Intelligent SBOM Ingestion and Breaking Change Analysis
Jonny Rivera
July 14, 2025

Frequently Asked Questions
What is intelligent SBOM ingestion and what problem does it solve?
Intelligent SBOM ingestion is the ability to upload an existing SBOM from any project, automatically parse its components and dependencies, scan them for vulnerabilities, and then convert them into an editable set of packages backed by the ActiveState component catalog. The problem it solves is the gap between knowing you have a vulnerable component and knowing what to do about it: most teams can generate an SBOM and run it through a scanner, but the next step — understanding the full impact of remediation, including what will break — still requires manual research.
How does breaking change analysis work and why does it matter before applying a patch?
When a vulnerability is addressed by upgrading a package to a newer version, that upgrade may change APIs, deprecate flags, alter behavior, or pull in new dependencies that conflict with existing ones. Breaking change analysis runs an automated impact assessment before the upgrade is committed: it reviews the changelog, identifies API changes and deprecated functions, maps which parts of the codebase are affected by the proposed upgrade, and provides a risk assessment with a suggested path forward. This converts what was previously a multi-hour manual research project into a near-instantaneous automated report — so teams can make an informed remediation decision in minutes rather than days.
What are the four steps of ActiveState's SBOM ingestion and remediation workflow?
The workflow runs in four steps. First, an SBOM is uploaded and parsed to provide a complete breakdown of all components and dependencies, which are immediately scanned for vulnerabilities. Second, the SBOM is converted into an editable set of packages pulled from the ActiveState component catalog, where newer versions can be selected to reduce the vulnerability count while automatically resolving all dependencies. Third, before any change is committed, an automated impact report shows exactly what will change in the dependency tree, including an AI-powered breaking change analysis with a risk assessment and suggested path forward. Fourth, once the team approves the changes, the updated packages are rebuilt from source for the required platform and deployment target.
.png)
.png)
.png)