One place for the full loop
Reports, live CVE lookup, and optional manifest-to-SBOM conversion, all in the browser. The SBOM library is reference data you import yourself; there is no one-click "analyze this catalog item."
Six Report Views
One analysis produces tailored reports for Executive, Risk, Technical, Compliance, Procurement, and Legal stakeholders.
Explore reports →
Real-Time CVE Intelligence
Live OSV.dev integration queries Google's Open Source Vulnerability database — no stale CVE snapshots, no third-party data fees.
How vulnerability data works →
SBOM Generation
Upload a manifest; get CycloneDX 1.5 or SPDX 2.3. Verify against your own standard—don’t treat output as a certification artifact.
Supported formats →
SBOM Library (reference)
Reference SBOMs (npm, PyPI, Maven, Go, Rust). You import by hand after download—good for what-if, not a procurement workflow yet.
Open the library in the app →
Multi-Framework Compliance
Gap-style mapping to major frameworks; depth varies by framework. It supports your evidence pack; it is not a certification substitute or a replacement for counsel or audit.
See frameworks covered →
Six Report Views
One analysis; depth scales from board summary to CVE line items.
Key challenges
Executives need clear, business-language risk summaries — not raw CVE lists — to make strategic decisions and justify security investments.
- Understanding business impact of supply chain risks
- Translating technical vulnerabilities into financial exposure
- Justifying security investments to the board
- Demonstrating regulatory readiness to auditors
Executive Summary Report
Board-ready risk overview with key findings and strategic recommendations derived from the SBOM — no technical background required. Financial exposure figures are indicative estimates, not actuarial calculations.
Open in app
- Overall risk posture and business impact summary
- Indicative financial exposure estimates (heuristic)
- Strategic remediation recommendations
- Regulatory compliance status at a glance
Real-Time CVE Intelligence
Live OSV.dev integration queries Google's Open Source Vulnerability database in real time. No stale CVE snapshots. No third-party data fees. No component data sent to our servers.
5 ecosystems
npm, PyPI, Maven, Go, Rust — all queried live via the OSV.dev API
CVSS v3.1 + v2
CVSS v3.1 and v2 vector strings as published in the OSV record, parsed into base, temporal, and environmental metric groups where the vector carries them. Environmental metrics describe your own deployment, so a database vector cannot supply them; the score is only as complete as the vector behind it.
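What "scoring" a vector means in practice, as an added example that is not TechnoSoluce code: the CVSS v3.1 base-score formula applied to a vector string of the kind an OSV.dev record carries. Metric weights, the Roundup rule and the qualitative rating scale are taken from the published CVSS v3.1 specification; only base metrics are computed, because temporal and environmental values are not in the database vector. The vectors in the comments are constructed inputs, and `parseCvssVector`, `cvss31BaseScore` and `cvssRating` are names chosen here.

```javascript
// Added example (not TechnoSoluce code): CVSS v3.1 base score from a vector
// string, using the metric weights and Roundup rule of the CVSS v3.1 spec.
// Base metrics only: temporal and environmental metrics are not part of the
// vector an OSV record carries and would have to come from your own assessment.

const CVSS31 = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
  // Privileges Required is weighted differently when Scope is Changed.
  PR: { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } },
};

// Look up a weight, failing loudly on an unknown metric value rather than
// silently producing NaN (which a report would sort as "no severity").
function weight(table, value, metric) {
  const w = table[value];
  if (w === undefined) throw new Error(`invalid value '${value}' for ${metric}`);
  return w;
}

// "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" -> { version, metrics }
// CVSS:3.0 vectors are accepted and scored with the 3.1 rounding rule.
function parseCvssVector(vector) {
  const parts = String(vector).trim().split('/');
  const m = /^CVSS:(3\.[01])$/.exec(parts.shift());
  if (!m) throw new Error(`unsupported CVSS vector: ${vector}`);
  const metrics = {};
  for (const p of parts) {
    const [k, v, extra] = p.split(':');
    if (!k || !v || extra !== undefined) throw new Error(`malformed metric '${p}'`);
    metrics[k] = v;
  }
  for (const req of ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']) {
    if (!(req in metrics)) throw new Error(`missing base metric ${req}`);
  }
  return { version: m[1], metrics };
}

// CVSS v3.1 Roundup: round up to one decimal using integer arithmetic so a
// value like 4.000000000000001 does not become 4.1 (spec Appendix A).
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function cvss31BaseScore(vector) {
  const { metrics: m } = parseCvssVector(vector);
  if (m.S !== 'U' && m.S !== 'C') throw new Error(`invalid value '${m.S}' for S`);
  const changed = m.S === 'C';
  const iss = 1 - (1 - weight(CVSS31.CIA, m.C, 'C'))
                * (1 - weight(CVSS31.CIA, m.I, 'I'))
                * (1 - weight(CVSS31.CIA, m.A, 'A'));
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability = 8.22
    * weight(CVSS31.AV, m.AV, 'AV') * weight(CVSS31.AC, m.AC, 'AC')
    * weight(CVSS31.PR[m.S], m.PR, 'PR') * weight(CVSS31.UI, m.UI, 'UI');
  if (impact <= 0) return 0;
  const raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(raw, 10));
}

// Qualitative rating scale from the spec: None / Low / Medium / High / Critical.
function cvssRating(score) {
  if (score === 0) return 'None';
  if (score < 4) return 'Low';
  if (score < 7) return 'Medium';
  if (score < 9) return 'High';
  return 'Critical';
}

// Constructed inputs: a full-impact network vector scores 9.8 (Critical);
// a scope-changed PR:L/C:L/I:L vector scores 6.4 (Medium).
```

The lookup helper throws on an unknown metric value on purpose: a vector with a typo would otherwise score as NaN and drop out of any "sort by severity" view, which is the failure mode a triage report must not have.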
Zero data exposure
CVE queries are by package name + version only — your SBOM inventory never leaves your browser
Publicly verifiable
Every CVE finding links back to its source on osv.dev — independently verifiable, no proprietary scoring
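To make the "name + version only" claim concrete, here is an added example, not TechnoSoluce code, of what one OSV.dev lookup sends and how the response is read. It builds the body for `POST https://api.osv.dev/v1/query` from a component's purl (the OSV ecosystem names `npm`, `PyPI`, `Maven`, `Go` and `crates.io` are the ones OSV uses for the five ecosystems listed above) and reduces a `/v1/query` response to the OSV id, CVE aliases, CVSS vector, fixed versions and the osv.dev link a reader can verify. `SAMPLE_RESPONSE` is a constructed record with placeholder identifiers, no network call is made, and the function names are chosen here.

```javascript
// Added example (not TechnoSoluce code): what leaves the browser for one OSV
// lookup, and how to read what comes back. No network request is made here;
// SAMPLE_RESPONSE is constructed with placeholder identifiers.

const OSV_QUERY_URL = 'https://api.osv.dev/v1/query';

// purl type -> OSV ecosystem name, for the five ecosystems listed on the page.
const PURL_TYPE_TO_OSV = { npm: 'npm', pypi: 'PyPI', maven: 'Maven', golang: 'Go', cargo: 'crates.io' };

// pkg:maven/org.example/lib@1.0.0?type=jar -> { package: { name, ecosystem }, version }
// Nothing else from the SBOM entry (supplier, hashes, licenses) goes into the query.
function purlToOsvQuery(purl) {
  if (!purl.startsWith('pkg:')) throw new Error(`not a purl: ${purl}`);
  let rest = purl.slice(4).split('#')[0].split('?')[0]; // drop subpath and qualifiers
  const slash = rest.indexOf('/');
  if (slash < 0) throw new Error(`purl has no name: ${purl}`);
  const type = rest.slice(0, slash).toLowerCase();
  rest = rest.slice(slash + 1);
  // The last '@' is the version separator only if it comes after the last '/',
  // so a scoped npm name such as @sample/util is not mistaken for a version.
  const at = rest.lastIndexOf('@');
  let version = null;
  if (at > rest.lastIndexOf('/')) {
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }
  const ecosystem = PURL_TYPE_TO_OSV[type];
  if (!ecosystem) throw new Error(`unsupported purl type: ${type}`);
  if (!version) throw new Error(`purl has no version, cannot query by version: ${purl}`);
  const segs = rest.split('/').map(decodeURIComponent);
  // Maven names are groupId:artifactId; npm scopes and Go module paths keep '/'.
  const name = type === 'maven' ? segs.join(':') : segs.join('/');
  return { package: { name, ecosystem }, version };
}

// fetch()-ready request descriptor; the body is the only data that leaves the browser.
function osvQueryRequest(purl) {
  return {
    url: OSV_QUERY_URL,
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(purlToOsvQuery(purl)),
  };
}

const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

// Reduce a /v1/query response to what a report line needs: OSV id, CVE aliases,
// CVSS vector string (OSV stores it in severity[].score), fixed versions for this
// package, and the osv.dev link a reader can check independently.
function summarizeOsvResponse(query, response) {
  const { name, ecosystem } = query.package;
  return (response.vulns || []).map((v) => {
    const sevs = v.severity || [];
    const sev = sevs.find((s) => s.type === 'CVSS_V3') || sevs.find((s) => s.type === 'CVSS_V2');
    const fixedIn = [];
    for (const a of v.affected || []) {
      if (!a.package || a.package.ecosystem !== ecosystem || a.package.name !== name) continue;
      for (const r of a.ranges || []) for (const e of r.events || []) if (e.fixed) fixedIn.push(e.fixed);
    }
    return {
      id: v.id,
      cves: (v.aliases || []).filter((x) => CVE_ID.test(x)),
      cvssVector: sev ? sev.score : null,
      fixedIn,
      url: `https://osv.dev/vulnerability/${encodeURIComponent(v.id)}`,
    };
  });
}

// Constructed sample in the shape of a /v1/query response. All identifiers are placeholders.
const SAMPLE_RESPONSE = {
  vulns: [{
    id: 'EXAMPLE-0001',
    aliases: ['CVE-0000-0001', 'EXAMPLE-ALIAS-0001'],
    summary: 'constructed sample record',
    severity: [{ type: 'CVSS_V3', score: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }],
    affected: [{
      package: { ecosystem: 'npm', name: 'sample-lib' },
      ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }, { fixed: '1.3.1' }] }],
    }],
  }],
};
```

A practitioner checking the "zero data exposure" claim can compare `osvQueryRequest(purl).body` against the SBOM component it came from: the body holds the ecosystem, the package name and the version, and nothing else. Note that `affected[]` is filtered to the queried package, since an OSV record can list several packages.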
SBOM Generation from Manifests
Don't have an SBOM? Upload any manifest file and TechnoSoluce generates a CycloneDX 1.5 or SPDX 2.3 SBOM in your browser. Outputs target standards compliance — review against your specific project and toolchain requirements.
Node.js / npm projects
Python / PyPI projects
Java / Maven projects
Go modules
Rust / Cargo projects
Accepts CycloneDX JSON/XML and SPDX JSON/RDF
CycloneDX 1.5 output
Generated SBOMs pass the official CycloneDX JSON schema validation without proprietary extensions. Includes components, vulnerabilities, and service definitions sections.
SPDX 2.3 output
Full SPDX 2.3 compliance — all required fields populated, SPDX identifiers assigned, relationship graph included. Passes SPDX spec validation.
NTIA minimum elements check
Generated SBOMs are checked against the NTIA minimum element fields. Missing or incomplete fields are flagged — review does not constitute NTIA certification or regulatory attestation.
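The manifest-to-SBOM step and the NTIA check above, as one added example that is not TechnoSoluce's generator: an npm lockfile (lockfileVersion 3, the `packages` map) is turned into a minimal CycloneDX 1.5 JSON BOM with components, purls, SRI hashes and a dependency graph, and the result is then checked against the seven NTIA minimum elements. A lockfile carries no supplier names, so the check flags exactly that gap, which is the kind of finding the paragraph above says to expect. `SAMPLE_LOCK`, the package names and the author are constructed input; the function names are chosen here; `serialNumber` is left to the caller since it needs a UUID source.

```javascript
// Added example (not TechnoSoluce code): npm lockfile (lockfileVersion 3)
// -> minimal CycloneDX 1.5 JSON BOM, then a check against the seven NTIA
// minimum elements. SAMPLE_LOCK and the package names are constructed input.
// Uses only atob/btoa, so it runs in a browser as well as in Node.

const SAMPLE_LOCK = {
  name: 'sample-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0', dependencies: { 'sample-lib': '^1.3.0' } },
    'node_modules/sample-lib': {
      version: '1.3.0',
      // SRI value for 64 bytes of 0x07, constructed for the example
      integrity: 'sha512-' + btoa(String.fromCharCode(...new Uint8Array(64).fill(7))),
      dependencies: { '@sample/util': '^2.0.0' },
    },
    'node_modules/@sample/util': { version: '2.1.0' },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// npm purl: the scope is a percent-encoded namespace, e.g. pkg:npm/%40sample/util@2.1.0
function npmPurl(name, version) {
  const path = name.startsWith('@')
    ? name.split('/').map((s, i) => (i === 0 ? encodeURIComponent(s) : s)).join('/')
    : name;
  return `pkg:npm/${path}@${version}`;
}

// npm resolution order: nearest node_modules first, then walk up to the root.
function resolveDepPath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (!base) return null; // not installed (e.g. an optional dependency)
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// SRI "sha512-<base64>" -> CycloneDX hashes entry with hex content
function integrityToHashes(integrity) {
  const names = { sha256: 'SHA-256', sha384: 'SHA-384', sha512: 'SHA-512' };
  if (!integrity) return undefined;
  const dash = integrity.indexOf('-');
  const alg = names[integrity.slice(0, dash)];
  if (!alg) return undefined;
  const hex = Array.from(atob(integrity.slice(dash + 1)), (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return [{ alg, content: hex }];
}

function lockfileToCycloneDx(lock, { author, timestamp }) {
  if (lock.lockfileVersion !== 3) throw new Error('expected lockfileVersion 3');
  const pkgs = lock.packages;
  const root = pkgs[''];
  const refOf = (path) => (path === '' ? npmPurl(root.name, root.version) : npmPurl(nameFromPath(path), pkgs[path].version));
  const components = new Map(); // bom-ref -> component, deduplicated by purl
  const dependsOn = new Map();  // bom-ref -> Set of bom-refs
  for (const [path, entry] of Object.entries(pkgs)) {
    const ref = refOf(path);
    if (path !== '' && !components.has(ref)) {
      const c = { type: 'library', 'bom-ref': ref, name: nameFromPath(path), version: entry.version, purl: ref };
      const hashes = integrityToHashes(entry.integrity);
      if (hashes) c.hashes = hashes;
      components.set(ref, c);
    }
    if (!dependsOn.has(ref)) dependsOn.set(ref, new Set());
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDepPath(pkgs, path, dep);
      if (target) dependsOn.get(ref).add(refOf(target));
    }
  }
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.5',
    version: 1,
    metadata: {
      timestamp,
      authors: [{ name: author }],
      component: { type: 'application', 'bom-ref': refOf(''), name: root.name, version: root.version, purl: refOf('') },
    },
    components: [...components.values()],
    dependencies: [...dependsOn].map(([ref, set]) => ({ ref, dependsOn: [...set] })),
  };
}

// NTIA minimum elements: supplier, component name, version, unique ID,
// dependency relationship, author of SBOM data, timestamp. Returns the gaps;
// an empty list means every element is present, not that the SBOM is correct.
function ntiaMinimumElementsCheck(bom) {
  const gaps = [];
  const md = bom.metadata || {};
  if (!md.timestamp) gaps.push('timestamp: metadata.timestamp missing');
  if (!(md.authors || []).some((a) => a && a.name)) gaps.push('author: metadata.authors missing');
  const withDeps = new Set((bom.dependencies || []).map((d) => d.ref));
  for (const c of bom.components || []) {
    const ref = c['bom-ref'] || c.name || '(unnamed)';
    if (!c.supplier || !c.supplier.name) gaps.push(`supplier: ${ref}`);
    if (!c.name) gaps.push(`component name: ${ref}`);
    if (!c.version) gaps.push(`version: ${ref}`);
    if (!c.purl && !c.cpe && !c.swid) gaps.push(`unique ID: ${ref}`);
    if (!withDeps.has(c['bom-ref'])) gaps.push(`dependency relationship: ${ref}`);
  }
  return gaps;
}
```

Every component gets a `dependencies` entry even when its `dependsOn` is empty, so a leaf is recorded as "has no dependencies" rather than "dependencies unknown"; that distinction is what the NTIA dependency-relationship element is about. Run the output through the official CycloneDX JSON schema before relying on it, as the section above advises.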
SBOM Library (reference catalog)
Reference SBOMs from widely used open-source packages, organized by category. Important: the app does not preload a library SBOM straight into your current analysis session. You typically download or export a baseline and re-import it to run analysis — a manual, higher-friction workflow. Suitable for exploration and rough comparisons; not a replacement for vendor-provided SBOMs or a seamless procurement baseline tool yet.
Browse by application category
Packages are grouped by application type to help you find references. Finding an entry is only the first step — you still need to import the SBOM into the analyzer separately.
5 ecosystems covered
SBOMs sourced directly from official registries: npm, PyPI, Maven Central, pkg.go.dev, and crates.io — verified metadata, no third-party intermediaries.
- npm (JavaScript / TypeScript)
- PyPI (Python)
- Maven Central (Java / JVM)
- pkg.go.dev (Go)
- crates.io (Rust)
Honest limits
Expect download/export-and-reload steps rather than one-click “analyze this baseline.” Coverage is curated, not complete for every package version. Use for orientation and demos; validate critical decisions against primary sources and vendor SBOMs.
Open library in app
Multi-Framework Compliance Mapping
Gap analysis mapped to eight frameworks; each gap cites the specific control clause and the relevant component in your SBOM. These are tool-generated indicators, not regulatory certifications.
- NTIA minimum elements: all seven validated: supplier, component, version, unique ID, dependency relationships, author, timestamp.
- NIST CSF: all five functions (Identify, Protect, Detect, Respond, Recover), plus C-SCRM controls from SP 800-161 Rev. 1.
- Supply chain security controls from Annex A, mapped to specific SBOM components and evidence narratives.
- SPDX 2.3 and CycloneDX 1.5 field completeness scoring; outputs validate against the published schemas without extensions.
- Software risk mapping for healthcare organizations required to protect ePHI in transmission and storage.
- Secure software development and supply chain risk management requirements for payment card environments.
- Software supply chain practices for DoD contractors handling CUI, mapped to NIST SP 800-171 controls.
- System and Services Acquisition and System and Information Integrity controls for federal cloud authorization.
All of this runs in your browser
All analysis runs in your browser — SBOM inventory, CVE queries, risk scoring, and report generation. Only package name and version leave your device for OSV lookups. See our Trust page for the full picture.