vulnerability database.
  2. Alert routing — New vulnerabilities are flagged immediately and routed to the security team.
  3. Triage — Each finding is assessed for exploitability in the context of the Polarion app environment.
  4. Remediation — Critical and high findings are patched according to the incident management SLAs. Lower-severity findings are addressed in the next scheduled release.
Current status: 0 high or critical vulnerabilities across all tracked dependencies.

FOSS and COTS Reporting

For each third-party component, Nextedy tracks:
  • Component name and version
  • License type (e.g., Apache 2.0, MIT, EPL)
  • Known vulnerabilities (from Snyk and NVD databases)
  • Usage context (what the component is used for in the app)
This information supports customer procurement processes and regulatory submissions where a full software composition analysis is required.

Release Security Gate

Every Nextedy release passes through a security gate before publication:
  1. SAST scan — SonarQube analysis must show 0 critical findings.
  2. Dependency scan — Snyk scan must show 0 high or critical vulnerabilities.
  3. SBOM generation — Updated CycloneDX and SPDX documents are produced.
  4. Review — The security team signs off on the scan results and SBOM accuracy.
A release is blocked if any critical or high security finding remains unresolved.
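The component report described under FOSS and COTS Reporting and the dependency-scan step of the release gate can both be driven from a CycloneDX document, since CycloneDX carries licenses per component and (from spec 1.4 onward) a vulnerabilities array with severity ratings. The following is an added example, not Nextedy's own tooling, and it does not call Snyk or SonarQube: it reads a constructed CycloneDX 1.5 JSON document with placeholder component names and vulnerability ids, produces a per-component name/version/license/vulnerability table, and applies the page's gate rule of blocking on any high or critical finding. The list of components with no license entry is reported for the compliance review but, matching the page's stated rule, does not by itself block the release.

```python
"""Release-gate and FOSS/COTS report over a CycloneDX SBOM (added example, not Nextedy's tooling)."""
import json
from collections import Counter

# Constructed sample SBOM in CycloneDX 1.5 JSON shape. Component names, purls
# and vulnerability ids are placeholders, not real packages or real findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/example/lib-a@1.2.0",
         "name": "lib-a", "version": "1.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/example/lib-b@3.0.1",
         "name": "lib-b", "version": "3.0.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        # No license entry at all: must surface in the compliance report.
        {"type": "library", "bom-ref": "pkg:maven/example/lib-c@0.9.0",
         "name": "lib-c", "version": "0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",
         # Several ratings from different sources; the worst one counts.
         "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:maven/example/lib-b@3.0.1"}]},
        {"id": "EXAMPLE-VULN-0002",
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:maven/example/lib-c@0.9.0"}]},
    ],
})

# Page rule: a release is blocked on any unresolved critical or high finding.
BLOCKING = {"critical", "high"}
# CycloneDX severity vocabulary, most to least severe.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def worst_severity(vuln):
    """Return the most severe rating attached to a vulnerability entry."""
    seen = {r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])}
    for sev in SEVERITY_ORDER:
        if sev in seen:
            return sev
    return "unknown"


def component_licenses(component):
    """Collect SPDX ids, free-text names, or license expressions for a component."""
    found = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:
            found.append(entry["expression"])
    return found or ["UNKNOWN"]


def component_report(sbom):
    """Per-component rows (name, version, licenses, vulnerabilities): the FOSS/COTS view."""
    vulns_by_ref = {}
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            vulns_by_ref.setdefault(affected["ref"], []).append(
                (vuln["id"], worst_severity(vuln)))
    return [{
        "name": comp["name"],
        "version": comp.get("version", ""),
        "licenses": component_licenses(comp),
        "vulnerabilities": vulns_by_ref.get(comp.get("bom-ref"), []),
    } for comp in sbom.get("components", [])]


def gate(sbom_json):
    """Apply the dependency-scan gate to a CycloneDX JSON string and summarise the result."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    vulns = sbom.get("vulnerabilities", [])
    counts = Counter(worst_severity(v) for v in vulns)
    blocking = [v["id"] for v in vulns if worst_severity(v) in BLOCKING]
    rows = component_report(sbom)
    unlicensed = [r["name"] for r in rows if r["licenses"] == ["UNKNOWN"]]
    return {
        "components": len(rows),
        "severity_counts": dict(counts),
        "blocking": blocking,          # ids that stop the release
        "unlicensed": unlicensed,      # informational: needs license review
        "passed": not blocking,
    }


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_SBOM), indent=2))
```

Because the sample document carries one high-rated finding, `gate(SAMPLE_SBOM)["passed"]` is false and the release would be held; taking the worst of several ratings rather than the first is deliberate, since a medium rating listed ahead of a high one would otherwise let the finding through the gate.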

Relevance for Regulated Industries

Supply chain transparency is a regulatory requirement in several industries where Nextedy Apps are deployed:
  • Automotive — ISO/SAE 21434 requires cybersecurity management of third-party software components. UNECE WP.29 R155 mandates supply chain risk management.
  • Aerospace — DO-178C and DO-330 require identification and verification of COTS and reusable software components.
  • Medical devices — IEC 62304 requires documentation of SOUP (Software of Unknown Provenance) components with risk assessment.
Nextedy’s SBOM and continuous scanning process provide the evidence needed to satisfy these requirements.
SBOM documents in CycloneDX and SPDX formats are available on request. Contact security-alerts@nextedy.com to obtain the latest SBOM for your Nextedy product version.