Most manufacturers discover SBOM gaps during their first compliance review, not before it. By then, the enforcement deadline is closer and the remediation scope is wider. The CRA's Annex I SBOM obligation is simple to state: machine-readable format, top-level dependencies as a minimum, stored in your Annex VII technical file. What trips manufacturers up is the phrase "at the very least". This article covers six mistakes that create the widest gap between a formal SBOM and one that would survive a market surveillance authority audit.
Summary
- Stopping at direct dependencies leaves transitive vulnerabilities outside the SBOM
- An SBOM created once becomes stale within weeks as new CVEs are published
- Missing hash values and PURL identifiers fail BSI TR-03183 quality checks
- Manual SBOM creation does not satisfy the CRA's ongoing update obligation
- Internal and proprietary components must appear alongside open-source libraries
- Supplier SBOMs are raw material, not a finished compliance artefact
Mistake at a glance
| # | Mistake | Why it fails | Fix |
|---|---|---|---|
| 1 | Stopping at direct dependencies | Transitive CVEs invisible to scanners | Lock files plus built-artefact scanning |
| 2 | Treating SBOM as one-time | Stale within weeks of new CVEs | CI/CD generation per build |
| 3 | Missing identity fields | No CVE matching, TR-03183 fails | Exact version, SHA-256, PURL, supplier |
| 4 | Manual generation | Cannot keep pace with releases | Syft, Trivy, or cdxgen automation |
| 5 | Skipping internal or proprietary components | Annex I draws no such distinction | Internal IDs, self as supplier, SHA-256 |
| 6 | Treating supplier SBOMs as final | Manufacturer owns the Annex I obligation | Consolidate into one product SBOM |
Mistake 1: stopping at direct dependencies
Annex I, Part II, point (1) sets the legal floor at top-level dependencies. Many manufacturers stop exactly there. The problem is not meeting the legal minimum. The problem is the risk that the minimum leaves outside your visibility. A transitive dependency (a library your direct dependency depends on) is just as exploitable as a direct one. When a CVE is published against a transitive package your SBOM does not list, you cannot match it, cannot report it, and are exposed without knowing it.
Your product
+-- Library A (direct) ← legal minimum, Annex I floor
| +-- Library B (transitive) ← outside SBOM, invisible to vulnerability scanners
| \-- Library C (transitive) ← outside SBOM, invisible to vulnerability scanners
\-- Library D (direct) ← legal minimum, Annex I floor
The fix is tooling and configuration. Use lock files and scan built artefacts rather than source only. Trivy, Syft, and cdxgen all support transitive dependency capture when configured correctly. BSI TR-03183 treats full transitive coverage as the quality indicator that separates a minimum-compliant SBOM from a genuinely useful one. See BSI TR-03183 quality levels for the field requirements at each tier.
Mistake 2: treating the SBOM as a one-time document
An SBOM generated once and never updated creates a false sense of security. New CVEs are published daily against components already in your product. An SBOM that was accurate at build time becomes stale within weeks. The CRA's Annex I obligation is ongoing: the SBOM must reflect the current state of the product throughout the support period.
Mandatory update triggers under the CRA:
| Trigger | What changes | SBOM update required? |
|---|---|---|
| New firmware or software version | New build artefact | Yes, full regeneration |
| Security patch applied | Component version bumped | Yes, affected components |
| Vulnerability discovered and addressed | VEX or exploitability status | Yes, VEX fields |
| Component added, removed, or replaced | Dependency graph | Yes, full regeneration |
| Design change affecting security | Components and architecture | Yes, full regeneration |
The fix is CI/CD integration. Every build should produce a current SBOM artefact stored alongside the release. A manual export cannot keep pace with the update frequency the CRA requires. See CRA SBOM requirements for the full list of triggers and the 10-year retention clock.
From 11 September 2026, you must report actively exploited vulnerabilities to ENISA within 24 hours. A stale SBOM means you cannot determine whether your product is affected before the clock starts. You need current component data before the incident, not after it.
Mistake 3: missing identity fields
An SBOM without accurate version, hash, and identifier fields is nearly useless for vulnerability matching. These fields connect a component entry to a CVE record in the National Vulnerability Database (NVD), OSV, or CISA KEV. Without them, vulnerability scanners cannot match against your components, and BSI TR-03183 quality checks will fail.
