On 20 August 2024, SEBI released its Cybersecurity and Cyber Resilience Framework (CSCRF) — and with it, a requirement that Indian financial institutions maintain visibility into every software component in their technology stack. For organisations running applications built on open-source software (which today means virtually every organisation), this means one thing: Software Bill of Materials (SBOM).
This guide explains exactly what SEBI and CERT-In require regarding software supply chain transparency, why manual SBOM creation is impossible at scale, and how Mend.io automates the entire process.
What is a Software Bill of Materials (SBOM)?
An SBOM is a formal, machine-readable inventory of all software components in an application — including open-source libraries, their versions, their licences, and their known vulnerabilities. Think of it as a nutrition label for your software: just as food manufacturers must disclose every ingredient, software providers must now disclose every component.
Key SBOM formats:
- SPDX 2.3 — Linux Foundation standard, widely adopted in the US
- CycloneDX 1.4+ — OWASP standard, preferred by SEBI CSCRF and CERT-In guidelines for its security-focused design
SEBI CSCRF Requirements — What You Need to Know
SEBI's CSCRF, released in 2024, places regulated entities (REs) under obligations that directly require SBOM capabilities:
- Software Supply Chain Risk Management: REs must maintain visibility into third-party software components used in critical financial applications
- Vulnerability Disclosure and Management: REs must track and remediate known vulnerabilities (CVEs) in all software components — not just internally developed code
- Incident Response Readiness: In the event of a supply chain incident (like Log4Shell or XZ Utils), REs must be able to identify affected systems within hours — not weeks
- Third-Party Risk Management: Software from vendors must be assessed for supply chain risks, requiring component-level visibility
CERT-In Directions: The Compliance Timeline
CERT-In's 2022 Directions (amended 2023) require organisations in critical sectors to maintain an inventory of software assets and to report incidents involving compromised software components. The 6-hour reporting window for major incidents makes manual SBOM management operationally impossible — you need automated, continuously updated SBOMs to answer "which of our applications ship this component?" in time.
How Mend.io Automates SBOM Generation and Management
Mend.io (formerly WhiteSource) integrates directly into your build system and CI/CD pipeline to automatically discover and track every open-source component in your applications. No manual inventory work. No spreadsheets. No gaps.
# Generated: 2025-03-01 | App: trading-platform-api v3.2.1
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2025-03-01T00:00:00Z",
    "component": { "type": "application", "name": "trading-platform-api", "version": "3.2.1" }
  },
  "components": [
    { "type": "library", "bom-ref": "log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1",
      "licenses": [ { "license": { "id": "Apache-2.0" } } ] },
    { "type": "library", "bom-ref": "spring-core@5.3.18", "name": "spring-core", "version": "5.3.18",
      "licenses": [ { "license": { "id": "Apache-2.0" } } ] }
  ],
  "vulnerabilities": [
    { "id": "CVE-2021-44228", "ratings": [ { "severity": "critical" } ],
      "affects": [ { "ref": "log4j-core@2.14.1" } ] }
  ]
}
# Total: 847 components | 3 Critical CVEs | 12 High CVEs
Real-Time CVE Monitoring and Auto-Fix Pull Requests
An SBOM is only valuable if it's current. Mend.io continuously monitors all components in your SBOM against the latest CVE databases — including NVD, GitHub Advisory, and Mend's own proprietary research. When a new vulnerability is disclosed, every affected application in your portfolio is flagged instantly.
More importantly, Mend.io automatically generates pull requests to upgrade vulnerable dependencies to safe versions. The average time-to-remediation drops from 14+ days to under 4 hours for teams using Mend's automated fix capabilities.
Title: [Mend] Upgrade log4j-core from 2.14.1 to 2.17.1
- fixes: CVE-2021-44228 (CVSS 10.0 — CRITICAL)
- fixes: CVE-2021-45046 (CVSS 9.0 — CRITICAL)
- fixes: CVE-2021-45105 (CVSS 7.5 — HIGH)
# All existing unit tests: PASSING ✓
# Breaking changes: None detected ✓
# SBOM updated: log4j-core 2.17.1 — 0 known CVEs ✓
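The monitoring described above comes down to one repeatable question: given a current CycloneDX SBOM per application, which components (and therefore which applications) does a newly disclosed CVE hit? The following Python script is an added example, not Mend.io's code or output. It parses CycloneDX 1.4 documents with the standard library only, resolves each vulnerability's "affects" references back to components, summarises severities, and answers the portfolio-wide incident question in the CERT-In 6-hour sense. The sample SBOMs are constructed: the application name trading-platform-api and the Log4j CVE ids come from the page; kyc-portal, the purl-style bom-refs and the deliberately dangling reference are invented for the demonstration.

```python
import json
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def component(ref, name, version, license_id):
    """Build one CycloneDX 1.4 library component (helper for the constructed sample data)."""
    return {"type": "library", "bom-ref": ref, "name": name, "version": version,
            "licenses": [{"license": {"id": license_id}}]}


# Constructed purl-style bom-refs (assumed, not taken from any real SBOM).
LOG4J_REF = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
SPRING_REF = "pkg:maven/org.springframework/spring-core@5.3.18"

# Constructed sample portfolio: two application SBOMs in CycloneDX 1.4 shape.
# Vulnerabilities sit at the top level and point at components through
# "affects" -> "ref"; that is how the schema links a CVE to a component.
SAMPLE_BOMS = [
    {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "name": "trading-platform-api", "version": "3.2.1"}},
        "components": [component(LOG4J_REF, "log4j-core", "2.14.1", "Apache-2.0"),
                       component(SPRING_REF, "spring-core", "5.3.18", "Apache-2.0")],
        "vulnerabilities": [
            {"id": "CVE-2021-44228", "ratings": [{"severity": "critical", "score": 10.0}],
             "affects": [{"ref": LOG4J_REF}]},
            {"id": "CVE-2021-45046", "ratings": [{"severity": "critical", "score": 9.0}],
             "affects": [{"ref": LOG4J_REF}]},
            # One deliberately dangling ref, to show how an inconsistent SBOM is handled.
            {"id": "CVE-2021-45105", "ratings": [{"severity": "high", "score": 7.5}],
             "affects": [{"ref": LOG4J_REF}, {"ref": "pkg:maven/does-not-exist@1.0"}]},
        ],
    },
    {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "name": "kyc-portal", "version": "1.8.0"}},
        "components": [component(SPRING_REF, "spring-core", "5.3.18", "Apache-2.0")],
        "vulnerabilities": [],
    },
]


def load_bom(text_or_dict):
    """Accept a JSON string or an already-parsed dict and reject non-CycloneDX input."""
    bom = json.loads(text_or_dict) if isinstance(text_or_dict, str) else text_or_dict
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def components_by_ref(bom):
    """Index components by bom-ref so that 'affects' entries can be resolved."""
    return {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}


def worst_severity(vuln):
    """Highest severity among a vulnerability's ratings; 'none' when it has no ratings."""
    sevs = [r.get("severity", "none").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="none")


def affected_components(bom):
    """Map CVE id -> list of (component name, version, severity) it affects."""
    index = components_by_ref(bom)
    hits = {}
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            comp = index.get(target.get("ref"))
            if comp is None:
                continue  # dangling ref: the SBOM is inconsistent, do not guess a component
            hits.setdefault(vuln["id"], []).append((comp["name"], comp["version"], worst_severity(vuln)))
    return hits


def severity_summary(bom):
    """Count vulnerabilities by their worst severity, e.g. {'critical': 2, 'high': 1}."""
    return dict(Counter(worst_severity(v) for v in bom.get("vulnerabilities", [])))


def is_affected_by(bom, cve_id):
    """Sorted, de-duplicated (name, version) pairs in this SBOM that cve_id affects."""
    return sorted({(n, v) for n, v, _ in affected_components(bom).get(cve_id, [])})


def apps_affected(boms, cve_id):
    """Portfolio-wide incident query: which applications ship a component hit by cve_id?"""
    return [b["metadata"]["component"]["name"] for b in boms if is_affected_by(b, cve_id)]


if __name__ == "__main__":
    for bom in SAMPLE_BOMS:
        app = bom["metadata"]["component"]
        print(f'{app["name"]} {app["version"]}: {len(components_by_ref(bom))} components, {severity_summary(bom)}')
    print("affected by CVE-2021-44228:", apps_affected(SAMPLE_BOMS, "CVE-2021-44228"))
```

The dangling reference is skipped rather than guessed at, because an SBOM that names a vulnerability against a component it does not list is itself an inventory defect worth flagging, not something to paper over during an incident.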
Licence Compliance: The Hidden Risk in Open Source
SBOM compliance isn't just about security vulnerabilities. Open-source licences carry legal obligations. GPL licences can require you to release your proprietary source code. AGPL can trigger copyleft obligations for SaaS applications. Mend.io's licence engine identifies 200+ licence types across all components and enforces your organisation's licence policy automatically — preventing legal exposure before it becomes a litigation risk.
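Automated licence policy enforcement of the kind the paragraph above describes is, at its core, a policy table applied to the licence data already present in the SBOM. The following Python script is an added example, not Mend.io's licence engine. It reads the licences declared on CycloneDX components (both plain SPDX ids and SPDX expressions such as "MIT OR GPL-2.0-only"), evaluates them against an organisational allow/review/deny table, and exposes a CI gate. The policy table, the sample components and their licences are constructed for the demonstration; only flat SPDX expressions without parentheses are handled.

```python
import json

# Constructed policy keyed by SPDX licence id. Verdicts rank allow < review < deny.
# Copyleft licences are denied outright, matching the GPL/AGPL concern above.
POLICY = {
    "Apache-2.0": "allow", "MIT": "allow", "BSD-3-Clause": "allow",
    "LGPL-2.1-only": "review",
    "GPL-2.0-only": "deny", "GPL-3.0-only": "deny", "AGPL-3.0-only": "deny",
}
RANK = {"allow": 0, "review": 1, "deny": 2}

# Constructed sample SBOM: one clean component, one AGPL component, one
# dual-licensed component and one with no licence metadata at all.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "spring-core", "version": "5.3.18",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "some-db-driver", "version": "2.0.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "dual-licensed-lib", "version": "1.4.2",
     "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"type": "library", "name": "legacy-util", "version": "0.9.1"}
  ]
}
""")


def verdict_for(expression, policy=POLICY, unknown="review"):
    """Evaluate a flat SPDX licence expression against the policy.

    SPDX gives AND higher precedence than OR, so OR is split first. With OR the
    consumer may pick the most permissive alternative (min rank); with AND every
    term must be acceptable (max rank). Unknown ids fall back to `unknown`.
    """
    expression = expression.strip()
    if " OR " in expression:
        return min((verdict_for(p, policy, unknown) for p in expression.split(" OR ")), key=RANK.get)
    if " AND " in expression:
        return max((verdict_for(p, policy, unknown) for p in expression.split(" AND ")), key=RANK.get)
    return policy.get(expression, unknown)


def component_licenses(component):
    """Collect the licence ids or expressions declared on one CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    # A component with no licence metadata is a finding in itself, not a pass.
    return found or ["UNKNOWN"]


def evaluate_licenses(bom, policy=POLICY, unknown="review"):
    """Return every component whose licence is not allowed outright."""
    findings = []
    for comp in bom.get("components", []):
        for lic in component_licenses(comp):
            verdict = verdict_for(lic, policy, unknown)
            if verdict != "allow":
                findings.append({"component": f'{comp["name"]}@{comp.get("version", "?")}',
                                 "license": lic, "verdict": verdict})
    return findings


def passes_gate(bom, policy=POLICY):
    """CI gate: block only on a denied licence; 'review' items are reported, not blocking."""
    return not any(f["verdict"] == "deny" for f in evaluate_licenses(bom, policy))


if __name__ == "__main__":
    for finding in evaluate_licenses(SAMPLE_BOM):
        print(f'{finding["verdict"].upper():6} {finding["component"]:28} {finding["license"]}')
    print("gate:", "PASS" if passes_gate(SAMPLE_BOM) else "FAIL")
```

Treating missing licence metadata as "review" rather than silently passing is the important design choice: the component that most often causes trouble at audit time is the one nobody recorded a licence for.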
Building Your SEBI CSCRF Evidence Package with Mend.io
When SEBI auditors come calling, you need evidence — not promises. Mend.io generates on-demand compliance reports that demonstrate your software supply chain governance posture, including: complete SBOM inventory with timestamps, CVE detection-to-remediation timelines, licence compliance status across all applications, and third-party risk assessment reports for vendor software.
Organisations that have implemented Mend.io as part of their SEBI CSCRF compliance programme report reducing their audit preparation time by over 70% — because the evidence is automatically collected and organised, not manually assembled at audit time.
The Log4Shell vulnerability proved that a single open-source component vulnerability can affect millions of applications simultaneously. SEBI and CERT-In have drawn the right conclusion: financial institutions must know every component in their software, monitor those components continuously, and remediate critical vulnerabilities in hours — not weeks. Mend.io makes that possible.