SBOM Diff & VEX Drafter

Paste your previous and current SBOMs. Get the component delta, KEV-relevant hot-spots, and a CycloneDX VEX stub ready for the not-affected dispositions reviewers expect.

Paste two SBOMs → component delta + VEX stub

• Supports SPDX tag-value, SPDX JSON, and CycloneDX JSON inputs (mixed is fine).
• Flags components historically associated with KEV-listed vulnerabilities so triage starts in the right place.
• Generates a CycloneDX 1.5 VEX stub with not-affected dispositions you can edit and publish alongside your release.
• Designed for release-over-release SBOM hygiene the FDA expects under §524B postmarket maintenance.

What teams usually get wrong

• Myth: A new SBOM each release is enough.

  Reality: Reviewers and customers care about deltas. Why did this component appear, why did this version bump, and what's the VEX disposition for newly surfaced CVEs?

• Myth: VEX is a one-time document.

  Reality: VEX evolves with each release. The expectation is a VEX stream - not a static file.

• Myth: If a component isn't on KEV it doesn't matter.

  Reality: KEV is a floor, not a ceiling. EPSS, vendor advisories, and your own threat-model context all feed the disposition.

Primary sources behind this tool

1. CycloneDX VEX specification - OWASP CycloneDX
2. CISA Known Exploited Vulnerabilities (KEV) - CISA
3. FIRST EPSS - FIRST
4. FDA Cybersecurity in Medical Devices - SBOM expectations - FDA

Where to take this next.