Every component must include:
| Field | Why it matters | Source |
|---|---|---|
| Exact version number | Required for CVE/NVD/OSV matching (not "latest" or ranges) | Annex I; TR-03183 mandatory |
| SHA-256 hash | Integrity verification for binary components | TR-03183 mandatory |
| PURL identifier | Links the component to its registry record | TR-03183 mandatory |
| Supplier name | Required at every quality level | Annex I; TR-03183 |
A common version mistake is using CycloneDX 1.3 or earlier. Core VEX support was added in CycloneDX 1.4 (January 2022), and the richer component evidence structure (identity, occurrences) used to demonstrate CRA traceability arrived in 1.5 (June 2023). Target CycloneDX 1.6 or later for CRA conformity. Check your tool's output version before assuming compliance.
Mistake 4: generating SBOMs manually
Manual SBOM creation is error-prone and does not scale across product versions. A hand-crafted SBOM misses components automated tools would find, contains typos in version strings, and cannot be regenerated reliably when a component changes. More critically, a manual process cannot satisfy the CRA's ongoing update obligation: every release, every patch, and every component change requires an updated SBOM.
Automate generation with Syft, Trivy, or cdxgen. Manual entries should be reserved for components that automated tools cannot detect, such as commercial libraries without package database entries or proprietary firmware blobs. Everything else should come from the build. Market surveillance authorities can request the SBOM at any time; it must reflect the current product state.
Mistake 5: ignoring internal and proprietary components
A common shortcut is to document only open-source dependencies and omit internal libraries, proprietary modules, or firmware blobs. Annex I draws no such distinction. If a component is in the product, it belongs in the SBOM.
Internal components often have no PURL or registry entry. The correct approach is to assign an internal identifier, list your own organisation as the supplier, and include the SHA-256 hash of the binary artefact. BSI TR-03183 explicitly covers proprietary components at all quality levels.
For products with embedded firmware from an ODM or chip vendor, you cannot audit what you did not build. The fix is contractual: require SBOM delivery from your firmware suppliers. Under the CRA, you are responsible for the full product regardless of who wrote the code. For hardware-software products, see HBOM under the CRA for when a Hardware Bill of Materials is needed alongside the SBOM.
Mistake 6: relying on supplier SBOMs as the finished artefact
Supplier SBOMs are a valid input, and the CRA expects manufacturers to use upstream documentation. They are not a substitute for an integrated product SBOM. The Annex I obligation sits on the manufacturer of the product placed on the EU market: you must consolidate supplier SBOMs with your own first-party components, build dependencies, and glue code into a single SBOM for the integrated product.
If a supplier SBOM is missing fields required by BSI TR-03183 (PURL, hash, licence), you are responsible for filling those gaps before your product ships. Treat supplier SBOMs as raw material. Your product SBOM is the finished compliance artefact.
Frequently asked questions
Can I reuse SBOMs from my suppliers to satisfy the CRA?
Partially. Supplier SBOMs are a valid input for the components they ship, and the CRA expects manufacturers to leverage upstream documentation rather than reinvent it. But the obligation under Annex I sits on the manufacturer of the product placed on the EU market: you must produce and maintain an SBOM for the integrated product, which means consolidating supplier SBOMs with your own first-party components, your build dependencies, and any glue code. If a supplier SBOM is missing fields required by BSI TR-03183 (PURL, hash, licence), you are responsible for filling those gaps before your product ships. Treat supplier SBOMs as raw material, not as a finished compliance artefact.
What is the legal minimum for SBOM dependency coverage under the CRA?
Annex I, Part II, point (1) sets the floor at top-level dependencies. The official text reads: "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products." This means direct dependencies are the legal minimum. Transitive dependencies are not legally required but are strongly recommended as best practice: they are what vulnerability scanners actually need to match CVEs accurately, and BSI TR-03183 counts transitive coverage as a quality indicator.
Does an SBOM need to be updated with every patch release?
Yes. Every security patch release is a mandatory SBOM update trigger under the CRA. The technical file, which includes the SBOM, must stay current throughout the product lifecycle. If you patch a vulnerable component, your SBOM must reflect the new version. Automate SBOM generation in CI/CD so that patch releases produce an updated SBOM artefact automatically, without a manual step that can be missed under deadline pressure.