SBOM Management#
FutureVuls provides the following SBOM features.
- Import SBOM files
- Vulnerability detection using imported SBOM files (Import Specifications)
- Export scan results in SBOM format
FutureVuls offers two methods for managing SBOMs: "Server SBOM" and "Application SBOM". The registration procedures and vulnerability scanning specifications differ for each, so please refer to "this page" for details on their differences.
Supported Environments#
The following shows the SBOM requirements supported by FutureVuls as of the end of May 2026.
Standard Specifications#
| Format | Supported Versions | Supported Formats |
|---|---|---|
| CycloneDX | v1.4 / v1.5 / v1.6 | JSON / XML |
| SPDX | v2.2 / v2.3 | JSON / tag:value / RDF |
Notes on Using the SPDX RDF Format
The SPDX RDF format is only partially supported, and files containing certain license information or custom properties may not be imported correctly.
When using the SPDX format, we recommend outputting in JSON format whenever possible.
SPDX v3 Support
Support for importing SBOMs written in the SPDX v3 specification is under consideration.
Generation Tools#
Any SBOM that conforms to the CycloneDX / SPDX standard specifications can be imported into FutureVuls.
In particular, FutureVuls performs its own analysis of SBOMs generated by the following tools, so you can import configuration information with guaranteed accuracy.
For SBOMs generated by tools other than these, the tool name is identified as Unknown, and the SBOM is parsed according to the standard specification.
| Officially Supported Tools | CycloneDX | SPDX |
|---|---|---|
| Vuls / FutureVuls | ✓ | ✓ |
| Trivy | ✓ | ✓ |
| Syft | ✓ | ✓ |
| Amazon Inspector | ✓ | ✓ |
| SBOM Tool | — | ✓ |
| CycloneDX Generator (cdxgen) | ✓ | — |
| cyclonedx-gradle-plugin | ✓ | — |
| FossID | ✓ | ✓ |
| BlackDuck (SCA feature) | ✓ | ✓ |
About Unsupported Tools
Starting with the May 2026 release, any SBOM that follows the standard specification can be imported into FutureVuls for vulnerability management.
If you would like a new SBOM generation tool to be officially supported—for example, "the information is not being imported correctly, and I want it imported with better accuracy"—please send us a feature request via Zendesk.
Usage Examples#
Scan results from imported SBOMs can also be utilized in the following features, which are shared with other scanning methods.
- Library EOL management: Software Details > EOL / Cross-Group Set Library EOL Search
- OSS license management: Display OSS Licenses / Cross-Group Set GPL-family OSS License Search
- Malicious package investigation: Software Details > Malicious Packages / Cross-Group Set Malicious Package Search
- Ransomware exploitation check: Feature to check if vulnerabilities are being used in ransomware
Conclusion#
FutureVuls continuously enhances its SBOM-related features based on legal regulations and user needs. Please send us your requests via Zendesk.