Software Bill of Materials (SBOM) generation is a critical requirement under the EU Cyber Resilience Act.
The CRA Compliance Suite makes SBOM creation effortless with automated tools designed specifically for WordPress plugin developers. Whether you’re managing a single plugin or an entire portfolio, our tools ensure you meet all CRA documentation requirements.
What Is an SBOM and Why Does It Matter?
An SBOM is a comprehensive, machine-readable inventory of all components, libraries, and dependencies in your WordPress plugin.
Think of it as a detailed ingredients list for your software, documenting every third-party library, framework, and code component that makes your plugin function. Under the CRA (Annex I, Part II), manufacturers of products with digital elements placed on the EU market must identify and document the components those products contain, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the product's top-level dependencies. Market surveillance authorities can request that SBOM, and enterprise customers and security researchers increasingly ask for it so they can see exactly which components are present and assess their exposure.
The transparency enabled by SBOMs is critical for modern software security management.
When a security vulnerability is discovered in a widely-used library like a JSON parser, HTTP client, or cryptographic library, an SBOM lets you answer "are we affected?" by matching the advisory's package identifier and affected version range against the components listed in the SBOM, with no manual code review or dependency analysis. This rapid identification shortens the window of exposure and helps you meet the CRA's reporting obligations, which include an early warning within 24 hours of becoming aware of an actively exploited vulnerability in your product.
Understanding SBOM Formats: CycloneDX vs SPDX
The industry recognizes two primary SBOM formats: CycloneDX and SPDX.
CycloneDX is OWASP’s lightweight SBOM standard designed specifically for agile organizations and DevSecOps workflows, emphasizing security and supply chain risk identification over broader software asset management. It works with XML, JSON, and protocol buffer data formats, making it highly interoperable with modern development tools and CI/CD pipelines. CycloneDX prioritizes machine-readability and automation, with a data structure optimized for vulnerability scanning, dependency tracking, and security analysis rather than general-purpose software cataloging.
The format includes rich metadata about security properties, vulnerability data, licensing information, and component provenance.
For WordPress plugin developers primarily concerned with security compliance and vulnerability management, CycloneDX is often the better choice because it’s specifically designed for these use cases and integrates seamlessly with security-focused development workflows.
SPDX (Software Package Data Exchange) was created by the Linux Foundation and was published as ISO/IEC 5962:2021, making it the first SBOM format backed by an international standard; CycloneDX 1.6 has since been standardised as ECMA-424 (2024), so both formats now have a formal standard behind them.
Large organizations often select SPDX when they need to manage both licenses and vulnerabilities across complex software portfolios, because the format grew out of license compliance work and excels at it: SPDX license identifiers and license expressions (standardized names for licenses and for combinations of them), file-level checksums for integrity verification, copyright and attribution information, and package supplier and download-location data for supply chain tracking. CycloneDX carries hashes, suppliers and licenses as well, but SPDX's license handling is the more mature of the two.
For WordPress plugin developers working with enterprise clients or selling to government agencies, providing SPDX-format SBOMs may be contractually required.
The CRA Compliance Suite supports both formats, allowing you to choose the standard that best fits your workflow or generate both for maximum compatibility.
Step 1: Prepare Your WordPress Plugin
Before generating your SBOM, ensure your plugin structure is properly organized.
Verify that your composer.json (for PHP dependencies) and package.json (for JavaScript dependencies) are current and complete, with accurate version constraints for every dependency. The difference between "^1.2.3" (any version from 1.2.3 up to, but not including, 2.0.0) and "~1.2.3" (from 1.2.3 up to, but not including, 1.3.0) matters for vulnerability tracking, because it decides which releases a fresh install may pull in. The exact versions you actually ship, however, are recorded only in the lock files (composer.lock, package-lock.json or yarn.lock), so commit them and keep them in sync with the manifests: an SBOM generated from a lock file reflects what was installed, while one generated from constraints alone does not.
Keep development dependencies in require-dev / devDependencies rather than mixing them with production dependencies, so the SBOM can mark them as such or leave them out of the release.
Our tool scans both PHP (via Composer) and JavaScript (via npm/yarn) dependencies automatically, but maintaining accurate package manifests ensures complete and accurate SBOM generation. Document any bundled vendor libraries, custom frameworks, or forked components that might not appear in standard package managers—these manually-managed dependencies are often the source of untracked vulnerabilities and compliance gaps.
Create a vendor directory or custom components directory with README files explaining what each bundled component is, what version it represents, where it came from, and why it’s bundled rather than managed through a package manager.
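As an added example (not code from the CRA Compliance Suite), the following Python script shows what a generator does with the manifests prepared in this step: it reads a composer.lock and a lockfile-version-3 package-lock.json (both constructed samples with fictitious package names), emits one CycloneDX 1.5 component per pinned package with a package URL (purl) and a scope that separates production from development dependencies, and wraps them in a minimal BOM. The `plugin:name@version` bom-ref used for the root component is a convention assumed here, not part of any standard.

```python
"""Turn a WordPress plugin's lock files into CycloneDX 1.5 components.

Added example (not CRA Compliance Suite code).  Exact versions come from
composer.lock and package-lock.json; the "^" / "~" constraints in
composer.json and package.json only bound what *could* be installed.
"""
import json
import uuid
from urllib.parse import quote

# Constructed sample lock files, trimmed to the fields used below.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-client", "version": "v3.2.1", "license": ["MIT"]},
        {"name": "example/streams", "version": "1.4.0", "license": ["MIT"]},
    ],
    "packages-dev": [
        {"name": "example/test-framework", "version": "9.6.0", "license": ["BSD-3-Clause"]},
    ],
})

PACKAGE_LOCK = json.dumps({
    "name": "example-plugin", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-plugin", "version": "1.0.0"},          # the plugin itself
        "node_modules/lodash": {"version": "4.17.21", "license": "MIT"},
        "node_modules/@example/hooks": {"version": "4.0.0", "license": "GPL-2.0-or-later"},
        "node_modules/@example/hooks/node_modules/lodash": {"version": "4.17.20", "license": "MIT"},
        "node_modules/eslint": {"version": "8.57.0", "dev": True, "license": "MIT"},
    },
})


def _component(purl, group, name, version, scope, licenses):
    """One CycloneDX component; the bom-ref reuses the purl so a dependency graph can refer to it."""
    comp = {"type": "library", "bom-ref": purl, "name": name, "version": version,
            "scope": scope, "purl": purl,
            # Composer and npm license strings are SPDX identifiers by convention.
            "licenses": [{"license": {"id": lic}} for lic in licenses]}
    if group:                       # "group" must be a string if present, so omit it otherwise
        comp["group"] = group
    return comp


def composer_components(lock_text):
    """Production packages get scope "required", require-dev packages scope "optional"."""
    lock = json.loads(lock_text)
    out = []
    for key, scope in (("packages", "required"), ("packages-dev", "optional")):
        for pkg in lock.get(key, []):
            vendor, name = pkg["name"].split("/", 1)
            version = pkg["version"].lstrip("v")        # lock files may carry a leading "v"
            purl = f"pkg:composer/{vendor}/{name}@{version}"
            out.append(_component(purl, vendor, name, version, scope, pkg.get("license", [])))
    return out


def npm_components(lock_text):
    """lockfileVersion 2/3 keys every installed package by its node_modules path,
    so nested copies (node_modules/a/node_modules/b) are captured as well."""
    lock = json.loads(lock_text)
    out = []
    for path, pkg in lock.get("packages", {}).items():
        if path == "":                                  # root entry is the plugin itself
            continue
        name = path.rsplit("node_modules/", 1)[1]
        group = None
        if name.startswith("@"):                        # scoped package: @scope/name
            group, base = name.split("/", 1)
            # purl spec: the "@" of an npm scope is percent-encoded as %40
            purl = f"pkg:npm/{quote(group, safe='')}/{base}@{pkg['version']}"
        else:
            base = name
            purl = f"pkg:npm/{base}@{pkg['version']}"
        scope = "optional" if pkg.get("dev") or pkg.get("devOptional") else "required"
        licenses = [pkg["license"]] if pkg.get("license") else []
        out.append(_component(purl, group, base, pkg["version"], scope, licenses))
    return out


def build_sbom(plugin_name, plugin_version, components):
    """Minimal CycloneDX 1.5 JSON document with the plugin as the root component."""
    unique = {c["bom-ref"]: c for c in components}      # same purl twice -> one entry
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"component": {"type": "application",
                                   "bom-ref": f"plugin:{plugin_name}@{plugin_version}",  # assumed convention
                                   "name": plugin_name, "version": plugin_version}},
        "components": list(unique.values()),
    }


if __name__ == "__main__":
    comps = composer_components(COMPOSER_LOCK) + npm_components(PACKAGE_LOCK)
    print(json.dumps(build_sbom("example-plugin", "1.0.0", comps), indent=2))
```

Scoping rather than dropping development dependencies keeps the choice with the consumer: a release SBOM can filter on `scope == "required"`, while an internal build SBOM keeps the test tooling visible.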
Step 2: Run the Automated SBOM Generator
Using the CRA Compliance Suite SBOM generator is straightforward.
Point the tool at your plugin directory (either through the web interface, command-line tool, or API), and it automatically analyzes your codebase through multiple detection mechanisms. It scans file structures looking for common dependency patterns, parses package manifests (composer.json, composer.lock, package.json, package-lock.json, yarn.lock) to identify declared dependencies, performs static code analysis to detect undeclared dependencies and bundled libraries, analyzes vendor directories for manually-managed code, and identifies WordPress-specific dependencies like required WordPress core functions or included WordPress libraries.
The generator captures not just direct dependencies but also transitive dependencies.
A single top-level dependency might pull in dozens of transitive dependencies, and vulnerabilities in these nested dependencies are just as dangerous as vulnerabilities in your direct dependencies. Within minutes of starting the scan, you receive a complete, standards-compliant SBOM in your chosen format (CycloneDX, SPDX, or both), ready for regulatory submission, vulnerability analysis, or integration into your security workflow.
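The lookup described earlier (which advisories touch this plugin?) and the transitive-dependency point above, together as an added Python example that is not the suite's code: a constructed CycloneDX SBOM with a three-level dependency graph and a constructed, fictitious advisory (EXAMPLE-0001, not a real CVE, with fictitious package names) in the shape of an OSV introduced/fixed range. The script matches the advisory's package URL against the components' purls and walks the SBOM's `dependencies` array to report every path by which the plugin reaches an affected component.

```python
"""Answer "is my plugin affected?" from a CycloneDX SBOM.

Added example (not CRA Compliance Suite code).  Given an advisory naming a
package and an affected version range, it finds matching components and
walks the SBOM's dependency graph so a transitive hit is reported with the
chain that pulls it in, not just its name.
"""
from collections import deque

# Constructed CycloneDX 1.5 SBOM: plugin -> http-client -> streams -> json.
# Package names and versions are fictitious.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "plugin:example-plugin@1.0.0",
                               "name": "example-plugin", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:composer/example/http-client@3.2.1", "group": "example",
         "name": "http-client", "version": "3.2.1", "purl": "pkg:composer/example/http-client@3.2.1"},
        {"type": "library", "bom-ref": "pkg:composer/example/streams@1.4.0", "group": "example",
         "name": "streams", "version": "1.4.0", "purl": "pkg:composer/example/streams@1.4.0"},
        {"type": "library", "bom-ref": "pkg:composer/example/json@2.0.0", "group": "example",
         "name": "json", "version": "2.0.0", "purl": "pkg:composer/example/json@2.0.0"},
    ],
    "dependencies": [
        {"ref": "plugin:example-plugin@1.0.0",
         "dependsOn": ["pkg:composer/example/http-client@3.2.1"]},
        {"ref": "pkg:composer/example/http-client@3.2.1",
         "dependsOn": ["pkg:composer/example/streams@1.4.0", "pkg:composer/example/json@2.0.0"]},
        {"ref": "pkg:composer/example/streams@1.4.0",
         "dependsOn": ["pkg:composer/example/json@2.0.0"]},
    ],
}

# Constructed, fictitious advisory (not a real vulnerability), OSV-style introduced/fixed range.
ADVISORY = {"id": "EXAMPLE-0001", "package": "pkg:composer/example/streams",
            "introduced": "1.0.0", "fixed": "1.5.0"}


def parse_version(v):
    """Dotted numeric versions only ("1.4.0" -> (1, 4, 0)); pre-release tags need a real semver parser."""
    return tuple(int(part) for part in v.lstrip("v").split("."))


def purl_without_version(purl):
    """pkg:type/ns/name@version?qualifiers -> pkg:type/ns/name.
    An npm scope is %40-encoded in a purl, so "@" only ever precedes the version."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def affected_components(sbom, advisory):
    """bom-refs of components matching the advisory's package with a version in [introduced, fixed)."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl and purl_without_version(purl) == advisory["package"]:
            if lo <= parse_version(comp["version"]) < hi:
                hits.append(comp["bom-ref"])
    return hits


def paths_to(sbom, target):
    """Every path from the root component to `target` through the dependencies graph (BFS, cycle-safe)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for nxt in graph.get(path[-1], []):
            if nxt not in path:                     # cycle guard
                queue.append(path + [nxt])
    return paths


def triage(sbom, advisory):
    """Map each affected bom-ref to the dependency paths that pull it in; an empty dict means not affected."""
    return {ref: paths_to(sbom, ref) for ref in affected_components(sbom, advisory)}


if __name__ == "__main__":
    for ref, paths in triage(SBOM, ADVISORY).items():
        print(f"{ADVISORY['id']} affects {ref}")
        for p in paths:
            print("  via " + " -> ".join(p))
```

The path matters for the fix as much as for the finding: a transitive hit is remediated by bumping the direct dependency on the path (here `example/http-client`) to a release that pulls in a fixed `example/streams`, not by editing the plugin's own manifest for a package it never named.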
Step 3: Review and Validate Your SBOM
After generation, carefully review the SBOM for completeness and accuracy.
The tool provides a visual interface showing all detected components, their versions, licenses, and relationships in an easy-to-navigate dependency tree with interactive features for drilling down into nested dependencies. The tree view shows both depth (how many levels of dependencies exist) and breadth (how many dependencies each component has), helping you understand your plugin’s complexity and potential vulnerability surface area.
You can manually add any components the automated scanner might have missed.
Pay special attention to bundled third-party code that might not be managed through package managers—these are often overlooked but critical for compliance because they represent untracked security risks. Common examples include JavaScript libraries included as static files, PHP classes copied from other projects, WordPress plugins or themes bundled as dependencies, and code snippets from Stack Overflow or tutorials.
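One way to catch the bundled files this paragraph warns about, as an added Python example rather than the suite's scanner: minified JavaScript libraries keep a preserved "/*! name vX.Y.Z" banner (the "!" tells minifiers not to strip the comment) and copied PHP classes often declare a version constant, so the script below scans a constructed plugin tree for both patterns and reconciles the hits against a constructed SBOM component list. The file contents, the SBOM, and the Parsedown-style version constant are sample data assumed here; the two regexes cover the banner styles in the sample and would need extending for other conventions.

```python
"""Find bundled third-party files that the lock files never saw.

Added example (not CRA Compliance Suite code).  Scans a plugin tree for
library banners and PHP version constants, then reports what the SBOM is
missing or lists at a different version.
"""
import re

# Constructed sample plugin tree: path -> leading bytes of the file.
FILES = {
    "assets/js/vendor/jquery.min.js":
        "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"
        "!function(e,t){ /* minified body */ }\n",
    "assets/js/vendor/chart.min.js":
        "/*!\n * Chart.js v4.4.0\n * https://www.chartjs.org\n"
        " * (c) 2023 Chart.js Contributors\n * Released under the MIT License\n */\n",
    "assets/js/app.js": "// first-party code, no banner\n",
    "lib/Parsedown.php": "<?php\nclass Parsedown\n{\n    const version = '1.7.4';\n",
}

# Constructed SBOM component list: jQuery is listed at the wrong version, the others are absent.
SBOM = {"components": [
    {"name": "jquery", "version": "3.6.0", "purl": "pkg:npm/jquery@3.6.0"},
    {"name": "http-client", "group": "example", "version": "3.2.1"},
]}

# "/*! jQuery v3.7.1 ..." and "/*!\n * Chart.js v4.4.0 ..." both match this.
BANNER_RE = re.compile(r"/\*!\s*\*?\s*([A-Za-z][\w.\-]*)\s+v?(\d+\.\d+\.\d+)")
# "class Foo ... const version = '1.7.4';" (the style Parsedown uses).
PHP_CLASS_RE = re.compile(r"class\s+(\w+).*?const\s+version\s*=\s*'(\d+\.\d+\.\d+)'", re.S)


def detect_bundled(files):
    """Return [(name, version, path)] for every file that declares a library name and version."""
    found = []
    for path, text in files.items():
        pattern = BANNER_RE if path.endswith(".js") else PHP_CLASS_RE
        m = pattern.search(text)
        if m:
            found.append((m.group(1), m.group(2), path))
    return found


def _norm(name):
    """Case-insensitive match, and "Chart.js" is the same component as "chart"."""
    name = name.lower()
    return name[:-3] if name.endswith(".js") else name


def reconcile(detected, sbom):
    """Split detections into those absent from the SBOM and those present at a different version."""
    listed = {_norm(c["name"]): c["version"] for c in sbom.get("components", [])}
    missing, mismatched = [], []
    for name, version, path in detected:
        known = listed.get(_norm(name))
        if known is None:
            missing.append((name, version, path))
        elif known != version:
            mismatched.append((name, version, known, path))
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = reconcile(detect_bundled(FILES), SBOM)
    for name, version, path in missing:
        print(f"not in SBOM: {name} {version} ({path})")
    for name, version, known, path in mismatched:
        print(f"version mismatch: {name} bundled {version}, SBOM says {known} ({path})")
```

A version mismatch is worth treating as seriously as a missing entry: an SBOM that lists jQuery 3.6.0 while the plugin ships 3.7.1 will give the wrong answer to exactly the "are we affected?" question the SBOM exists to answer.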
Review the license information for accuracy and completeness.
License obligations are a copyright and contract matter rather than a CRA requirement, but they surface in the same review, and the SPDX license identifiers in the SBOM make them checkable. The tool highlights potential issues like outdated components, known vulnerabilities, license incompatibilities, and missing metadata.
Step 4: Integrate SBOM Generation into Your CI/CD Pipeline
For ongoing compliance, integrate SBOM generation into your continuous integration and deployment pipeline.
The best place to generate SBOMs is within your CI/CD pipeline where your plugin’s build artifacts are created, ensuring every release has an accurate SBOM without manual intervention. The CRA Compliance Suite provides command-line tools, REST APIs, and pre-built integrations that automatically generate updated SBOMs whenever you build or release a new plugin version.
For GitHub Actions, add the SBOM generation step to your release workflow using our official action.
For GitLab CI, use our Docker container in your pipeline configuration. For Jenkins, install our Jenkins plugin that adds SBOM generation as a post-build step. Run SBOM generation as part of your standard build process, after dependency installation but before artifact packaging, so the SBOM reflects the exact dependencies included in your release artifact; install with development dependencies excluded (composer install --no-dev, npm ci --omit=dev) so that test and build tooling ends up in neither the ZIP nor the SBOM.
Store generated SBOMs as build artifacts alongside your plugin ZIP file.
This automation ensures your SBOM always reflects the current state of your product, eliminates manual documentation overhead, and enables continuous compliance monitoring where security tools can automatically analyze every build for vulnerabilities.
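A release gate for the pipeline step above, as an added Python example (not one of the suite's pipeline integrations): it reads vendor/composer/installed.json from inside a constructed release ZIP, compares the shipped packages with the production-scope purls in a constructed CycloneDX SBOM, and, when they agree, records the ZIP's SHA-256 on the SBOM's root component so the two files stay paired. The SBOM, the ZIP contents, and the package names are sample data assumed here; the stale-SBOM mismatch they produce is deliberate.

```python
"""Gate a release: does the SBOM describe exactly what is inside the ZIP?

Added example (not CRA Compliance Suite code).  Composer writes
vendor/composer/installed.json into every install, so the ZIP itself says
which packages shipped; comparing that with the SBOM catches an SBOM that
was generated before a dependency bump, before the ZIP is published.
"""
import hashlib
import io
import json
import zipfile

# Constructed CycloneDX 1.5 SBOM: still lists streams 1.4.0, but the build installed 1.5.0.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-plugin", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "example", "name": "http-client", "version": "3.2.1",
         "scope": "required", "purl": "pkg:composer/example/http-client@3.2.1"},
        {"type": "library", "group": "example", "name": "streams", "version": "1.4.0",
         "scope": "required", "purl": "pkg:composer/example/streams@1.4.0"},
        {"type": "library", "group": "example", "name": "test-framework", "version": "9.6.0",
         "scope": "optional", "purl": "pkg:composer/example/test-framework@9.6.0"},
    ],
}


def build_release_zip():
    """Constructed stand-in for the plugin ZIP a CI job produces after `composer install --no-dev`."""
    installed = {"packages": [
        {"name": "example/http-client", "version": "3.2.1"},
        {"name": "example/streams", "version": "v1.5.0"},
    ], "dev": False, "dev-package-names": []}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", "<?php\n/* Plugin Name: Example Plugin */\n")
        zf.writestr("example-plugin/vendor/composer/installed.json", json.dumps(installed))
    return buf.getvalue()


def shipped_purls(zip_bytes):
    """purls of the Composer packages actually inside the ZIP, read from vendor/composer/installed.json."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = next(n for n in zf.namelist() if n.endswith("vendor/composer/installed.json"))
        data = json.loads(zf.read(name))
    # Composer 2 wraps the list in {"packages": [...]}, Composer 1 wrote a bare list.
    packages = data["packages"] if isinstance(data, dict) else data
    return {f"pkg:composer/{p['name']}@{p['version'].lstrip('v')}" for p in packages}


def sbom_purls(sbom, scope="required"):
    """Composer purls the SBOM claims for one scope; dev packages are "optional" and must not ship."""
    return {c["purl"] for c in sbom["components"]
            if c.get("scope", "required") == scope and c.get("purl", "").startswith("pkg:composer/")}


def reconcile(sbom, zip_bytes):
    """Return (in ZIP but not SBOM, in SBOM but not ZIP); both empty means the SBOM matches the artifact."""
    shipped, declared = shipped_purls(zip_bytes), sbom_purls(sbom)
    return shipped - declared, declared - shipped


def stamp_artifact_hash(sbom, zip_bytes):
    """Record the ZIP's SHA-256 on the root component so the SBOM is tied to one specific file."""
    digest = hashlib.sha256(zip_bytes).hexdigest()
    sbom["metadata"]["component"]["hashes"] = [{"alg": "SHA-256", "content": digest}]
    return digest


if __name__ == "__main__":
    blob = build_release_zip()
    undeclared, stale = reconcile(SBOM, blob)
    if undeclared or stale:
        print("SBOM does not match release ZIP")
        print("  in ZIP, not in SBOM:", sorted(undeclared))
        print("  in SBOM, not in ZIP:", sorted(stale))
    else:
        stamp_artifact_hash(SBOM, blob)
        print(json.dumps(SBOM, indent=2))
```

In a real pipeline the reconcile step fails the build on any difference, and only a clean run stamps the hash and uploads the SBOM next to the ZIP; a consumer can then check the hash on the root component against the file they downloaded before trusting the inventory.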
Step 5: Enable Continuous SBOM Monitoring
CRA compliance requires keeping SBOMs current as dependencies change and new vulnerabilities are discovered.
Our suite monitors your dependencies in real-time and automatically alerts you when updates affect your SBOM, including when dependency versions change (new releases, security patches), when new vulnerabilities are discovered in existing dependencies (CVE disclosures), when licenses change (open-source projects sometimes relicense), and when components are deprecated or reach end-of-life.
Security findings are identified even for code you released months or years ago.
You’re notified within hours of a new vulnerability being disclosed. This matters because many security incidents stem from vulnerabilities in dependencies rather than first-party code, and the time between vulnerability disclosure and active exploitation is often measured in hours or days.
You can regenerate updated SBOMs with a single click or API call.
Start Creating Compliant SBOMs Today
SBOM generation is no longer optional for WordPress developers targeting EU markets.
Visit CRA Compliance Suite to access our automated SBOM tools and ensure your plugins meet all CRA documentation requirements. Create your first SBOM in minutes and establish a foundation for complete compliance with both CycloneDX and SPDX formats supported out of the box.
