sbom-analysis
SBOM Analysis & VEX Review -- CycloneDX 1.5 / SPDX 2.3 / VEX (CSAF) / NTIA Minimum Elements
Frameworks: CycloneDX 1.5 (OWASP), SPDX 2.3 (Linux Foundation; the ISO/IEC 5962:2021 standard corresponds to SPDX 2.2.1, not 2.3), VEX via CSAF 2.0 (OASIS), NTIA SBOM Minimum Elements
Role: Security Engineer, AppSec Engineer
Time: 20-40 min
Output: SBOM completeness assessment, VEX status summary, dependency risk analysis, and license conflict report
When to Use
If a target is provided via arguments, focus the review on: $ARGUMENTS
Use this skill when an SBOM file (CycloneDX or SPDX) is shared for review; when evaluating software supply chain risk for a vendor or internal application; when VEX documents must be interpreted to determine whether the vulnerabilities listed for a component are actually exploitable in the product (a "not affected" status is only as good as its stated justification); when assessing SBOM completeness against the NTIA minimum elements for regulatory compliance (EO 14028, EU CRA); or when performing transitive dependency analysis for known vulnerabilities.
Do not use when: The task is triaging a specific CVE without SBOM context (use cve-triage), performing runtime vulnerability scanning (use scanner-tuning), or reviewing source code for security flaws (use secure-code-review).
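The three core checks this skill produces (NTIA minimum-element completeness, transitive dependency depth, and VEX status overlay) as an added worked example; this is illustrative code, not part of this skill or of any CycloneDX/CSAF tooling. It assumes a CycloneDX 1.5 JSON SBOM whose components carry `bom-ref` and `purl`, and a CSAF 2.0 VEX document that identifies products by purl under `product_tree.full_product_names`; both sample documents are constructed, and every purl, product_id and `CVE-0000-*` identifier in them is a placeholder rather than a real package or advisory.

```python
"""Added example (not the skill's own code): NTIA completeness, dependency
depth, and CSAF VEX overlay for a CycloneDX 1.5 JSON SBOM. Stdlib only."""
import json
from collections import deque

# Constructed sample SBOM: one component lacks a supplier, one lacks version,
# identifier and any dependency entry (an "orphan" the reviewer should flag).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"timestamp": "2024-05-01T12:00:00Z", "authors": [{"name": "Example AppSec"}],
               "component": {"type": "application", "bom-ref": "app", "name": "shop-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/example-http@2.4.0", "name": "example-http", "version": "2.4.0",
     "purl": "pkg:npm/example-http@2.4.0", "supplier": {"name": "Example OSS"}},
    {"type": "library", "bom-ref": "pkg:npm/example-yaml@5.1.0", "name": "example-yaml", "version": "5.1.0",
     "purl": "pkg:npm/example-yaml@5.1.0"},
    {"type": "library", "bom-ref": "orphan-lib", "name": "orphan-lib"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/example-http@2.4.0"]},
    {"ref": "pkg:npm/example-http@2.4.0", "dependsOn": ["pkg:npm/example-yaml@5.1.0"]}
  ]
}'''

# Constructed sample CSAF 2.0 VEX; CVE-0000-* ids are placeholders, not real CVEs.
VEX_JSON = r'''{
  "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Constructed VEX",
               "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1"}},
  "product_tree": {"full_product_names": [
    {"name": "example-http 2.4.0", "product_id": "CSAFPID-0001",
     "product_identification_helper": {"purl": "pkg:npm/example-http@2.4.0"}},
    {"name": "example-yaml 5.1.0", "product_id": "CSAFPID-0002",
     "product_identification_helper": {"purl": "pkg:npm/example-yaml@5.1.0"}},
    {"name": "example-other 1.0.0", "product_id": "CSAFPID-0003",
     "product_identification_helper": {"purl": "pkg:npm/example-other@1.0.0"}}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]},
    {"cve": "CVE-0000-0002", "product_status": {"known_affected": ["CSAFPID-0002"]},
     "remediations": [{"category": "vendor_fix", "details": "upgrade to 5.2.0", "product_ids": ["CSAFPID-0002"]}]},
    {"cve": "CVE-0000-0003", "product_status": {"known_not_affected": ["CSAFPID-0002"]}},
    {"cve": "CVE-0000-0004", "product_status": {"under_investigation": ["CSAFPID-0003"]}}
  ]
}'''


def load_samples():
    """Parse the constructed SBOM and VEX documents."""
    return json.loads(SBOM_JSON), json.loads(VEX_JSON)


def check_ntia_minimum_elements(bom):
    """Findings against the NTIA minimum data fields (supplier, version, unique
    identifier, dependency relationship, SBOM author, timestamp). Component
    name is implied by CycloneDX's required 'name'. Empty/False = satisfied."""
    meta = bom.get("metadata", {})
    referenced = set()  # every bom-ref that appears anywhere in the dependency graph
    for dep in bom.get("dependencies", []):
        referenced.add(dep["ref"])
        referenced.update(dep.get("dependsOn", []))
    f = {"missing_author": not meta.get("authors"), "missing_timestamp": "timestamp" not in meta,
         "missing_supplier": [], "missing_version": [], "missing_identifier": [], "no_dependency_entry": []}
    for c in bom.get("components", []):
        ref = c.get("bom-ref", c["name"])
        if not c.get("supplier", {}).get("name"):
            f["missing_supplier"].append(ref)
        if not c.get("version"):
            f["missing_version"].append(ref)
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            f["missing_identifier"].append(ref)
        if ref not in referenced:
            f["no_dependency_entry"].append(ref)
    return f


def dependency_depths(bom):
    """BFS from metadata.component over 'dependencies'; returns {bom-ref: depth}.
    Components absent from the result are unreachable from the root, which
    means the dependency graph is incomplete or the component is an orphan."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth


def apply_vex(bom, vex):
    """Join each CSAF product_status entry to the SBOM by purl. One record per
    (cve, product); products the SBOM lacks are kept with in_sbom=False so the
    reviewer sees them instead of having them silently dropped."""
    sbom_purls = {c["purl"] for c in bom.get("components", []) if "purl" in c}
    pid_to_purl = {p["product_id"]: p.get("product_identification_helper", {}).get("purl")
                   for p in vex.get("product_tree", {}).get("full_product_names", [])}
    records = []
    for vuln in vex.get("vulnerabilities", []):
        flags = {pid: fl["label"] for fl in vuln.get("flags", []) for pid in fl.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                purl = pid_to_purl.get(pid)
                records.append({"cve": vuln.get("cve"), "purl": purl, "status": status,
                                "justification": flags.get(pid), "in_sbom": purl in sbom_purls})
    return records


def summarize(records):
    """Count in-SBOM records per status. 'known_not_affected' with no CSAF flag
    (justification) is bucketed separately: an unjustified claim is not evidence."""
    counts = {}
    for r in records:
        if not r["in_sbom"]:
            key = "not_in_sbom"
        elif r["status"] == "known_not_affected" and not r["justification"]:
            key = "known_not_affected_unjustified"
        else:
            key = r["status"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    bom, vex = load_samples()
    print(json.dumps(check_ntia_minimum_elements(bom), indent=2))
    print(dependency_depths(bom))
    print(json.dumps(summarize(apply_vex(bom, vex)), indent=2))
```

The join key is the purl, which is the only identifier both formats share reliably; a VEX product whose purl is not in the SBOM is reported rather than dropped, because a statement about a component you do not ship usually means either the SBOM is incomplete or the VEX was written for a different build. The `known_not_affected_unjustified` bucket is the item a reviewer should push back on: CSAF carries the justification in `flags[].label`, and a "not affected" without one should be treated as unverified.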