No UI, no heavyweight platform, just a local CVE ingestion pipeline in Postgres. This is, more or less, how our system handles the weekly full baseline sync and the hourly incremental updates.
CVE, NVD, OSV, GHSA, RHSA, USN, PYSEC, RUSTSEC, and dozens more. Here's a practical model for how these systems fit together, why the ecosystem feels fragmented, and what the advisory prefixes actually mean in production data.
CycloneDX, SPDX, and SWID all describe software, but they solve different problems. If you're trying to meet CRA obligations, exchange SBOMs with customers, or standardize your software inventory, here's what each format is for and when to use it.
The EU Cyber Resilience Act's first real deadline hits September 11, 2026. From that date, you must submit an early-warning notification of an actively exploited vulnerability within 24 hours of becoming aware of it. If you don't have SBOMs and CVE monitoring in place, you can't meet that clock. Here's what you need to know, and what your options are.
Getting "Component requires at least one valid identifier (PURL or CPE)" for @types/node or @angular/core? The @ sign in scoped npm packages must be percent-encoded as %40 in PURLs. Here's why, and how to fix it.
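As an added illustration (this is not code from the post above), the builder and parser below show why the encoding matters: once the scope's `@` is `%40`, the only literal `@` left in the string is the version separator, so a parser that splits the version off the right-most `@` cannot be fooled by the scope. The function names, the lowercasing of names (npm rejects uppercase in new package names) and the strictness of the parser are this example's own choices; the encoding itself follows the purl spec.

```python
from __future__ import annotations

from urllib.parse import quote, unquote

PREFIX = "pkg:npm/"


def npm_purl(package: str, version: str | None = None) -> str:
    """Build the canonical Package URL for an npm package.

    "@angular/core", "12.3.1" -> "pkg:npm/%40angular/core@12.3.1"
    The scope is the purl namespace; its leading '@' must be percent-encoded
    so that the only literal '@' left in the string is the version separator.
    """
    if package.startswith("@"):
        scope, slash, name = package.partition("/")
        if not slash or not name or "/" in name:
            raise ValueError(f"malformed scoped package name: {package!r}")
        # quote() with safe="" encodes '@' as '%40' (and any stray '/' as '%2F')
        namespace = quote(scope.lower(), safe="") + "/"
    else:
        if "/" in package:
            raise ValueError(f"unscoped npm name must not contain '/': {package!r}")
        namespace, name = "", package
    purl = PREFIX + namespace + quote(name.lower(), safe="")
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def parse_npm_purl(purl: str) -> tuple[str, str | None]:
    """Parse a canonical npm purl back into (package, version).

    Follows the purl parsing order: drop subpath and qualifiers, split the
    version off the right-most '@', then split the remainder on '/'.
    A raw '@' inside a path segment (what an unencoded scope produces) is
    rejected, which is this example's strictness, not a spec quotation.
    """
    if not purl.startswith(PREFIX):
        raise ValueError(f"not an npm purl: {purl!r}")
    rest = purl[len(PREFIX):].split("#", 1)[0].split("?", 1)[0]
    body, sep, version = rest.rpartition("@")
    if not sep:
        body, version = rest, None
    if not body or (version is not None and (not version or "/" in version)):
        raise ValueError(f"cannot locate version separator in {purl!r}")
    segments = body.split("/")
    if len(segments) > 2 or any(not s or "@" in s for s in segments):
        raise ValueError(f"unencoded '@' or bad segment layout in {purl!r}")
    package = "/".join(unquote(s) for s in segments)
    return package, (unquote(version) if version is not None else None)


def is_canonical_npm_purl(purl: str) -> bool:
    """True only if the purl parses and rebuilds byte-for-byte the same."""
    try:
        package, version = parse_npm_purl(purl)
    except ValueError:
        return False
    return npm_purl(package, version) == purl


if __name__ == "__main__":
    # Constructed sample inputs: the two packages named in the post plus an unscoped one.
    for pkg, ver in [("@types/node", "20.11.0"), ("@angular/core", "12.3.1"), ("lodash", "4.17.21")]:
        print(npm_purl(pkg, ver))
    print(is_canonical_npm_purl("pkg:npm/@angular/core@12.3.1"))  # raw '@' in the scope: not canonical
```

The round-trip check in `is_canonical_npm_purl` is the useful part for an SBOM pipeline: run it over every `purl` field before validation and you catch the unencoded `@` (and any stray uppercase) at ingest time rather than in a validator's error log.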
Your CycloneDX SBOM fails NTIA minimum-elements validation because of missing supplier fields. Here's exactly what those errors mean, where they come from, and how to fix them, with reference to the CycloneDX 1.7 spec.