SBOM Coverage Calculator
Enter your component counts to get a weighted SBOM coverage score in seconds. Built for security engineers, compliance teams, and DevSecOps pipelines.
Last updated: April 2026
This calculator is designed for real-world usage based on typical engineering scenarios and publicly available documentation.
The SBOM coverage calculator measures how complete your software bill of materials is across three dimensions: component documentation, metadata quality, and vulnerability assessment coverage. Security teams use it to quantify SBOM gaps before an audit, compliance review, or customer due diligence request.

A high component coverage score means you have captured most of your supply chain, but it does not tell the full story. During an incident you match advisories against exact versions and hashes, and an entry that carries only a package name cannot be matched; without license data it cannot pass a compliance review either. That is why metadata completeness is weighted into the score. VEX (Vulnerability Exploitability eXchange) coverage shows what fraction of your SBOM entries carry an explicit exploitability status (affected, not affected, fixed, or under investigation), which customers and auditors increasingly expect alongside SBOMs produced under the EU Cyber Resilience Act, the NTIA minimum elements, and NIST SSDF.

The weighted score (60% component coverage, 25% metadata completeness, 15% VEX coverage) reflects the usual prioritisation: getting components into the SBOM is the hardest step and drives the most value. Note that the metadata and VEX ratios are measured against documented components only, so they say nothing about what the SBOM is missing. Use the breakdown to identify your biggest gap and target tooling investment accordingly. Many organisations score below 60% on their first SBOM audit; scores above 80% are strong for complex polyglot codebases, and 100% is rare but achievable with automated SBOM generation integrated into CI/CD.
How to Calculate SBOM Coverage Score
1. Count your total known components: all direct and transitive dependencies across every repo and container image in scope. This is the denominator, so an incomplete inventory inflates the score.
2. Count how many of those components appear in your SBOM. This is your component coverage numerator.
3. Of the documented components, count those with complete metadata: a known license, a pinned version, and a cryptographic hash.
4. Of the documented components, count those covered by a VEX statement with one of the four statuses: affected, not affected, fixed, or under investigation. An "affected" entry still counts as assessed; what matters is that the status is explicit rather than unknown.
5. The calculator applies the weighted formula, Coverage (60%) + Metadata (25%) + VEX (15%), to produce your overall SBOM score.
Formula
Component Coverage = (SBOM Documented ÷ Total Components) × 100
Metadata Completeness = (Complete Metadata ÷ SBOM Documented) × 100
VEX Coverage = (VEX Assessed ÷ SBOM Documented) × 100
SBOM Score = (Component Coverage × 0.60)
+ (Metadata Completeness × 0.25)
+ (VEX Coverage × 0.15)
SBOM Documented — components captured in your SBOM out of all known components
Complete Metadata — SBOM entries with license, pinned version, and cryptographic hash
VEX Assessed — SBOM entries with an explicit vulnerability exploitability statement
SBOM Score — weighted quality score from 0–100

Example SBOM Coverage Calculations
Example 1 — Mid-size SaaS product, first SBOM audit
Total components: 200
SBOM documented: 160
Complete metadata: 120
VEX assessed: 80
Component Coverage = 160 ÷ 200 × 100 = 80.0%
Metadata Completeness = 120 ÷ 160 × 100 = 75.0%
VEX Coverage = 80 ÷ 160 × 100 = 50.0%
SBOM Score = (80.0 × 0.60) + (75.0 × 0.25) + (50.0 × 0.15)
= 48.0 + 18.75 + 7.5 = 74.3%

Example 2 — Mature DevSecOps pipeline with automated SBOM generation
Total components: 500
SBOM documented: 490
Complete metadata: 460
VEX assessed: 420
Component Coverage = 490 ÷ 500 × 100 = 98.0%
Metadata Completeness = 460 ÷ 490 × 100 = 93.88%
VEX Coverage = 420 ÷ 490 × 100 = 85.71%
SBOM Score = (98.0 × 0.60) + (93.88 × 0.25) + (85.71 × 0.15)
= 58.8 + 23.47 + 12.86 = 95.1%

Example 3 — Legacy monolith, partial inventory
Total components: 350
SBOM documented: 175
Complete metadata: 105
VEX assessed: 35
Component Coverage = 175 ÷ 350 × 100 = 50.0%
Metadata Completeness = 105 ÷ 175 × 100 = 60.0%
VEX Coverage = 35 ÷ 175 × 100 = 20.0%
SBOM Score = (50.0 × 0.60) + (60.0 × 0.25) + (20.0 × 0.15)
= 30.0 + 15.0 + 3.0 = 48.0%
Action: prioritise automated dependency scanning to close the 50% component gap first. Weighted, that gap costs 30 of the 52 points lost, more than the metadata gap (10 points) and the VEX gap (12 points) combined.

Tips to Improve Your SBOM Coverage Score
- › Automate SBOM generation in CI/CD with tools like Syft, Trivy, or CycloneDX generators — manual inventories degrade within weeks as dependencies update.
- › Use package manager lock files (package-lock.json, Cargo.lock, Gemfile.lock) as the authoritative source for application dependencies; they capture exact versions and transitive deps automatically. Lock files say nothing about OS packages in container base images, so pair them with an image scanner (Syft and Trivy both inventory OS packages) to keep the total-components denominator honest.
- › Prioritise metadata completeness for direct dependencies first — they account for the most risk and are easiest to audit. Transitive deps can follow in a second pass.
- › Produce VEX documents in the OpenVEX format (vexctl can create, merge, and attest them) and attach them at build time rather than after deployment. Scanners such as Grype and Trivy consume VEX to suppress findings marked not_affected, so an assessed SBOM also cuts triage noise.
- › Run SBOM diff on every PR to catch new dependencies before they land in main — early detection keeps coverage high without manual triage.
- › Target 80%+ component coverage before investing heavily in VEX tooling — component coverage is the highest-weight factor and prerequisite for meaningful vulnerability tracking.
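Putting the five-step procedure and the formula above into code, as an added example that is not part of the calculator page: the script reads a CycloneDX JSON SBOM and an OpenVEX document (both constructed inline here), derives the four counts, applies the weighted formula with the range checks the calculator leaves implicit, and names the dimension that loses the most weighted points. The `new_components` helper is the per-PR SBOM diff from the tips. Components are matched on purl; a real pipeline would also match CycloneDX `bom-ref`s. The sample documents, the placeholder vulnerability names and the inventory count of five are assumptions.

```python
"""Score a CycloneDX SBOM with the page's weighted formula (added example,
not the calculator's code; CycloneDX 1.5 JSON and OpenVEX are assumed)."""
import json

WEIGHTS = {"coverage": 0.60, "metadata": 0.25, "vex": 0.15}
# The four OpenVEX status values; any other string is not an assessment.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed sample SBOM: two of the four components carry a license,
# a pinned version and a hash; the other two are incomplete.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
    {"type": "library", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7", "licenses": [{"expression": "MIT"}],
     "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
    {"type": "library", "name": "idna", "version": "3.4",
     "purl": "pkg:pypi/idna@3.4"},                  # no license, no hash
    {"type": "library", "name": "certifi", "purl": "pkg:pypi/certifi"},  # no version
]})
# Constructed "main branch" SBOM for the per-PR diff: the same minus certifi.
_base = json.loads(SAMPLE_SBOM)
_base["components"].pop()
SAMPLE_SBOM_BASE = json.dumps(_base)

# Constructed OpenVEX document; vulnerability names are placeholders, not
# real advisory identifiers. Only two of the four purls get a valid status.
SAMPLE_VEX = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample", "statements": [
    {"vulnerability": {"name": "EXAMPLE-0001"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "products": [{"@id": "pkg:pypi/requests@2.31.0"}]},
    {"vulnerability": {"name": "EXAMPLE-0002"}, "status": "fixed",
     "products": [{"@id": "pkg:pypi/urllib3@2.0.7"}]},
    {"vulnerability": {"name": "EXAMPLE-0003"}, "status": "pending",   # invalid
     "products": [{"@id": "pkg:pypi/idna@3.4"}]},
]})

def load_components(sbom_json):
    """Map purl -> component for every purl-bearing entry in the SBOM."""
    doc = json.loads(sbom_json)
    return {c["purl"]: c for c in doc.get("components", []) if c.get("purl")}

def has_complete_metadata(comp):
    """License (id, name or SPDX expression), pinned version, and a hash."""
    has_license = any("expression" in lic or lic.get("license", {}).get("id")
                      or lic.get("license", {}).get("name")
                      for lic in comp.get("licenses", []))
    has_hash = any(h.get("content") for h in comp.get("hashes", []))
    return bool(has_license and comp.get("version") and has_hash)

def vex_assessed_purls(vex_json):
    """Purls with at least one statement carrying a valid OpenVEX status."""
    purls = set()
    for stmt in json.loads(vex_json).get("statements", []):
        if stmt.get("status") in VEX_STATUSES:
            purls.update(p["@id"] for p in stmt.get("products", []) if "@id" in p)
    return purls

def score_from_counts(total, documented, complete, assessed):
    """The page's formula on raw counts, plus the sanity checks it omits."""
    if total <= 0 or not 0 < documented <= total:
        raise ValueError("need 0 < documented <= total")
    if not (0 <= complete <= documented and 0 <= assessed <= documented):
        raise ValueError("metadata/VEX counts cannot exceed documented")
    parts = {"coverage": 100.0 * documented / total,
             "metadata": 100.0 * complete / documented,
             "vex": 100.0 * assessed / documented}
    parts["score"] = sum(parts[k] * WEIGHTS[k] for k in WEIGHTS)
    # Weighted points lost per dimension: where tooling spend pays off most.
    lost = {k: (100.0 - parts[k]) * WEIGHTS[k] for k in WEIGHTS}
    parts["biggest_gap"] = max(lost, key=lost.get)
    return parts

def score_sbom(total_components, sbom_json, vex_json):
    """Derive the four counts from real documents, then score them."""
    comps = load_components(sbom_json)
    assessed = vex_assessed_purls(vex_json)
    return score_from_counts(total_components, len(comps),
                             sum(has_complete_metadata(c) for c in comps.values()),
                             sum(1 for purl in comps if purl in assessed))

def new_components(base_sbom_json, pr_sbom_json):
    """The per-PR SBOM diff from the tips: purls the PR adds relative to main."""
    return sorted(set(load_components(pr_sbom_json)) - set(load_components(base_sbom_json)))

if __name__ == "__main__":
    # The inventory lists five components; the SBOM documents four of them.
    print(json.dumps(score_sbom(5, SAMPLE_SBOM, SAMPLE_VEX), indent=2))
    print("added by PR:", new_components(SAMPLE_SBOM_BASE, SAMPLE_SBOM))
```

With the sample inputs the breakdown is 80% coverage, 50% metadata, 50% VEX and a score of 68.0, and `biggest_gap` reports `metadata`, because the gap is ranked by weighted points lost rather than by raw percentage. Feed the script the SBOM attached to the artefact you actually deploy, not one generated from the repository alone, or the documented count will be wrong in both directions.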
Notes
- › The score is only as good as the total-components count you enter: components you do not know about are missing from the denominator, so an incomplete inventory inflates coverage rather than lowering it.
- › Validate the counts against what is actually deployed (the built image or artefact), not against the repository alone.