CRA Compliance - Feature Request - Official SBOM for Each Xojo Release

Hi everyone,

I’d like to bring a bit more attention to an issue that will very soon affect all of us developing and distributing software in the EU.

With the Cyber Resilience Act (CRA), every software vendor in the EU will be required to provide a Software Bill of Materials (SBOM) for their products. This is not optional, and it’s not a distant future topic — it’s something we need to be prepared for.

That’s why I created a Feature Request asking Xojo to provide an official SBOM for each release:

https://tracker.xojo.com/xojoinc/xojo/-/issues/81203

The core idea:
We, as developers, are responsible for our own application SBOMs — but without a clear and transparent SBOM from Xojo itself, we’re effectively missing a critical part of the supply chain.

The request includes:

  • SBOM per release version
  • Platform-specific breakdowns for Desktop, Mobile, Web (Client & Server)
  • OS-specific breakdowns for MacOS, Windows, Linux, iOS, Android
  • Clear scope (only Xojo components, not project dependencies)
  • Context on when components are actually included (e.g. only when using features like WebMapViewer)

Why this matters:

Right now, if you want to create a compliant SBOM, you either have to guess, reverse-engineer, or over-report dependencies — none of which is acceptable in a regulatory context.

This is not about adding “nice-to-have” features.
This is about basic transparency that will soon be legally expected from every software vendor operating in the EU and from software developers developing for their own company.

If you think this is relevant (and realistically, it will be for most of us), I’d really appreciate your support and vote on the Feature Request.

The more visibility this gets, the higher the chance it will be prioritized.

Thanks for reading — and I’m curious to hear how others are currently dealing with this topic.

Daniel

4 Likes

Thanks for opening the issue.

To complete a SBOM, plugin vendors like MBS or Einhugur also have to provide a list of dependencies. Are they aware of this?

I don’t know yet, but we can ask…

@Christian_Schmitz: Can you provide a SBOM for your plugins?

Looks like I may have to sit down and make one. So I have one when someone from the government asks.

The SBOM doesn’t need to be public as far as I see.

We already have a list of libraries used.

I would assume that you write your own SBOM and list Xojo with version as well as the plugins you use with the versions. And maybe for each plugin what part of it you use or why.

Sigh… it seems that the CRA is for solo developers, too. What a lovely idea (not).

Anyone else not even understand what they would want?

How could ‘the mysterious they’ even stop me selling my software if I failed to ‘comply’?

The online services I can find about this seem to demand access to a github or similar archive.

I don’t have one, I don’t want one, they can’t have my source code.

1 Like

Maybe you should start reading about the CRA before complaining: Cyber Resilience Act | Shaping Europe’s digital future

No one wants access to GitHub or your source code - all you have to do is make a SBOM, and follow the guidelines if a security breach in your software happens…

No one wants access to GitHub or your source code

These guys do (the first one I investigated). They are not alone.

Me, I don’t understand what the SBOM is.

I trawled through the CRA website and I am none the wiser.

Most automated tools (unsurprisingly) expect to see source code in C#, Java, etc.

follow the guidelines if a security breach in your software

My software cannot have a security breach, as it does not handle any secure data.

Think supply chain attack. Xojo can have a security breach or use some infected code. They make an infected release and our software carries that infection. Our software could steal sensitive data. My old app has full disk access, AppleScript permissions and has access to IMAP passwords. The new app has also full disk access and permissions to read the contacts.

4 Likes

A list of all libraries and dependencies used in your software. Have a look at this thread, there are (incomplete) examples: Xojo Web 2.0 and Cyber Resilience Act (CRA) Compliance – Looking for Insights

The goal of the SBOM is to allow anyone to know to which security issues (CVE for example) your software might be vulnerable, see for example this tool: dependency track (https://dependencytrack.org/).

You provide the SBOM, it lists the vulnerabilities. Then you analyze whether or not your software needs to take care of them.

I can give you one interesting example: in my company, we have a Rust program for which there is a vulnerability if you are able to inject corrupted dates. As the program does not accept any date through stdin or a file, there is no risk. But if the customer does the analysis and complains that you have a vulnerability, you can explain why in fact this is not the case.

To sum up, with a SBOM and tools like dependency track, you can keep track of your vulnerabilities (and thus the customer can do the same). It is up to you to decide what to do with them.

You may also be very surprised to see how many different vulnerabilities you can stumble upon (as shown in my date example). We would never have expected you could do something with corrupted dates!

2 Likes
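As an added illustration of the workflow described in the post above (not code from the thread or from any of the tools or vendors it names): a minimal CycloneDX-style SBOM for a hypothetical Xojo app that lists the Xojo version and the plugins used, a constructed advisory feed standing in for what Dependency-Track would match against, and a VEX-style analysis that records the "not reachable" reasoning from the corrupted-dates example. All component versions, advisory IDs and analysis text are constructed placeholders.

```python
import re

# Added example, not from the thread: a minimal CycloneDX-style SBOM for a
# hypothetical Xojo desktop app listing the Xojo version and the plugins used.
# Every version number and advisory ID below is a constructed placeholder.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "MyApp", "version": "3.2.0"}},
    "components": [
        {"type": "framework", "name": "Xojo", "version": "2024r3"},
        {"type": "library", "name": "MBS Xojo Plugins", "version": "24.5"},
        {"type": "library", "name": "Einhugur Plugins", "version": "2024.1"},
    ],
}

# Constructed advisory feed, standing in for the vulnerability databases that a
# tool such as Dependency-Track matches an SBOM against.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "name": "MBS Xojo Plugins", "fixed_in": "24.6"},
    {"id": "EXAMPLE-2024-0002", "name": "Xojo", "fixed_in": "2024r2"},
]

# The vendor's own analysis of a finding, in the spirit of the "corrupted dates"
# reasoning above: a VEX-style statement that the affected code is not reachable.
ANALYSIS = {
    "EXAMPLE-2024-0001": {"state": "not_affected", "justification": "code_not_reachable",
                          "detail": "The app never feeds external input to the affected API."},
}

def version_key(version):
    """Turn strings like '2024r3' or '24.5' into an int tuple for ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def match_vulnerabilities(sbom, advisories):
    """Return (name, version, advisory id) for every component below the fixed version."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and version_key(comp["version"]) < version_key(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

def triage(hits, analysis):
    """Attach the analysis state to each hit; findings without one stay 'in_triage'."""
    return [{"component": name, "version": ver, "advisory": adv_id,
             "state": analysis.get(adv_id, {}).get("state", "in_triage")}
            for name, ver, adv_id in hits]
```

Running `triage(match_vulnerabilities(SBOM, ADVISORIES), ANALYSIS)` flags only the MBS plugin entry (Xojo 2024r3 is already past the constructed fix version) and reports it as `not_affected` because of the recorded analysis.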

The claim that an SBOM must generally be published under the Cyber Resilience Act is not accurate.

A closer look at the Cyber Resilience Act (EU) 2024/2847 shows a more nuanced position:

  • Recital 77 states that manufacturers should identify and document software components, including by drawing up a Software Bill of Materials (SBOM). It also explicitly clarifies that manufacturers should not be required to make the SBOM publicly available.
  • The SBOM is part of the technical documentation (see Article 10 in conjunction with Annex V) and is primarily intended for:
    • internal risk assessment
    • vulnerability management
    • demonstrating compliance to market surveillance authorities
  • Disclosure obligations toward third parties exist only:
    • upon request by competent authorities
    • in contractual contexts (for example B2B agreements)
    • or if specified by future implementing acts

A general obligation to publish the SBOM publicly, for example on a website, does not follow from the regulation.

In practice, this means:

Yes, an SBOM enables transparency regarding potential CVEs, both for manufacturers and customers. However, the CRA does not follow a full disclosure by default approach. It is based on a risk-oriented governance model.

In situations such as:

  • dependency on third-party stacks
  • delayed update cycles (for example quarterly releases)

unrestricted public disclosure may even introduce additional exposure without improving security in the short term.

In summary:

  • maintaining an SBOM is required
  • keeping it up to date and using it internally is required
  • providing it upon request is required
  • publishing it publicly is not generally required

The core responsibility under the CRA lies in continuous vulnerability management, not in mandatory public disclosure.

2 Likes

Gemini said: “There is software that can do that”…

Have you asked an AI for details?

That’s correct. However, since we use Xojo to develop our solutions, we need the Xojo SBOM and the ability to extend it with our external dependencies to meet compliance requirements.

This isn’t an administrative requirement, and there’s a good reason why it’s required of independent developers as well.

A hacker could insert malicious code into a repository (you have no idea how often this happens) for a library you, or Xojo, use.
In that case, your solution would become a potential threat, even if you, or Xojo, were aware of it.
With the SBOM, you, or the company you work for, can easily uncover potential threats when the original library issue is made public.

I introduced the mandatory SBOM requirement a year before the CRA was released because I had already seen situations in action where the use of a library in good faith had become a major security issue.

3 Likes

Please stop using AI to write your posts in the human section of the forum. We have a special AI forum category where you’re welcome to do that.

5 Likes

You want to tell me which tool I use? I think you didn’t get that this post is not about AI but the CRA and thus doesn’t belong in the AI section. And I use whatever tool is appropriate to fulfill my tasks easiest and fastest, as long as it’s not offending anyone; why shouldn’t I? Please tell me, because I don’t understand your point.

Probably it’s a good time to rethink your post?

2 Likes

In every question and answer community I participate in on reddit, using AI to write your post for you is considered plagiarism and gets you a ban. I don’t have to tell you which tool you’re using, I’m trained on spotting it in communities of 22 million subscribers. I ban people for it daily.

It’s disrespectful to us, who come here to participate with humans in discussion. If I wanted to read unverified AI slop, I’d go ask AI myself.

Update: gptzero.me confirms all of your posts are 100% AI generated. You don’t even get credit for reviewing and making human interjections anywhere.

3 Likes

Hey guess what. It is.

You are. Myself, the people that have liked my posts asking you to stop, and the people too afraid to speak up. Note that this started as a peaceful request.

To clarify, I do. I let your first two slop posts slide because the point needed to be made that Xojo didn’t have a SBOM. I know this because I’ve been dealing with their lack of clarity for six years. I do think Xojo’s SBOM should be public, so that people who are looking to self-host Web Apps don’t have to spend years digging into undocumented dependencies.

Please appropriately tag all of your future AI conversations by placing it in the AI category.

2 Likes

I understand your frustration.

But I think your reaction is very exaggerated, starting with the claim that a text is AI-generated. That’s a serious accusation and an insult addressed to the person who posted it if they actually wrote it themselves.

It’s an insult to the person’s years of experience. It is an insult to the truth of what they’re posting.

It’s an insult to the time that person dedicates to publishing an opinion.

In my opinion, it’s more probable that the AI copied my observations, given my knowledge and experience.

It’s important to point out that the XOJO forum rules don’t explicitly prohibit AI-generated comments.

I don’t doubt your expertise in detecting that a text is AI-generated. But I seriously doubt your authority on the XOJO forum.

1 Like