Quality Scoring
Not all SBOMs are created equal. A document that only lists package names and versions is far less useful than one that includes licence data, checksums, and provenance metadata. The quality score measures how complete and standards-compliant your SBOM actually is.
How scoring works
After generation, each SBOM is evaluated automatically. The quality score ranges from 0 to 10 and is accompanied by a letter grade (A through F). The score is computed across multiple dimensions:
Identification
Whether components are properly named, versioned, and uniquely identifiable through package URLs.
Provenance
Presence of authorship metadata, creation timestamps, and tool information that establish the SBOM's origin.
Integrity
Checksums and hash values that allow consumers to verify component authenticity.
Completeness
Coverage of key SBOM fields — how many components include all expected metadata rather than just a name and version.
Licensing
Quality of licence information across components, including valid SPDX identifiers and licence expressions.
Vulnerability metadata
Security-relevant annotations such as known vulnerability references and patch status.
Structural conformance
How well the document adheres to the CycloneDX specification, including required fields and valid enumerations.
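An added illustration of the dimensions above, not the product's own scoring code: a small Python scorer that reads a constructed CycloneDX document and rates it along each dimension. The per-dimension heuristics, the equal weighting, the SPDX identifier subset and the letter-grade cut-offs are assumptions made for the example.

```python
import json

# Constructed CycloneDX 1.5 document used as sample input (not any real project's SBOM).
# "right-pad" carries every field; "left-pad" lacks purl, hashes and licence data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z",
                 "tools": [{"name": "example-tool", "version": "0.1"}],
                 "authors": [{"name": "build-bot"}]},
    "components": [
        {"type": "library", "name": "right-pad", "version": "1.0.0",
         "purl": "pkg:npm/right-pad@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})
# CycloneDX component types, and a small assumed subset of SPDX licence identifiers.
COMPONENT_TYPES = {"application", "framework", "library", "container",
                   "operating-system", "device", "firmware", "file"}
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-3.0-only"}

def _ratio(comps, pred):
    """Fraction of components satisfying pred (0.0 for an empty list)."""
    return sum(1 for c in comps if pred(c)) / len(comps) if comps else 0.0

def _identified(c):
    return all(c.get(k) for k in ("name", "version", "purl"))

def _licensed(c):
    return any(l.get("license", {}).get("id") in SPDX_IDS or "expression" in l
               for l in c.get("licenses", []))

def score_dimensions(bom):
    """Score each dimension named on the page from 0.0 to 1.0 (heuristics are assumed)."""
    comps, meta = bom.get("components", []), bom.get("metadata", {})
    conformant = bom.get("bomFormat") == "CycloneDX" and bool(bom.get("specVersion"))
    return {
        "identification": _ratio(comps, _identified),
        "provenance": sum(bool(meta.get(k)) for k in ("timestamp", "tools", "authors")) / 3,
        "integrity": _ratio(comps, lambda c: bool(c.get("hashes"))),
        "completeness": _ratio(comps, lambda c: _identified(c) and c.get("hashes") and _licensed(c)),
        "licensing": _ratio(comps, _licensed),
        "vulnerability_metadata": 1.0 if bom.get("vulnerabilities") else 0.0,
        "conformance": _ratio(comps, lambda c: c.get("type") in COMPONENT_TYPES) if conformant else 0.0,
    }

def grade(bom):
    """Unweighted mean of the dimensions scaled to 0..10 plus an assumed letter scale."""
    dims = score_dimensions(bom)
    score = round(10 * sum(dims.values()) / len(dims), 1)
    letter = next(g for g, cut in (("A", 9), ("B", 7), ("C", 5), ("D", 3), ("F", 0)) if score >= cut)
    return score, letter

if __name__ == "__main__":
    print(grade(json.loads(SBOM_JSON)))  # (5.7, 'C') for the sample above
```

Dropping a purl, a hash list or a licence from one component lowers several dimensions at once, which is why a single under-described dependency can move the overall grade noticeably.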
Tracking over time
The score and grade are displayed in the dashboard alongside the component count, letting teams track SBOM quality over time and across repositories. A declining score can signal that new dependencies are being added without proper metadata, while a consistently high score demonstrates supply chain governance maturity.