SBOM Health Analyzer
Paste or upload a CycloneDX or SPDX JSON file. Instantly see component ages, EOL status, known CVEs, and an overall health grade — 100% client-side.
How It Works
Upload Your SBOM
Paste or upload a CycloneDX or SPDX JSON file. Your data never leaves the browser.
Map Components
Each component is matched to a trackable technology using name analysis and PURL type detection.
Get Health Grade
See health, EOL, and CVE badges for each matched component, plus an overall A–F grade for your stack.
Supported SBOM Formats
CycloneDX JSON
Versions 1.4 and above. Reads the components array with name, version, type, and purl fields.
SPDX JSON
Versions 2.2 and above. Reads the packages array with name, versionInfo, and externalRefs for PURL.
FAQ
Is my SBOM sent anywhere?
No. Your SBOM is parsed entirely in the browser. The only network requests are fetching ReleaseRun badge images to display health, EOL, and CVE status for matched components.
What SBOM formats are supported?
CycloneDX JSON (1.4+) and SPDX JSON (2.2+). The format is auto-detected from the JSON structure — bomFormat for CycloneDX, spdxVersion for SPDX.
How do you map components to technologies?
Components are matched by name against a curated technology map (e.g. “express” → Node.js, “django” → Django). PURL types are also used: pkg:npm/ maps to the Node.js ecosystem, pkg:pypi/ to Python, and so on.
What about components that aren't in your database?
Components that can’t be mapped to a trackable technology are listed in the results but not scored. The overall grade is based only on matched components.
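The detection and mapping described in the FAQ, as an added example that is not the analyzer's own code: it tells CycloneDX from SPDX by the presence of bomFormat or spdxVersion, reads components or packages accordingly, and maps each PURL type to an ecosystem. The ecosystem table and both sample documents are constructed for illustration; unmapped components are kept in the output with a null ecosystem so they can be listed without being scored.

```javascript
// Constructed PURL-type table (the real analyzer's map is larger).
const PURL_TYPE_TO_ECOSYSTEM = {
  npm: "Node.js", pypi: "Python", maven: "Java", golang: "Go", cargo: "Rust",
};

// "pkg:npm/express@4.18.2" -> "npm"; null when the string is not a PURL.
function purlType(purl) {
  const m = /^pkg:([a-z0-9.+-]+)\//i.exec(purl || "");
  return m ? m[1].toLowerCase() : null;
}

// Auto-detect the format from the JSON structure, as the FAQ describes.
function detectFormat(doc) {
  if (doc.bomFormat === "CycloneDX") return "cyclonedx";
  if (typeof doc.spdxVersion === "string") return "spdx";
  throw new Error("Unrecognised SBOM: neither bomFormat nor spdxVersion present");
}

// Normalise one component to {name, version, purl, ecosystem}.
function normalise(name, version, purl) {
  const type = purlType(purl);
  return { name, version: version || null, purl: purl || null,
           ecosystem: type ? PURL_TYPE_TO_ECOSYSTEM[type] || null : null };
}

// CycloneDX: components[].{name,version,purl}.
// SPDX: packages[].{name,versionInfo} with the PURL in externalRefs.
function extractComponents(doc) {
  if (detectFormat(doc) === "cyclonedx") {
    return (doc.components || []).map((c) => normalise(c.name, c.version, c.purl));
  }
  return (doc.packages || []).map((p) => {
    const ref = (p.externalRefs || []).find((r) => r.referenceType === "purl");
    return normalise(p.name, p.versionInfo, ref ? ref.referenceLocator : null);
  });
}

// Split into components that can be scored and those only listed.
function partition(components) {
  return { scored: components.filter((c) => c.ecosystem !== null),
           unscored: components.filter((c) => c.ecosystem === null) };
}

// Constructed sample documents (minimal, not real SBOMs).
const CYCLONEDX_SAMPLE = { bomFormat: "CycloneDX", specVersion: "1.5", components: [
  { type: "library", name: "express", version: "4.18.2", purl: "pkg:npm/express@4.18.2" },
  { type: "library", name: "internal-lib", version: "0.1.0" } ] };
const SPDX_SAMPLE = { spdxVersion: "SPDX-2.3", packages: [
  { name: "django", versionInfo: "4.2.7", externalRefs: [
    { referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
      referenceLocator: "pkg:pypi/django@4.2.7" } ] } ] };
```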
Monitor your entire stack
Track releases, EOL dates, and CVEs for every technology in your SBOM — with embeddable badges for your README.