Generate CSAF Documents with BOMnipotent v1.6
The latest BOMnipotent release introduces a minimal format for CSAF generation.
Writing valid CSAF Documents is difficult. A standard that aims to satisfy such a plethora of use cases necessarily becomes very complex. Which fields are required? Under which conditions? How do I construct my product tree? Which identifiers did I use there? At which places do I have to insert the current date?
There are tools like Secvisogram to support the creation of CSAF documents. But, to quote Thomas Schmidt at the CSAF Community Days 2025, “Secvisogram was never intended to be user friendly.” Well, BOMnipotent is.
Beginning with version 1.6, BOMnipotent offers a minimal, programmatic input format to generate CSAF documents. You create a short TOML file in which you specify which vulnerability you investigated and to what extent your products are affected. BOMnipotent does the rest: it constructs the product tree from the BOMs on your server and fills in the blanks.
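To make the pain points above concrete, here is an added illustrative example (not BOMnipotent's code and not its TOML schema): a small Python function that takes a constructed product list, as a BOM might provide it, plus a minimal "vulnerability and affectedness" input, and assembles a CSAF 2.0 advisory skeleton in which product identifiers are derived once and reused, release dates are filled in automatically, and a status that refers to a product missing from the BOM is rejected. The vendor name, publisher namespace and input key names are assumptions made for this example.

```python
from datetime import datetime, timezone

# Constructed sample of what a BOM on the server might list (illustrative values only).
BOM_COMPONENTS = [{"name": "widget-server", "version": "2.3.1"},
                  {"name": "widget-server", "version": "2.4.0"}]

# Constructed minimal input: which vulnerability, and how each product version is
# affected. Key names are assumed for this example; they are not BOMnipotent's TOML schema.
MINIMAL_INPUT = {"cve": "CVE-0000-00000",  # placeholder, not a real advisory id
                 "status": {"widget-server 2.3.1": "known_affected",
                            "widget-server 2.4.0": "fixed"}}

def product_id(name, version):
    """Derive a stable product_id so product_tree and product_status always agree."""
    return f"{name}-{version}".replace(" ", "-")

def build_csaf(bom, minimal, vendor="Example Vendor", now=None):
    """Assemble a CSAF 2.0 advisory skeleton; dates and ids are filled in, not typed."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    known = {f'{c["name"]} {c["version"]}': c for c in bom}
    unknown = set(minimal["status"]) - set(known)
    if unknown:  # a status for a product the BOM does not know would dangle
        raise ValueError(f"status refers to products not in BOM: {sorted(unknown)}")
    branches, status = [], {}
    for full, comp in known.items():
        pid = product_id(comp["name"], comp["version"])
        branches.append({"category": "product_version", "name": comp["version"],
                         "product": {"name": full, "product_id": pid}})
        if full in minimal["status"]:
            status.setdefault(minimal["status"][full], []).append(pid)
    return {
        "document": {
            "category": "csaf_security_advisory", "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": vendor,
                          "namespace": "https://example.invalid"},  # placeholder namespace
            "title": f'{vendor} advisory for {minimal["cve"]}',
            "tracking": {"id": f'{vendor.upper().replace(" ", "-")}-{minimal["cve"]}',
                         "status": "final", "version": "1",
                         "initial_release_date": now, "current_release_date": now,
                         "revision_history": [{"date": now, "number": "1",
                                               "summary": "Initial release"}]}},
        "product_tree": {"branches": [{"category": "vendor", "name": vendor,
                                       "branches": branches}]},
        "vulnerabilities": [{"cve": minimal["cve"], "product_status": status}]}
```

Every product_id named under product_status is guaranteed to exist in product_tree, which is exactly the cross-reference that is easy to get wrong when writing CSAF by hand.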
You can find detailed instructions on the format in the documentation.