SBOM & vulnerabilities
A software bill of materials (SBOM) lists the components inside an artifact. The CRA expects you to keep one; Meshanics lets you attach it per artifact and then uses it to answer the question that actually matters when a new CVE lands — which of my artifacts, and therefore which of my devices, contain the affected component?
Attaching an SBOM
Each artifact can carry its own SBOM in either of the two common formats, CycloneDX or SPDX. The platform detects the format from the document itself, so you upload the file your build already produces — no conversion step.
You can attach an SBOM when you publish an artifact, or add or replace one later in the artifact's lifecycle. Coverage is tracked as a ratio: the fraction of published artifacts that carry an SBOM. A later attach flips an artifact from uncovered to covered, and the audit log stays the source of truth for when that happened. Zero coverage is reported as a gap, not as a clean result: with no SBOMs attached the vulnerability watch has nothing to check, so an empty findings list proves nothing.
The platform reads the component list out of the SBOM; it never opens or inspects the artifact payload itself. Only that metadata is used.
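How format detection and component extraction can work, as an added example written for this page rather than Meshanics' own code. It handles the JSON encodings of CycloneDX and SPDX only (both formats also have XML or tag-value encodings), sniffs the format from the document's top-level keys, flattens nested CycloneDX components, and takes the ecosystem from each package URL. The two sample documents are constructed for the example and describe the same three components.

```python
import json

# Constructed sample SBOMs (not real build output): the same three components
# described once as CycloneDX 1.5 JSON and once as SPDX 2.3 JSON.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "application", "name": "agent", "version": "3.2.0",
         "components": [  # nested component, which CycloneDX allows
             {"type": "library", "name": "requests", "version": "2.25.1",
              "purl": "pkg:pypi/requests@2.25.1"},
         ]},
    ],
})

SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "gateway-fw-3.2.0",
    "packages": [
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/zlib@1.2.11"}]},
        {"SPDXID": "SPDXRef-agent", "name": "agent", "versionInfo": "3.2.0"},
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.25.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
    ],
})


def detect_format(text):
    """Identify the SBOM format from the document's own top-level keys.

    Returns "cyclonedx" or "spdx". Raises ValueError for anything else, so an
    unrecognised upload is rejected instead of being treated as an empty SBOM.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("SBOM is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("SBOM must be a JSON object")
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognised SBOM format; expected CycloneDX or SPDX JSON")


def _ecosystem(purl):
    """Take the ecosystem from a package URL: pkg:TYPE/... -> TYPE."""
    if not isinstance(purl, str) or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0] or None


def _walk_cyclonedx(components):
    """CycloneDX components may nest; yield every one, depth first."""
    for comp in components:
        yield comp
        yield from _walk_cyclonedx(comp.get("components", []))


def extract_components(text):
    """Return the flat component list a vulnerability scan needs: one dict per
    component with name, version, purl and ecosystem, in document order."""
    fmt = detect_format(text)
    doc = json.loads(text)
    found = []
    if fmt == "cyclonedx":
        for comp in _walk_cyclonedx(doc.get("components", [])):
            purl = comp.get("purl")
            found.append({"name": comp.get("name"), "version": comp.get("version"),
                          "purl": purl, "ecosystem": _ecosystem(purl)})
    else:
        for pkg in doc.get("packages", []):
            purl = next((ref.get("referenceLocator")
                         for ref in pkg.get("externalRefs", [])
                         if ref.get("referenceType") == "purl"), None)
            found.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                          "purl": purl, "ecosystem": _ecosystem(purl)})
    # A component with no name cannot be matched against anything; drop it here
    # rather than let it produce a meaningless finding later.
    return [c for c in found if c["name"]]
```

Both documents yield the same list, with `agent` carrying no ecosystem because it has no purl; a scan can only match such a component by bare name, which is worth flagging in the SBOM rather than papering over.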
The vulnerability watch
A background scan runs across the SBOMs you have attached. It extracts each component and queries a public vulnerability database for known issues, then records a finding for every match. The scan runs on an interval and can also be triggered on demand. It is read-only with respect to your fleet: it changes nothing on devices, it only reports.
Each finding records the affected artifact and version, the component and its version, the ecosystem, the vulnerability identifier, a summary, and a severity.
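A scan of the kind described, as an added example and not the platform's scanner. A constructed local vulnerability database stands in for the public one (its identifiers, packages, ranges and summaries are made up for the example); the match is on ecosystem plus normalised name and an introduced-inclusive, fixed-exclusive version range. The raw `score` is carried through untouched; banding it into a severity is a separate step.

```python
import re

# Constructed local vulnerability database standing in for the public one the
# scan queries. Every entry is invented for this example.
VULN_DB = [
    {"id": "DEMO-2024-0001", "ecosystem": "pypi", "name": "acme-parser",
     "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "Unbounded recursion on crafted input", "score": 7.5},
    {"id": "DEMO-2024-0002", "ecosystem": "pypi", "name": "acme-parser",
     "introduced": "1.4.0", "fixed": "1.4.1",
     "summary": "Path traversal in include handling", "score": 9.8},
    {"id": "DEMO-2024-0003", "ecosystem": "generic", "name": "libcompress",
     "introduced": "0", "fixed": None,  # no fixed version published yet
     "summary": "Heap overflow in stream decoder", "score": None},  # unrated
]

# Constructed artifacts with the components already extracted from their SBOMs.
ARTIFACTS = [
    {"artifact": "gateway-fw", "version": "3.2.0", "components": [
        {"ecosystem": "pypi", "name": "Acme_Parser", "version": "1.4.1"},
        {"ecosystem": "generic", "name": "libcompress", "version": "2.0"},
    ]},
    {"artifact": "sensor-fw", "version": "1.0.5", "components": [
        {"ecosystem": "pypi", "name": "acme-parser", "version": "1.4.2"},
        {"ecosystem": "npm", "name": "left-thing", "version": "1.0.0-beta"},
    ]},
]


def normalise_name(ecosystem, name):
    """Ecosystem-specific name normalisation. PyPI names are case-insensitive
    and treat '-', '_' and '.' alike, so 'Acme_Parser' must match 'acme-parser'."""
    if ecosystem == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def parse_version(v):
    """Dotted numeric version -> tuple of ints, or None when it cannot be
    compared this way (pre-release tags, epochs, vendor suffixes)."""
    parts = []
    for p in str(v).split("."):
        if not p.isdigit():
            return None
        parts.append(int(p))
    return tuple(parts)


def _cmp(a, b):
    """Compare version tuples with zero padding, so 1.4 == 1.4.0."""
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, introduced, fixed):
    """introduced <= version < fixed; an absent fixed version means still open."""
    if _cmp(version, parse_version(introduced)) < 0:
        return False
    return fixed is None or _cmp(version, parse_version(fixed)) < 0


def scan(artifacts, vuln_db):
    """Match every component of every artifact against the database.

    Returns (findings, skipped): findings in the shape the console records,
    plus the components whose version could not be compared. Those are
    returned rather than dropped, so they do not vanish into a false clean."""
    findings, skipped = [], []
    for art in artifacts:
        for comp in art["components"]:
            ver = parse_version(comp["version"])
            if ver is None:
                skipped.append((art["artifact"], comp["name"], comp["version"]))
                continue
            key = (comp["ecosystem"], normalise_name(comp["ecosystem"], comp["name"]))
            for vuln in vuln_db:
                vkey = (vuln["ecosystem"], normalise_name(vuln["ecosystem"], vuln["name"]))
                if key != vkey or not in_range(ver, vuln["introduced"], vuln["fixed"]):
                    continue
                findings.append({
                    "artifact": art["artifact"], "artifact_version": art["version"],
                    "component": comp["name"], "component_version": comp["version"],
                    "ecosystem": comp["ecosystem"], "vuln_id": vuln["id"],
                    "summary": vuln["summary"], "score": vuln["score"],
                    "status": "draft",  # a new finding starts as a draft
                })
    return findings, skipped
```

The example rejects pre-release versions such as `1.0.0-beta` instead of guessing an order for them; a production scanner applies each ecosystem's own version semantics (PEP 440, semver, Debian epochs and so on), and the `skipped` list is what tells you which components it could not judge.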
Severity bands
Raw scores are normalised into one of five bands so you can rank and filter consistently. A numeric base score is mapped directly; a CVSS vector is scored first and the result is mapped. Both use the standard CVSS qualitative ranges:
| Band | Score range |
|---|---|
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 |
| Low | 0.1 – 3.9 |
| Unknown | no rateable score |
Unknown is a first-class band: anything that cannot be confidently rated (a missing score, a score or vector that cannot be rated, or a 0.0, which falls in none of the four rated bands) is shown as Unknown rather than hidden or guessed.
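Banding as an added example, not the platform's code. A numeric score maps straight to a band; a CVSS v3.0 or v3.1 vector is scored first with the base-score formula from the CVSS v3.1 specification; anything else, including CVSS v2 and v4 vectors this example does not implement, out-of-range numbers and a 0.0, falls to unknown rather than being guessed.

```python
import math

# CVSS v3.1 base-metric weights, as given in the specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def _roundup(x):
    """CVSS v3.1 Roundup: the spec's integer-based rounding to one decimal,
    written this way to avoid floating-point surprises at band boundaries."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Base score for a CVSS:3.0 or CVSS:3.1 vector string.

    Temporal and environmental metrics in the string are ignored. Raises
    ValueError for anything that cannot be scored (other CVSS versions,
    missing base metrics, invalid metric values)."""
    parts = vector.strip().split("/")
    if parts[0] not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("not a CVSS v3 vector")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = [m for m in _BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    try:
        changed = {"U": False, "C": True}[metrics["S"]]
        pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[metrics["PR"]]
        exploitability = (8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]]
                          * pr * _UI[metrics["UI"]])
        iss = 1 - ((1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]])
                   * (1 - _CIA[metrics["A"]]))
    except KeyError as exc:
        raise ValueError(f"invalid metric value: {exc}") from exc
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


def band_from_score(score):
    """Map a numeric base score (number or numeric string) to a band."""
    if score is None:
        return "unknown"
    try:
        s = float(score)
    except (TypeError, ValueError):
        return "unknown"
    if math.isnan(s) or s < 0 or s > 10:
        return "unknown"
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    if s > 0:
        return "low"
    return "unknown"  # 0.0 sits in none of the four rated bands


def severity_band(raw):
    """Band whatever the database supplied: a number, a numeric string, or a
    CVSS v3 vector. Everything else is reported as unknown, never guessed."""
    if isinstance(raw, str) and raw.startswith("CVSS:"):
        try:
            return band_from_score(cvss31_base_score(raw))
        except ValueError:
            return "unknown"  # v2/v4 vectors or a malformed v3 vector
    return band_from_score(raw)
```

Keeping the score computation separate from the banding lets you unit-test each against known vectors; the three vectors in the test below score 9.8, 6.1 and 7.8, which are the familiar values for network RCE, reflected XSS and local privilege escalation shapes.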
Triaging findings
A new finding is a draft. It starts no regulatory clock on its own; that is deliberate, because a match on component name and version is not yet a confirmed exposure and may not apply to your product at all. From the console you can:
- Filter the list by artifact, version, severity, status, ecosystem or a free-text search.
- Read a posture summary: open / dismissed / promoted totals, an open-by-severity histogram, and a worst-first breakdown per artifact.
- Dismiss a finding that does not apply, or promote one that does.
Promoting a finding is how a vulnerability becomes a deadline-tracked incident. That hand-off is covered next. Every status change is written to the audit log, so the triage history itself is evidence.
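A model of the triage console, as an added example rather than the platform's code. It assumes that draft is the only state from which dismiss or promote is allowed, that unknown sorts after low in worst-first order, and that free-text search covers the identifier, component and summary; none of those details are stated on the page. The findings are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Worst-first ordering of the five bands. Placing "unknown" after "low" is an
# assumption for this example: it keeps unrated findings visible without
# letting them outrank a rated one.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

# Constructed findings in the shape the scan records.
FINDINGS = [
    {"id": 1, "artifact": "gateway-fw", "artifact_version": "3.2.0",
     "component": "acme-parser", "ecosystem": "pypi", "vuln_id": "DEMO-2024-0001",
     "severity": "high", "summary": "Unbounded recursion on crafted input"},
    {"id": 2, "artifact": "gateway-fw", "artifact_version": "3.2.0",
     "component": "libcompress", "ecosystem": "generic", "vuln_id": "DEMO-2024-0003",
     "severity": "unknown", "summary": "Heap overflow in stream decoder"},
    {"id": 3, "artifact": "sensor-fw", "artifact_version": "1.0.5",
     "component": "acme-parser", "ecosystem": "pypi", "vuln_id": "DEMO-2024-0002",
     "severity": "critical", "summary": "Path traversal in include handling"},
]


class TriageConsole:
    def __init__(self, findings, clock=None):
        # Every finding enters as a draft; "open" in the posture summary means draft.
        self.findings = {f["id"]: dict(f, status="draft") for f in findings}
        self.audit_log = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _set_status(self, fid, new_status, actor, reason):
        f = self.findings[fid]
        if f["status"] != "draft":  # assumption: only a draft can be triaged
            raise ValueError(f"finding {fid} is already {f['status']}")
        old_status, f["status"] = f["status"], new_status
        # The audit entry is the evidence: who, when, from what, to what, and why.
        self.audit_log.append({"at": self._clock(), "finding": fid, "actor": actor,
                               "from": old_status, "to": new_status, "reason": reason})

    def dismiss(self, fid, actor, reason):
        self._set_status(fid, "dismissed", actor, reason)

    def promote(self, fid, actor, reason):
        self._set_status(fid, "promoted", actor, reason)
        return self.findings[fid]  # hand-off: the incident workflow takes over here

    def filter(self, text=None, **fields):
        """Exact match on any recorded field (artifact, severity, status, ...)
        plus a case-insensitive free-text search; results are worst first."""
        out = []
        for f in self.findings.values():
            if any(f.get(k) != v for k, v in fields.items()):
                continue
            haystack = " ".join([f["vuln_id"], f["component"], f["summary"]]).lower()
            if text and text.lower() not in haystack:
                continue
            out.append(f)
        return sorted(out, key=lambda f: SEVERITY_RANK[f["severity"]])

    def posture(self):
        """Totals by status, an open-by-severity histogram, and the worst open
        severity per artifact, worst artifact first."""
        all_findings = list(self.findings.values())
        open_findings = [f for f in all_findings if f["status"] == "draft"]
        totals = {"open": 0, "dismissed": 0, "promoted": 0}
        for f in all_findings:
            totals["open" if f["status"] == "draft" else f["status"]] += 1
        by_severity = dict(Counter(f["severity"] for f in open_findings))
        per_artifact = {}
        for f in open_findings:
            entry = per_artifact.setdefault(f["artifact"], {"worst": f["severity"], "open": 0})
            entry["open"] += 1
            if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[entry["worst"]]:
                entry["worst"] = f["severity"]
        worst_first = sorted(per_artifact.items(),
                             key=lambda kv: SEVERITY_RANK[kv[1]["worst"]])
        return {"totals": totals, "open_by_severity": by_severity,
                "worst_first": worst_first}
```

The `reason` on every transition is not decoration: when a dismissed finding is questioned later, the audit entry is what shows that someone judged it inapplicable, and why, at the time.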