# SBOM Risk Scorer

> CISA CPG 6.1 Supply Chain SBOM Review: analyze CycloneDX or SPDX SBOMs for Vulnerability Debt and gatekeeping evidence. Summarizes vulnerability debt and flags EOL and critical-CVE components for Accept/Reject decisions.

Tags: CISA CPG, SBOM, Supply Chain, Critical Infrastructure, Vulnerability Management

## Example Prompts

- Draft our Accept/Reject criteria for new software using our CycloneDX SBOM
- Summarize vulnerability debt from sbom.json for CPG 6.1 evidence
- Flag EOL and critical CVE components in our SBOM for the supply chain gate
- Document the SBOM review procedure for our water utility (CPG 6.1)

URL: https://rakenne.app/skills/sbom-risk-scorer/index.md

Try this skill: https://rakenne.app/a/?skill=sbom-risk-scorer

## Overview

CISA CPG 6.1 Supply Chain SBOM Review: analyze CycloneDX or SPDX SBOMs for Vulnerability Debt and gatekeeping evidence. Two extension tools—**sbom_vulnerability_debt_summary** and **critical_component_checker**—produce a Vulnerability Debt summary and flag components with End-of-Life (EOL) status or critical CVEs so you can document Accept/Reject criteria and evidence for the gate.

## Example Conversation

> **You:** We need to document our Accept/Reject gate for new software per CISA CPG 6.1. We have a CycloneDX SBOM in the repo—summarize the vulnerability debt and flag any EOL or critical CVE components.

> **Agent:** I'll run **sbom_vulnerability_debt_summary** on the SBOM to produce the Vulnerability Debt summary, then **critical_component_checker** to list EOL and critical-CVE components. I'll use that to draft the Accept/Reject criteria and evidence for your procedure.

> **Agent:** Summary: [debt summary]. Critical component check: [EOL/critical CVE list]. I've added a short procedure section that states: Reject if any component is EOL in a critical path or has an unmitigated critical CVE; Accept only after remediation or documented risk acceptance. Attach these reports as evidence.

## Output Excerpt

Excerpt from a Vulnerability Debt summary and **critical_component_checker** report produced by the skill.

**sbom_vulnerability_debt_summary (excerpt):**

```
=== SBOM Vulnerability Debt Summary ===
SBOM: sbom.json (CycloneDX 1.5)
Components: 142
Vulnerabilities (embedded): 8 total — Critical: 1, High: 2, Medium: 3, Low: 2
Narrative: One critical CVE in log4j-core; two high in httpclient and jackson-databind. Recommend remediation or risk acceptance before Accept. EOL status should be checked with critical_component_checker.
```

**critical_component_checker report (excerpt):**

```
=== Critical Component Check ===
EOL components: lib-openssl-1.1.1 (lifecycle: end-of-life)
Critical CVE components: org.apache.logging.log4j:log4j-core:2.14.1 (CVE-2021-44228)
Action: Reject until remediated or risk-accepted. Document in procedure and attach this report for CPG 6.1 evidence.
```

## Extension Tools

- **sbom_vulnerability_debt_summary** — Reads a CycloneDX or SPDX JSON SBOM and outputs component count plus, when the BOM has embedded vulnerability data (CycloneDX), counts by severity and a short narrative. Use for CPG 6.1 evidence and Accept/Reject criteria.
- **critical_component_checker** — Flags components with End-of-Life (EOL) status (from CycloneDX component lifecycle) or critical CVEs (from embedded BOM vulnerabilities). Use to populate the Reject list and to document which components must be remediated or risk-accepted before Accept.
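The two tools above boil down to one pass over the BOM: count embedded vulnerabilities by their worst rating, flag components marked EOL, and map critical CVEs back to the components they affect via `bom-ref`. The following is an added illustration written for this page, not the skill's own code; it assumes a constructed CycloneDX 1.5 fragment, that EOL is carried as a component property named `lifecycle` with value `end-of-life` (the skill's actual marker may differ), and uses a placeholder CVE id for the second finding.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.5 fragment for illustration only (not the page's sbom.json).
# EOL marker is assumed to be a component property "lifecycle"="end-of-life".
# CVE-EXAMPLE-0001 is a placeholder id, not a real advisory.
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
   "name": "log4j-core", "version": "2.14.1"},
  {"bom-ref": "pkg:generic/lib-openssl@1.1.1", "name": "lib-openssl", "version": "1.1.1",
   "properties": [{"name": "lifecycle", "value": "end-of-life"}]},
  {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8",
   "name": "jackson-databind", "version": "2.9.8"}],
 "vulnerabilities": [
  {"id": "CVE-2021-44228", "ratings": [{"severity": "critical"}],
   "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
  {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "medium"}, {"severity": "high"}],
   "affects": [{"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"}]}]}
""")

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]

def worst_severity(vuln):
    # A vulnerability may carry several ratings (NVD, vendor, ...); gate on the worst one.
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])] or ["unknown"]
    return min(sevs, key=lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else 99)

def review_sbom(bom):
    comps = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    vulns = bom.get("vulnerabilities", [])
    by_sev = Counter(worst_severity(v) for v in vulns)
    # EOL list: components whose assumed lifecycle property says end-of-life.
    eol = sorted(f"{c['name']}@{c['version']}" for c in comps.values()
                 if any(p.get("name") == "lifecycle" and p.get("value") == "end-of-life"
                        for p in c.get("properties", [])))
    # Critical list: resolve each critical vulnerability's affects[].ref to a component.
    critical = []
    for v in vulns:
        if worst_severity(v) != "critical":
            continue
        for a in v.get("affects", []):
            c = comps.get(a.get("ref"))
            if c:
                critical.append(f"{c['name']}@{c['version']} ({v.get('id')})")
    decision = "Reject" if eol or critical else "Accept"  # gate rule from the procedure above
    return {"components": len(bom.get("components", [])), "by_severity": dict(by_sev),
            "eol": eol, "critical": sorted(critical), "decision": decision}
```

Running `review_sbom(SAMPLE_BOM)` on the constructed BOM yields one critical and one high finding, one EOL component, and a Reject decision; the same logic applies unchanged to a full sbom.json loaded from disk.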

## Getting Started

Add your SBOM file (CycloneDX or SPDX JSON) to the project workspace and activate the *SBOM Risk Scorer* skill. Run the two tools on the SBOM, then use the outputs to document your Supply Chain SBOM Review procedure and Accept/Reject criteria for CPG 6.1.


