Help

Frequently asked questions.

Answers to common questions about using EndoScan.

Getting started
What is EndoScan?

EndoScan is an SBOM risk intelligence platform. Upload CycloneDX or SPDX inventories and EndoScan enriches them with vulnerability data from OSV.dev and lifecycle data from endoflife.date. Components that cross configured thresholds trigger alerts routed to the owner of the affected application.

Who is EndoScan for?

Software teams, security engineers, and anyone responsible for tracking the health of a portfolio of applications. Particularly useful if your build pipeline already generates SBOMs and you need a structured way to act on what's inside them.

How do I create an account?

Go to /register, fill in your name, email, and a password of at least 10 characters. A verification email is sent immediately — click the link before signing in for the first time.

Is email verification required?

Yes. Verification is required before you can use the platform. This ensures alerts and notifications reach a valid address and prevents account misuse.

Applications & SBOMs
What is an "application" in EndoScan?

An application is the unit of tracking. It represents a software project, service, or product you want to monitor. Each application has an owner, a slug used in URLs, and holds its own upload history, scan results, inventory, alerts, and share links.

What SBOM formats are supported?

CycloneDX JSON and SPDX JSON. Both are detected automatically on upload — you do not need to specify the format. Downloads are available in the same two formats, generated on the fly from stored component data.

What happens when I upload a new SBOM?

The previous upload is automatically archived and the new one becomes current. Components are extracted, normalized by PURL, and sent to the background enrichment pipeline. You can track progress in real time from the application page and you'll receive a notification when the scan completes.

Can I compare two SBOM versions?

Yes. From the inventory page, select any two uploads and EndoScan shows a side-by-side diff: added, removed, changed, and unchanged components.
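The two answers above describe one pipeline: detect the upload's format, pull out every component under its PURL, and diff the result against an earlier upload. The block below is an added example written for this FAQ, not EndoScan's own code; the two SBOM documents it uses are constructed sample input, and the field names it reads (bomFormat, components[].purl for CycloneDX; spdxVersion, packages[].externalRefs[] with referenceType "purl" for SPDX) are the ones the two specifications define.

```python
"""Detect an upload's SBOM format, extract its components keyed by PURL and
diff two uploads. Added example for this FAQ; it is not EndoScan's own code.
Both documents below are constructed sample input."""
import json

# Constructed sample: first upload, CycloneDX 1.5 JSON.
CYCLONEDX_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
    ],
})

# Constructed sample: second upload of the same project as SPDX 2.3 JSON,
# after a lodash upgrade and a swap of express for fastify. SPDX carries the
# PURL in an externalRefs entry rather than a top-level field.
SPDX_V2 = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"name": "fastify", "versionInfo": "4.26.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/fastify@4.26.0"}]},
    ],
})


def detect_format(raw: str) -> str:
    """Identify the format from the document's own marker fields, so the
    uploader never has to declare it."""
    doc = json.loads(raw)
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def split_purl(purl: str) -> tuple:
    """Return (version-less PURL, version). Subpath and qualifiers are dropped
    from the key; an '@' inside a namespace is percent-encoded per the PURL
    spec, so the last '@' always separates the version."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    base, sep, version = core.rpartition("@")
    return (base, version) if sep else (core, "")


def extract_components(raw: str) -> dict:
    """Map version-less PURL -> version. Components without a PURL are
    skipped: without one there is nothing to match against OSV."""
    doc = json.loads(raw)
    purls = []
    if detect_format(raw) == "cyclonedx":
        purls = [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    else:
        for pkg in doc.get("packages", []):
            purls += [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                      if r.get("referenceType") == "purl"]
    return dict(split_purl(p) for p in purls)


def diff_inventories(old: dict, new: dict) -> dict:
    """Side-by-side diff of two extracted inventories: added, removed,
    changed (same package, different version) and unchanged."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old
                          if k in new and old[k] != new[k]),
        "unchanged": sorted(k for k in old if k in new and old[k] == new[k]),
    }


if __name__ == "__main__":
    print(diff_inventories(extract_components(CYCLONEDX_V1),
                           extract_components(SPDX_V2)))
```

Keying the diff on the version-less PURL is what lets a CycloneDX upload be compared with a later SPDX one: the component identity survives the format change, while name-only matching would break on ecosystems where the same name exists in several registries.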

Can I upload the same SBOM twice?

Uploads are deduplicated by the SHA-256 checksum of the file. A byte-for-byte identical file is rejected. A reprocessed or regenerated SBOM with any content change is accepted as a new upload. In practice that includes most regenerations of an unchanged project, because generators write a fresh timestamp (and, for CycloneDX, a fresh serialNumber) into the document on every run, which changes the checksum even though the component list is the same.

How long are uploaded files kept?

Raw SBOM files are retained on disk for 90 days by default (configurable). The database record — including the full scan result and inventory — is kept permanently. Only the original file is removed after the retention window.

Vulnerability & lifecycle data
Where does vulnerability data come from?

OSV.dev — an open, ecosystem-aware vulnerability database maintained by Google. It covers hundreds of package ecosystems including npm, PyPI, Maven, Go, Cargo, and more.

Where does lifecycle data come from?

endoflife.date — a community-maintained dataset of release cycles, support windows, and end-of-life dates for components, runtimes, and operating systems.

How fresh is the enrichment data?

Vulnerability data is cached with a 7-day TTL. Lifecycle data is cached with a 30-day TTL. When the cache expires, the next scan for that component fetches fresh data from the provider. Components shared across applications reuse the same cache.

What does "Fixed in version X.Y.Z" mean?

When a vulnerability has a known fix, EndoScan shows the earliest version that resolves it. This is taken from the "fixed" events in the affected version ranges published in OSV advisories. If no fix has been released yet, the vulnerability is marked "No fix available". Advisories that patch several release lines carry one fixed version per range, so check that the version shown is on the release line you are actually using.
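How a "Fixed in" value falls out of an OSV advisory, as an added example written for this FAQ rather than EndoScan's code. The advisory is a constructed document shaped like the OSV schema (affected[].package, affected[].ranges[].events[] with introduced/fixed events); its id and package names are made up, and the version ordering is a deliberate simplification noted in the code.

```python
"""Derive the "Fixed in" version for a component from an OSV advisory's
affected ranges. Added example for this FAQ, not EndoScan's code. ADVISORY
is a constructed document shaped like the OSV schema; the id and package
names are made up."""
from typing import Optional

ADVISORY = {
    "id": "SAMPLE-ADVISORY-1",
    "affected": [
        {   # two supported release lines, each with its own fix
            "package": {"ecosystem": "npm", "name": "widget",
                        "purl": "pkg:npm/widget"},
            "ranges": [{"type": "SEMVER", "events": [
                {"introduced": "1.0.0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.0"},
            ]}],
        },
        {   # no fixed event at all: everything from 0 is affected
            "package": {"ecosystem": "npm", "name": "gadget",
                        "purl": "pkg:npm/gadget"},
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        },
    ],
}


def version_key(v: str) -> tuple:
    """Simplified ordering: dotted integers, non-numeric parts count as 0.
    Production matching must use the ecosystem's rules (semver for npm,
    PEP 440 for PyPI, ...), which this deliberately does not attempt."""
    key = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def fixed_versions(advisory: dict, purl_base: str, installed: str) -> list:
    """All (applies_to_installed, fixed_version) pairs for the package."""
    out = []
    for aff in advisory.get("affected", []):
        if aff.get("package", {}).get("purl") != purl_base:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") == "GIT":
                continue  # commit hashes cannot be ordered as versions
            start = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = ev["introduced"]
                elif "fixed" in ev and start is not None:
                    applies = (version_key(start) <= version_key(installed)
                               < version_key(ev["fixed"]))
                    out.append((applies, ev["fixed"]))
                    start = None
                # a last_affected event closes a range without a fix: skipped
    return out


def fixed_in(advisory: dict, purl_base: str, installed: str) -> Optional[str]:
    """Version to show as "Fixed in", or None for "No fix available".
    Prefers the fix on the installed version's own release line and falls
    back to the earliest fix, which is what a plain label would show."""
    fixes = fixed_versions(advisory, purl_base, installed)
    if not fixes:
        return None
    own_line = [v for applies, v in fixes if applies]
    return min(own_line or [v for _, v in fixes], key=version_key)
```

The fallback is the caveat from the answer above in code form: for an installed widget 2.0.5 the earliest fix overall is 1.4.2, which is useless to someone on the 2.x line, so the range the installed version sits in wins when it is known.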

Can I suppress a vulnerability?

Yes. From the inventory page, expand a component's vulnerability list and click Suppress on any vulnerability. Choose a reason (false positive, mitigated, or risk accepted) and optionally set an expiry date. Suppressed vulnerabilities remain visible but are dimmed and excluded from risk calculations. You can unsuppress at any time.

What is the application risk score?

A composite score from 0 (no risk) to 100 (critical risk) shown on the dashboard for each application. It is calculated from weighted factors: critical and high vulnerabilities, medium-severity issues, end-of-life components, and how recently the application was scanned. Each factor is capped so no single category can dominate the score.
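What "weighted and capped" means in practice, as an added example for this FAQ. The weights, caps and grace period are illustrative assumptions chosen so the capping is visible; they are not EndoScan's published formula, and the function is not EndoScan's code.

```python
"""Composite 0-100 application risk score from capped, weighted factors.
Added example for this FAQ. WEIGHTS, CAPS and STALE_GRACE_DAYS are
illustrative assumptions, not EndoScan's published formula."""
from datetime import date

# Assumed points per finding and the ceiling per category. The ceiling is
# what keeps one category (say, 300 medium findings) from dominating.
WEIGHTS = {"critical_high": 10, "medium": 2, "eol": 5}
CAPS = {"critical_high": 50, "medium": 20, "eol": 20, "stale": 10}
STALE_GRACE_DAYS = 7   # no staleness points for scans younger than a week


def risk_score(critical_high: int, medium: int, eol: int,
               last_scan: date, today: date) -> dict:
    """Return the per-factor contributions and the capped total."""
    parts = {
        key: min(count * WEIGHTS[key], CAPS[key])
        for key, count in (("critical_high", critical_high),
                           ("medium", medium), ("eol", eol))
    }
    # One point per day beyond the grace window; an application that has not
    # been scanned for a year still tops out at the staleness cap.
    stale_days = max(0, (today - last_scan).days - STALE_GRACE_DAYS)
    parts["stale"] = min(stale_days, CAPS["stale"])
    parts["total"] = min(sum(parts.values()), 100)
    return parts
```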

What is a PURL?

A Package URL (PURL) is a standardised identifier for a software package — for example pkg:npm/lodash@4.17.21. EndoScan uses PURLs as the primary component identity, which enables consistent vulnerability and lifecycle matching across ecosystems.
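Matching "across ecosystems" only works if two spellings of the same package collapse to one identity, which is what PURL canonicalisation gives you. The parser below is an added example for this FAQ, not EndoScan's parser: it implements the generic grammar (pkg:type/namespace/name@version?qualifiers#subpath) plus two of the specification's type-specific rules (pypi and github) and omits the rest.

```python
"""Parse a Package URL into its parts and rebuild the canonical form.
Added example for this FAQ, not EndoScan's parser. Generic PURL grammar
plus the pypi and github type rules only."""
from urllib.parse import quote, unquote


def parse_purl(purl: str) -> dict:
    if purl[:4].lower() != "pkg:":
        raise ValueError("a PURL starts with 'pkg:'")
    rest = purl[4:].lstrip("/")              # tolerate the non-canonical pkg://
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    if "@" in rest:                          # an '@' in a name is encoded as %40
        rest, version = rest.rsplit("@", 1)
    else:
        version = ""
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError("a PURL needs at least a type and a name")
    ptype = ptype.lower()
    namespace, name = "/".join(segments[:-1]) or None, segments[-1]
    if ptype == "pypi":                      # spec: lowercase, '_' becomes '-'
        name = name.lower().replace("_", "-")
    elif ptype == "github":                  # spec: namespace and name lowercase
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version) or None, "qualifiers": quals,
            "subpath": unquote(subpath) or None}


def canonical(p: dict) -> str:
    """Rebuild the canonical string: percent-encoded segments, qualifiers
    sorted by key. Two PURLs name the same component iff their canonical
    strings are equal."""
    out = "pkg:" + p["type"] + "/"
    if p["namespace"]:
        out += "/".join(quote(s, safe="") for s in p["namespace"].split("/")) + "/"
    out += quote(p["name"], safe="")
    if p["version"]:
        out += "@" + quote(p["version"], safe="")
    if p["qualifiers"]:
        out += "?" + "&".join(k + "=" + quote(v, safe="")
                              for k, v in sorted(p["qualifiers"].items()))
    if p["subpath"]:
        out += "#" + p["subpath"]
    return out
```

A scoped npm package shows why the percent-encoding matters: pkg:npm/%40angular/core@12.0.0 has the namespace "@angular", and decoding too early would make the "@" look like the version separator.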

Compliance & licensing
What compliance frameworks are supported?

EndoScan maps scan data to controls from ISO 27001 (Annex A), SOC 2 (Trust Services Criteria), and PCI-DSS v4.0. Each control shows a pass/fail/review status based on live evidence from your most recent scan. The compliance report is available from the inventory or application page.

How does license compliance work?

License expressions are extracted automatically from uploaded SBOMs (both CycloneDX and SPDX formats). You can define a license policy per application — marking each license as allowed, disallowed, or requiring review. Disallowed licenses are flagged red in the inventory and included in compliance reports.

What is SLA tracking?

EndoScan tracks how quickly critical and high-severity vulnerabilities are remediated. The default targets are 30 days for critical and 90 days for high. The compliance report shows the percentage of vulnerabilities resolved within these windows and lists any that are overdue.
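The SLA figures come from three dates per finding: when a scan first reported it, when (if ever) a scan stopped reporting it, and today. The report below is an added example for this FAQ, not EndoScan's code; the findings are constructed, the windows are the defaults the answer states, and the choice to leave open findings that still have time out of the percentage is an assumption made explicit in the code.

```python
"""Remediation SLA report for critical and high findings. Added example for
this FAQ, not EndoScan's code; the findings are constructed and the SLA
windows are the defaults the FAQ states."""
from datetime import date

SLA_DAYS = {"critical": 30, "high": 90}

# Constructed findings: first_seen is the scan that first reported the
# vulnerability, resolved the scan where it disappeared (None = still open).
FINDINGS = [
    {"id": "F1", "severity": "critical",
     "first_seen": date(2024, 1, 1), "resolved": date(2024, 1, 20)},
    {"id": "F2", "severity": "critical",
     "first_seen": date(2024, 1, 1), "resolved": date(2024, 2, 15)},
    {"id": "F3", "severity": "critical",
     "first_seen": date(2024, 2, 1), "resolved": None},
    {"id": "F4", "severity": "high",
     "first_seen": date(2024, 1, 10), "resolved": None},
    {"id": "F5", "severity": "high",
     "first_seen": date(2023, 12, 1), "resolved": date(2024, 2, 20)},
    {"id": "F6", "severity": "medium",
     "first_seen": date(2024, 1, 1), "resolved": None},
]


def sla_report(findings: list, today: date) -> dict:
    """Per tracked severity: findings closed inside the window (met), closed
    late, still open past their deadline (overdue), and the percentage met.
    Open findings that still have time left are counted neither way, so the
    percentage only reflects outcomes that are already decided (assumption)."""
    report = {}
    for sev, window in SLA_DAYS.items():
        met, late, overdue = 0, 0, []
        for f in findings:
            if f["severity"] != sev:
                continue                         # medium/low are not SLA-tracked
            if f["resolved"] is not None:
                if (f["resolved"] - f["first_seen"]).days <= window:
                    met += 1
                else:
                    late += 1
            elif (today - f["first_seen"]).days > window:
                overdue.append(f["id"])
        decided = met + late + len(overdue)
        report[sev] = {
            "met": met, "late": late, "overdue": overdue,
            "sla_pct": round(100 * met / decided, 1) if decided else None,
        }
    return report
```

Run with today = 2024-03-15 the critical line reads one met, one late and F3 overdue (33.3%), while F4 is 65 days old and therefore not yet counted against the 90-day high window; move today to 2024-05-01 and F4 tips into the overdue list.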

Can I export data for auditors?

Yes. The inventory can be exported as a CSV file with component, version, ecosystem, license, lifecycle, and vulnerability columns. The compliance report has a print-friendly layout for PDF generation via your browser's print function.

Downloads & sharing
Can I download an SBOM from EndoScan?

Yes. Any version (current or archived) can be downloaded as CycloneDX 1.5 JSON or SPDX 2.3 JSON from the inventory page. The file is generated on the fly from stored component data, including PURL, vendor, supplier, and hash metadata.

How do share links work?

From the application page, create a share link that lets anyone download the current SBOM without an EndoScan account. Each link can be configured with a format, expiry date, maximum number of downloads (set it to 1 for a single-use link), and an optional password.

Are share link downloads logged?

Yes. Every download via a share link is logged with the IP address, user agent, and timestamp. The download log is visible to the application owner from the share links page.

Can I revoke a share link?

Yes. Any active share link can be revoked immediately from the share links management page. Revoked links return an "unavailable" page to anyone who tries to use them.
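The share-link answers above (configuration, download logging and revocation) describe one small lifecycle. The store below is an added example for this FAQ and not EndoScan's implementation: a dict stands in for the database, the link id and token formats are assumptions, and share-link passwords are hashed with PBKDF2 from the standard library because the Argon2id the FAQ names for account passwords is not in the standard library.

```python
"""Share links: issue, validate, log downloads and revoke. Added example for
this FAQ; it is not EndoScan's implementation. A dict stands in for the
database and PBKDF2 stands in for Argon2id (assumptions)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class ShareLinkStore:
    def __init__(self):
        self.links = {}       # sha256(token) -> record
        self.downloads = []   # the owner-visible download log

    def create(self, app_slug: str, fmt: str, ttl: timedelta,
               max_downloads: int, now: datetime, password: str = None) -> tuple:
        """Return (link_id, token). The raw token appears only in the URL
        handed to the recipient; the store keeps its SHA-256, so a leaked
        database does not yield usable links. link_id is what the owner
        uses to revoke the link from the management page."""
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        record = {
            "id": secrets.token_hex(8), "app": app_slug, "format": fmt,
            "expires": now + ttl, "max": max_downloads, "count": 0,
            "revoked": False, "salt": salt,
            "pw_hash": _hash(password, salt) if password else None,
        }
        self.links[hashlib.sha256(token.encode()).hexdigest()] = record
        return record["id"], token

    def revoke(self, link_id: str) -> bool:
        for rec in self.links.values():
            if rec["id"] == link_id:
                rec["revoked"] = True
                return True
        return False

    def redeem(self, token: str, now: datetime, ip: str, user_agent: str,
               password: str = None) -> tuple:
        """Return (True, (app, format)) when the download may proceed, else
        (False, reason). Unknown, revoked, expired and exhausted links all
        collapse to "unavailable", so a probing client learns nothing about
        why a link stopped working."""
        rec = self.links.get(hashlib.sha256(token.encode()).hexdigest())
        if (rec is None or rec["revoked"] or now >= rec["expires"]
                or rec["count"] >= rec["max"]):
            return False, "unavailable"
        if rec["pw_hash"] is not None:
            if password is None:
                return False, "password required"
            if not hmac.compare_digest(rec["pw_hash"], _hash(password, rec["salt"])):
                return False, "wrong password"   # rate-limit this path in production
        rec["count"] += 1                         # counted before the file is sent
        self.downloads.append({"link_id": rec["id"], "ip": ip,
                               "user_agent": user_agent, "at": now})
        return True, (rec["app"], rec["format"])
```

Two details carry the security weight: the download counter is incremented before the file is served, so a client that aborts the transfer cannot turn a single-use link into an unlimited one, and the password check runs only after the availability checks, so a revoked or expired link cannot be used as a password oracle.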

Why can I not create a share link for a third-party application?

Share links are limited to in-house applications. Third-party SBOMs are provided by an external vendor and may be subject to licensing, confidentiality, or contractual restrictions that prohibit redistribution. EndoScan prevents accidental exposure by disabling share link creation for applications marked as 3rd Party.

Alerts & notifications
What kinds of alerts can I set up?

Two types: EOL alerts that trigger when a component's end-of-life date is within a configurable window (30, 60, or 90 days), and new CVE alerts that trigger when a vulnerability at or above a chosen severity is found.
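How those two rule types are evaluated against an enriched inventory, as an added example for this FAQ rather than EndoScan's evaluator. The inventory, the rule shapes and the vulnerability ids are constructed; the severity ordering and the "already raised" set that stops a new-CVE alert from firing on every rescan are assumptions.

```python
"""Evaluate EOL and new-CVE alert rules over an enriched inventory. Added
example for this FAQ, not EndoScan's evaluator; the inventory, rule shapes
and vulnerability ids are constructed."""
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed enriched inventory for one application.
COMPONENTS = [
    {"purl": "pkg:npm/lodash@4.17.20", "eol": None,
     "vulns": [{"id": "SAMPLE-VULN-1", "severity": "critical", "suppressed": False},
               {"id": "SAMPLE-VULN-2", "severity": "medium", "suppressed": False}]},
    {"purl": "pkg:generic/legacy-runtime@1", "eol": date(2024, 6, 20), "vulns": []},
    {"purl": "pkg:generic/current-runtime@2", "eol": date(2028, 11, 9), "vulns": []},
    {"purl": "pkg:npm/minimist@1.2.5", "eol": None,
     "vulns": [{"id": "SAMPLE-VULN-3", "severity": "high", "suppressed": True}]},
]

# Constructed rules: one of each type, plus a disabled rule that must be skipped.
RULES = [
    {"type": "eol", "window_days": 30, "enabled": True},
    {"type": "cve", "min_severity": "high", "enabled": True},
    {"type": "cve", "min_severity": "low", "enabled": False},
]


def evaluate_alerts(rules: list, components: list, today: date,
                    already_raised: frozenset = frozenset()) -> list:
    """Return (rule_type, purl, detail) tuples. already_raised holds the
    vulnerability ids alerted on in earlier scans, so a "new CVE" alert
    fires once rather than on every rescan (assumed de-duplication)."""
    hits = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue                                  # configured but skipped
        for comp in components:
            if rule["type"] == "eol":
                if comp.get("eol") is None:
                    continue                          # no lifecycle data to judge
                days_left = (comp["eol"] - today).days
                if days_left <= rule["window_days"]:  # negative: already past EOL
                    hits.append(("eol", comp["purl"], days_left))
            elif rule["type"] == "cve":
                floor = SEVERITY_RANK[rule["min_severity"]]
                for v in comp.get("vulns", []):
                    if v.get("suppressed") or v["id"] in already_raised:
                        continue
                    if SEVERITY_RANK.get(v["severity"].lower(), -1) >= floor:
                        hits.append(("cve", comp["purl"], v["id"]))
    return hits
```

Note the two silent cases: a component with no lifecycle data produces no EOL alert at all (absence of an EOL date is not the same as "supported"), and a suppressed vulnerability never alerts, consistent with suppressions being excluded from risk calculations.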

How are alerts delivered?

Alerts generate in-app notifications visible in the notification centre. If a mailer is configured, email delivery is also available as a channel. Scan completions and failures are always delivered as in-app notifications to the application owner.

Can I disable alerts without deleting them?

Yes. Each alert rule has an enable/disable toggle. Disabled alerts stay configured but are skipped during evaluation. You can also delete an alert rule entirely if it is no longer needed.

Security & account
What authentication methods are available?

Password-based login with optional TOTP (any authenticator app, with backup codes) and passkeys (WebAuthn) for passwordless sign-in using a device biometric or security key. Both can be managed under Settings.

How are passwords stored?

Passwords are hashed with Argon2id and never stored in plain text. The raw password is discarded immediately after hashing and is never written to disk or logs.

Can I change my email address?

Yes, from Settings. Changing your email resets your verification status — you will need to verify the new address before alert emails are delivered to it.

How do I delete my account?

Account deletion is handled by an administrator. Contact us to request removal. All personal data will be deleted in accordance with the Privacy Policy.