Managing Software Bills of Materials (SBOMs)

Migrating from Sonatype to ProGet
Step-by-Step Guide & Best Practices

Software Bills of Materials (SBOMs) are increasingly used to support software supply chain visibility, vulnerability management, and compliance reporting.

Frameworks and regulatory initiatives such as the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) and Executive Order 14028 have increased organizational requirements for maintaining accurate and up-to-date dependency inventories across applications and builds.

Both Sonatype and ProGet support SBOM management workflows, but they differ in how these capabilities are deployed and maintained.

This article covers:

  • SBOM management in Sonatype vs ProGet
  • generating and uploading SBOMs
  • importing existing SBOMs

SBOM Management in Sonatype vs ProGet

In Sonatype environments, SBOM management is handled through a separate SBOM Manager rather than directly within the repository platform. This introduces additional installation, configuration, and maintenance requirements for managing SBOM storage, analysis, and compliance workflows.

Because SBOM workflows operate separately from the repository itself, organizations may also need to coordinate updates between repositories, build systems, and SBOM tooling to maintain accurate dependency records and compliance data.

ProGet integrates SBOM management directly within the platform alongside package management, SCA, builds, and policy workflows.

This allows SBOMs, dependency metadata, vulnerabilities, licenses, and compliance information to remain centralized within the same system used to manage packages and builds.

When dependencies change, ProGet automatically updates associated SBOM information, helping maintain accurate vulnerability, license, and dependency visibility across projects and releases.

ProGet also enriches SBOMs with additional metadata, including:

  • dependency relationships
  • vulnerability information
  • license data
  • project and release associations
  • audit and compliance history

This centralized approach reduces manual coordination while helping organizations maintain current and audit-ready SBOM data.

Generating and Uploading SBOMs

ProGet supports SBOM generation and ingestion workflows using standards such as CycloneDX and tools such as pgutil.

To generate and upload SBOMs, pgutil can be configured to connect directly to a ProGet instance. The pgutil builds scan command scans components, resolves dependencies, and uploads SBOM data into the centralized platform.

pgutil builds scan --project-name="Web Data Tool" --version=1.2.3

This workflow captures both direct and transitive dependencies while enriching SBOM data with additional metadata such as vulnerabilities, licenses, and compliance information.

Uploaded SBOMs can also be evaluated against organizational policies to support governance and compliance workflows.

Once uploaded, ProGet can:

  • create or update projects and releases
  • associate dependencies and transitive packages with releases
  • store SBOM documents alongside release records
  • audit components for vulnerabilities and license compliance
  • retain historical compliance and audit results

Importing Existing SBOMs

Existing SBOMs generated by external build systems or other tooling can also be imported into ProGet.

SBOM uploads can be performed through the UI or API, after which ProGet enriches imported SBOMs with additional metadata and compliance analysis.

Imported SBOMs can then participate in the same centralized governance workflows used for internally generated SBOMs, including:

  • vulnerability analysis
  • license compliance evaluation
  • release traceability
  • audit reporting
  • dependency tracking

This allows organizations migrating from existing SBOM systems to consolidate dependency visibility and compliance workflows within ProGet.
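The two sections above describe what a platform does with an SBOM once it has one: separate direct from transitive dependencies, then evaluate the components against license and vulnerability policy. The following is an added example, not ProGet's or pgutil's code, that performs both steps on a CycloneDX JSON document (the format named above) so the logic is visible. It assumes the SBOM carries a metadata.component bom-ref as the root of the dependencies graph and, optionally, a vulnerabilities list; the sample SBOM, the vulnerability id EXAMPLE-VULN-0001, and the policy values are constructed for this example and are not ProGet policy definitions.

```python
"""Classify CycloneDX components as direct or transitive and evaluate a simple policy.

Added example (not ProGet's or pgutil's code). Assumptions: the SBOM is CycloneDX
JSON with a metadata.component bom-ref, a dependencies graph, and an optional
vulnerabilities list; the policy is a constructed license denylist plus a
maximum tolerated vulnerability severity.
"""
import json
from collections import deque

# Constructed sample SBOM: one application with two direct dependencies and one
# transitive dependency that carries both a denied license and a vulnerability.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "Web Data Tool",
                               "version": "1.2.3", "bom-ref": "app:web-data-tool@1.2.3"}},
    "components": [
        {"type": "library", "name": "json-lib", "version": "2.0.0",
         "bom-ref": "pkg:nuget/json-lib@2.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "http-lib", "version": "5.1.0",
         "bom-ref": "pkg:nuget/http-lib@5.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "legacy-crypto", "version": "0.9.1",
         "bom-ref": "pkg:nuget/legacy-crypto@0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app:web-data-tool@1.2.3",
         "dependsOn": ["pkg:nuget/json-lib@2.0.0", "pkg:nuget/http-lib@5.1.0"]},
        {"ref": "pkg:nuget/http-lib@5.1.0", "dependsOn": ["pkg:nuget/legacy-crypto@0.9.1"]},
        {"ref": "pkg:nuget/json-lib@2.0.0", "dependsOn": []},
        {"ref": "pkg:nuget/legacy-crypto@0.9.1", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",  # placeholder id, constructed for this sample
         "affects": [{"ref": "pkg:nuget/legacy-crypto@0.9.1"}],
         "ratings": [{"severity": "high"}]},
    ],
})

# Constructed organizational policy (an assumption for this example).
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "max_severity": "medium",
}
SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def classify_dependencies(bom):
    """Return {bom-ref: depth} for every component reachable from the root.

    Depth 1 is a direct dependency; depth 2 or more is transitive. A breadth-first
    walk records the shortest path, so a package pulled in both directly and
    transitively is reported as direct.
    """
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in graph.get(current, []):
            if child not in depth:  # also guards against cycles in the graph
                depth[child] = depth[current] + 1
                queue.append(child)
    depth.pop(root)
    return depth


def evaluate_policy(bom, policy):
    """Return (bom-ref, reason) findings for license and vulnerability violations."""
    findings = []
    for comp in bom.get("components", []):
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in policy["denied_licenses"]:
                findings.append((comp["bom-ref"], f"denied license {lic_id}"))
    limit = SEVERITY_RANK[policy["max_severity"]]
    for vuln in bom.get("vulnerabilities", []):
        worst = max((SEVERITY_RANK.get(r.get("severity", "none"), 0)
                     for r in vuln.get("ratings", [])), default=0)
        if worst > limit:
            for affected in vuln.get("affects", []):
                findings.append((affected["ref"],
                                 f"vulnerability {vuln['id']} exceeds max severity"))
    return findings


def audit_sbom(sbom_json, policy=POLICY):
    """Parse, classify and evaluate an SBOM; the report can drive a CI gate."""
    bom = json.loads(sbom_json)
    depth = classify_dependencies(bom)
    findings = evaluate_policy(bom, policy)
    return {
        "direct": sorted(ref for ref, d in depth.items() if d == 1),
        "transitive": sorted(ref for ref, d in depth.items() if d >= 2),
        "findings": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

The same function accepts an SBOM produced by an external build system, which is the "importing existing SBOMs" case: the dependencies graph and vulnerabilities list are parsed identically whether the document was generated in-house or elsewhere, and a missing vulnerabilities section simply yields no severity findings.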

Conclusion

ProGet integrates SBOM management directly into package management, SCA, builds, and governance workflows.

Using pgutil and integrated SBOM workflows, organizations can generate, upload, manage, and audit SBOMs within the same platform used to manage packages and dependencies.

By centralizing dependency metadata, vulnerabilities, licenses, and compliance information, ProGet helps organizations maintain current and audit-ready SBOMs across projects, releases, and builds.

To help preserve package data, SBOMs, builds, and compliance records over time, ProGet also includes integrated storage, backup, and recovery workflows, covered in the next article.