SBOMs for CRA Compliance in DevExpress-Based Apps — Preview Now Open
If you ship apps to customers in the EU, the Cyber Resilience Act (CRA) will require a Software Bill of Materials (SBOM) as part of your conformity documentation. SBOM generation and CRA compliance are top priorities for DevExpress, and CycloneDX SBOM files for our .NET NuGet packages are now available as a preview. We are looking for feedback to help us refine our solution before a broader release.
Why This Matters
Regulatory expectations around software supply chain transparency have moved from emerging practice to a baseline requirement over the past five years:
- 2021 — SBOM became a key requirement of the US Executive Order 14028 on Improving the Nation's Cybersecurity.
- 2022 — Microsoft open-sourced its SBOM generation tool, signaling SBOM as a standard part of the build pipeline.
- 2024 — Germany's BSI TR-03183 Part 2 made SBOM delivery mandatory for products in scope. The EU Cyber Resilience Act (CRA) adopted the same requirement and entered into force on December 10, 2024, with a three-year transition period. Manufacturers selling digital products in the EU must produce and maintain SBOMs for conformity assessment.
- 2026 — CRA vulnerability reporting obligations apply from September 11, 2026, ahead of full applicability on December 11, 2027.
Under the CRA, the SBOM obligation falls on the manufacturer of the finished product. You can run an SBOM generation tool against your project and assemble most of what you need. But tools that read package manifests cannot reliably see bundled NPM assets, statically-linked code, or license attribution for third-party components embedded at build time. A vendor-signed SBOM fills these gaps and serves as stronger evidence than tool-derived data. Note that a vendor SBOM describes only the vendor's packages: you still merge it into the SBOM for your own product, which remains your responsibility as the manufacturer. Our goal is to provide SBOMs that fit cleanly into workflows you already use.
What's Available Today (Preview)
DevExpress publishes digitally signed CycloneDX 1.6 SBOM files for our .NET NuGet packages. Each SBOM is regenerated with every build. These files use our production format and signing pipeline; "preview" status reflects ongoing metadata alignment with the NTIA Minimum Elements and BSI TR-03183, not file quality.
Each SBOM:
- Lists first-party and third-party dependencies, including transitive dependencies.
- Includes a dependency graph for the package it describes.
- Lists corresponding NPM packages and their transitive dependencies when DevExpress .NET packages bundle client-side NPM assets.
- Marks NPM devDependencies (used during development but not shipped) with "scope": "excluded" for transparency.
These files can be consumed by standard SBOM analysis tools, including Dependency-Track, Trivy, and Grype.
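Before feeding a vendor SBOM into a scanner, it is worth checking what it actually contains: which components ship (versus those marked "scope": "excluded"), what the dependency graph reaches from the described package, and whether each entry carries the NTIA minimum elements (supplier, name, version, unique identifier, plus a document timestamp and author). The script below is an added example, not DevExpress code and not one of the preview files; it runs against a constructed CycloneDX 1.6 JSON document embedded inline (package names, versions and the vendor name are made up), using only the Python standard library. Signature verification is deliberately left out because the page does not say which signing scheme the files use.

```python
import json
from collections import deque

# Constructed sample CycloneDX 1.6 JSON (not a real DevExpress SBOM): a .NET
# package that bundles a client-side NPM asset, plus one NPM devDependency
# carried with scope "excluded" and no supplier field.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-01T00:00:00Z",
    "supplier": {"name": "Example Vendor"},
    "component": {"type": "library", "name": "Example.Package", "version": "1.0.0",
                  "bom-ref": "pkg:nuget/Example.Package@1.0.0",
                  "purl": "pkg:nuget/Example.Package@1.0.0"}
  },
  "components": [
    {"type": "library", "name": "Example.Core", "version": "1.0.0",
     "bom-ref": "pkg:nuget/Example.Core@1.0.0", "purl": "pkg:nuget/Example.Core@1.0.0",
     "supplier": {"name": "Example Vendor"}},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
     "supplier": {"name": "npm community"}},
    {"type": "library", "name": "eslint", "version": "8.0.0", "scope": "excluded",
     "bom-ref": "pkg:npm/eslint@8.0.0", "purl": "pkg:npm/eslint@8.0.0"}
  ],
  "dependencies": [
    {"ref": "pkg:nuget/Example.Package@1.0.0", "dependsOn": ["pkg:nuget/Example.Core@1.0.0"]},
    {"ref": "pkg:nuget/Example.Core@1.0.0", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
    {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []}
  ]
}
""")


def shipped_components(bom):
    """Components that ship in the product: everything not marked scope "excluded"."""
    return [c for c in bom.get("components", []) if c.get("scope") != "excluded"]


def excluded_components(bom):
    """Components present for transparency only (e.g. NPM devDependencies)."""
    return [c for c in bom.get("components", []) if c.get("scope") == "excluded"]


def transitive_deps(bom, root=None):
    """Breadth-first walk of the CycloneDX dependency graph; returns the set of
    bom-refs reachable from root (default: the package the SBOM describes)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = root or bom["metadata"]["component"]["bom-ref"]
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def unreachable_components(bom):
    """Shipped components the graph never reaches from the root. A non-empty
    result means the dependency relationships are incomplete."""
    reachable = transitive_deps(bom)
    return [c["bom-ref"] for c in shipped_components(bom) if c["bom-ref"] not in reachable]


def ntia_gaps(bom):
    """Map each bom-ref (or "<document>") to the NTIA minimum elements it lacks:
    supplier, name, version, unique identifier; document timestamp and author."""
    gaps = {}
    for c in bom.get("components", []):
        missing = [f for f in ("name", "version") if not c.get(f)]
        if not c.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not (c.get("purl") or c.get("cpe") or c.get("bom-ref")):
            missing.append("identifier")
        if missing:
            gaps[c.get("bom-ref", c.get("name"))] = missing
    meta = bom.get("metadata", {})
    doc = [] if meta.get("timestamp") else ["timestamp"]
    # CycloneDX 1.6 allows metadata.supplier, metadata.authors or metadata.manufacturer
    if not (meta.get("supplier") or meta.get("authors") or meta.get("manufacturer")):
        doc.append("author")
    if doc:
        gaps["<document>"] = doc
    return gaps


if __name__ == "__main__":
    print("shipped:   ", [c["bom-ref"] for c in shipped_components(SAMPLE_BOM)])
    print("excluded:  ", [c["bom-ref"] for c in excluded_components(SAMPLE_BOM)])
    print("reachable: ", sorted(transitive_deps(SAMPLE_BOM)))
    print("orphans:   ", unreachable_components(SAMPLE_BOM))
    print("NTIA gaps: ", ntia_gaps(SAMPLE_BOM))
```

Two results to watch in practice: `unreachable_components` should be empty for a well-formed vendor SBOM (a component listed but never reached from the root is either a graph bug or an asset bundled outside the package manager), and `ntia_gaps` tells you which metadata alignment the preview still has to close. Once a file passes these checks, the same JSON can go straight into the scanners named above, for example `trivy sbom bom.json` or `grype sbom:bom.json`, or be uploaded to a Dependency-Track project.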
Current Scope
This first release covers DevExpress .NET product packages (Blazor, WinForms, WPF, ASP.NET Core, Web Forms, MVC, and shared component libraries) published on NuGet.org for our current shipping version (v25.2.6). It does not yet cover VCL or DevExtreme product libraries, installers, demos, packages from our private NuGet feed, standalone assembly-level SBOMs, or earlier package versions. We are starting with this narrow scope so we can refine output based on customer requirements before broadening coverage.
Your Feedback Matters
Our SBOM preview is now open to additional participants — particularly developers working on compliance, supply chain security, or vulnerability management for applications built with DevExpress components.
If you are willing to test our SBOM files in your existing tooling and share what works (and what does not), please complete the survey below. After you submit, our team will contact you with download access and next steps. Survey participants also get a direct line to the product team. If you would prefer to discuss specifics outside the survey, you can also open a private support ticket.