> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nextedy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Supply Chain Security

> Software Bill of Materials, third-party component management, and vulnerability scanning for Nextedy products.

export const LastReviewed = ({date}) => {
  if (!date) return null;
  const formatted = new Date(`${date}T00:00:00Z`).toLocaleDateString("en-US", {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone: "UTC"
  });
  return <p className="mt-10 text-sm text-gray-400 dark:text-zinc-500 not-prose">
      Last reviewed on {formatted}
    </p>;
};

## Software Bill of Materials (SBOM)

Nextedy maintains a complete inventory of all third-party components included in its products. The SBOM is available in two industry-standard formats:

| Format        | Standard              | Use Case                                                    |
| ------------- | --------------------- | ----------------------------------------------------------- |
| **CycloneDX** | OWASP CycloneDX       | Preferred for vulnerability management and security tooling |
| **SPDX**      | Linux Foundation SPDX | Preferred for license compliance and regulatory submissions |

The current SBOM tracks **52 third-party components**, including open-source libraries, OSGi framework dependencies, and utility packages.

## Continuous Vulnerability Scanning

All third-party dependencies are continuously monitored using Snyk. The scanning process:

1. **Automated scanning** — Every build triggers a dependency scan against the Snyk vulnerability database.
2. **Alert routing** — New vulnerabilities are flagged immediately and routed to the security team.
3. **Triage** — Each finding is assessed for exploitability in the context of the Polarion product environment.
4. **Remediation** — Critical and high findings are patched according to the [incident management SLAs](/overview/security-and-privacy/incident-management). Lower-severity findings are addressed in the next scheduled release.

**Current status:** 0 high or critical vulnerabilities across all tracked dependencies.

## FOSS and COTS Reporting

For each third-party component, Nextedy tracks:

* **Component name and version**
* **License type** (e.g., Apache 2.0, MIT, EPL)
* **Known vulnerabilities** (from Snyk and NVD databases)
* **Usage context** (what the component is used for in the product)

This information supports customer procurement processes and regulatory submissions where a full software composition analysis is required.

## Release Security Gate

Every Nextedy release passes through a security gate before publication:

1. **SAST scan** — SonarQube analysis must show 0 critical findings.
2. **Dependency scan** — Snyk scan must show 0 high or critical vulnerabilities.
3. **SBOM generation** — Updated CycloneDX and SPDX documents are produced.
4. **Review** — The security team signs off on the scan results and SBOM accuracy.

A release is blocked if any critical or high security finding remains unresolved.

## Relevance for Regulated Industries

Supply chain transparency is a regulatory requirement in several industries where Nextedy products are deployed:

* **Automotive** — ISO/SAE 21434 requires cybersecurity management of third-party software components. UNECE WP.29 R155 mandates supply chain risk management.
* **Aerospace** — DO-178C and DO-330 require identification and verification of COTS and reusable software components.
* **Medical devices** — IEC 62304 requires documentation of SOUP (Software of Unknown Provenance) components with risk assessment.

Nextedy's SBOM and continuous scanning process provide the evidence needed to satisfy these requirements.

<Info>
  SBOM documents in CycloneDX and SPDX formats are available on request. Contact [security-alerts@nextedy.com](mailto:security-alerts@nextedy.com) to obtain the latest SBOM for your Nextedy product version.
</Info>

<LastReviewed date="2026-07-08" />
