# Software Bill of Materials (SBOM)
Permission Assist includes a machine-readable Software Bill of Materials (SBOM) for each product version. The SBOM is a standardized inventory of the third-party libraries and components that make up the application — the software equivalent of a product label — and is available for direct download within the product.
## Why this matters for financial institutions
Financial institutions are increasingly expected to demonstrate that they understand the software supply chain of every vendor they rely on. During vendor due diligence, security questionnaires, and RFP responses, examiners and internal risk committees commonly request SBOM data to assess a vendor's security posture.
Permission Assist provides this data in machine-readable formats so your security team can run it through your existing vulnerability management tools immediately — without waiting for a manual response from Continuous.
## Available formats
Permission Assist provides the SBOM in two industry-standard formats:
| Format | Standard | Best for |
|---|---|---|
| SPDX 2.3 | ISO/IEC 5962:2021 | Regulatory compliance reporting, legal review |
| CycloneDX 1.5 | OWASP specification | Vulnerability scanning, Dependency-Track, Snyk, Vanta |
Both files contain the same dependency inventory. The format you choose depends on which tooling your security program uses.
## What the SBOM contains
The SBOM covers all third-party libraries used in production builds of Permission Assist, organized into two categories:
- .NET (NuGet) packages — server-side libraries included via NuGet
- JavaScript libraries — client-side libraries bundled with the application
For each component, the SBOM includes the package name, version, declared license, and a package URL (purl) that vulnerability scanners use to look up known CVEs.
Internal Continuous packages (prefixed Sycorr.*) are excluded — the SBOM covers only third-party dependencies.
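As an added example that is not part of the product documentation: a short Python script that reads a CycloneDX 1.5 JSON SBOM of the shape described above, groups entries into the two categories by purl type, and flags what a scanner could not use (components without a purl) or what should not be there (a `Sycorr.*` internal package). The SBOM document is constructed, and the assumption that client-side JavaScript libraries carry `pkg:npm` purls is mine, not the page's.

```python
import json

# Constructed sample in CycloneDX 1.5 JSON layout; names and versions are
# illustrative and are not taken from a real Permission Assist SBOM.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "Newtonsoft.Json", "version": "13.0.3", "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "jquery", "version": "3.7.1", "purl": "pkg:npm/jquery@3.7.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "Sycorr.Example", "version": "1.0.0", "purl": "pkg:nuget/Sycorr.Example@1.0.0"},
    {"name": "left-pad", "version": "1.3.0"},  # deliberately has no purl
]})

# purl type -> the category used in the Permission Assist documentation (npm mapping is an assumption)
ECOSYSTEMS = {"nuget": ".NET (NuGet)", "npm": "JavaScript"}


def inventory(sbom_text):
    """Parse a CycloneDX JSON SBOM. Returns the usable third-party inventory,
    plus the entries that need follow-up: vendor-internal packages that should
    not be present, and components without a purl that scanners cannot resolve."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    result = {"components": [], "internal_found": [], "missing_purl": []}
    for comp in bom.get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        if name.startswith("Sycorr."):          # internal prefix named in the docs
            result["internal_found"].append(f"{name}@{version}")
            continue
        purl = comp.get("purl")
        if not purl:                            # nothing for a CVE lookup to key on
            result["missing_purl"].append(f"{name}@{version}")
            continue
        ptype = purl.split(":", 1)[1].split("/", 1)[0]   # "pkg:<type>/<name>@<version>"
        lic = next((e["license"]["id"] for e in comp.get("licenses", [])
                    if "id" in e.get("license", {})), "NOASSERTION")
        result["components"].append({"name": name, "version": version, "purl": purl,
                                     "license": lic, "ecosystem": ECOSYSTEMS.get(ptype, ptype)})
    return result


if __name__ == "__main__":
    inv = inventory(SAMPLE_SBOM)
    for c in inv["components"]:
        print(f'{c["ecosystem"]:12} {c["name"]}@{c["version"]}  {c["license"]}  {c["purl"]}')
    print("internal packages present:", inv["internal_found"])
    print("components without purl:", inv["missing_purl"])
```

Point the script at the downloaded CycloneDX file instead of `SAMPLE_SBOM` to produce the same split for a real product version.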
## How it relates to the component list in About
When you open the About Permission Assist window (open the Help menu, shown as a ? icon, and select About Permission Assist), the component list displayed on screen is generated directly from the SBOM file. It shows the same inventory in a human-readable table — there is no separate source of truth.