Skip to content
| Marketplace
Sign in
Visual Studio Code>Visualization>SBOM LensNew to Visual Studio Code? Get it now.
SBOM Lens

SBOM Lens

EverBright-IT-GmbH

|
2 installs
| (0) | Free
View SPDX SBOMs, including cascading document hierarchies, right in your editor.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

SBOM Lens for VS Code

Open VSX Version

View SPDX SBOMs, including cascading document hierarchies, right in your editor. The full SBOM Lens viewer as a custom editor: Explore tree, document map, inventory, version conflicts, release diff, and quality reports.

The Explore view: a release cascade as one tree, detail pane with relationships, document map

Opening documents

  • Open with SBOM Lens: right-click a .spdx, .spdx.json, or .spdx.yaml file in the explorer (or use Reopen editor with...). Multi-select several files and they open together in one panel, with cross-document references resolved between them.
  • Open folder with SBOM Lens: right-click a folder, and every SPDX document under it loads into one panel.
  • SBOM Lens: Scan workspace for SBOMs: the command-palette way to load the whole workspace (files over 50 MB are skipped).
  • From URL: fetches run in the extension host, so browser CORS limits don't apply. Access tokens are kept in VS Code's secret storage.

What you get

  • Cascades as one tree. ExternalDocumentRef links resolve across everything you load, by checksum first and then namespace, and render as one continuous tree: release, component, sub-SBOM, package. Unresolved references become actionable placeholders.
  • Analysis views. A sortable cross-cascade inventory (CSV/JSON export via the native save dialog), version-conflict detection, release-to-release diffs, and an NTIA quality report per document.
  • Your own compliance rules. Drop a .sbomlens/profile.json into the workspace and every panel picks it up as a quality profile: thresholds, field patterns, coverage gates. Reports export as Markdown.
  • VEX overlay. Open an OpenVEX document next to your SBOMs and see what the supplier communicates about known vulnerabilities: per-package statements with status and justification, a VEX column and status filter in the inventory, findings in the exports. Matched by package URL, newest statement wins. A communication channel, not a scanner.
  • Private by design. Documents are parsed locally inside the editor. Nothing is uploaded anywhere.
  • Field info tooltips carry the SPDX 2.3 spec docs and link into the exact section of the specification; the theme follows your editor.

Working with Open Component Model deliveries (component descriptors, CTF / component archives)? That is OCM Lens, the sibling extension built from the same codebase. SBOM Lens stays a focused SPDX viewer.

Limits

  • SPDX 2.x (tag-value / JSON / YAML) in full; SPDX 3.0.x as JSON-LD with the core/software profiles mapped. CycloneDX is recognized with a conversion hint.
  • The workspace scan skips files over 50 MB (open those by hand). A single large SPDX document has no hard cap; parsing runs off the UI thread.
  • Compliance profiles are capped at 64 KB / 200 checks; up to 16 persist.
  • No license-compliance judgement and no vulnerability overlays: license and quality fields are shown, not interpreted.
  • Documents are parsed locally and never uploaded; only preferences and imported profiles persist.

Install

  • Open VSX (VSCodium, Cursor, Gitpod, Theia): everbright-it.sbomlens, or search "SBOM Lens".
  • VS Code Marketplace: listing in progress. Until then, download sbomlens.vsix from a release pipeline and use Extensions, Install from VSIX....

Links

  • Source & issues (GitLab, canonical), or the GitHub mirror
  • Changelog
  • Use it without VS Code: https://sbom-lens.everbright-it.de/app/
  • Building, testing, publishing this extension: DEVELOPMENT.md

Apache-2.0 © EverBright IT GmbH

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft