# Requests

SBOM requests enable organizations to collect SBOMs from third-party vendors and suppliers. Interlynk provides a workflow for sending requests, receiving uploaded SBOMs, validating them, and integrating them into your Product inventory — all without requiring the vendor to have an Interlynk account.

***

## Overview

The SBOM request workflow addresses a common challenge: obtaining SBOMs from vendors and suppliers who may not use SBOM management tooling. Interlynk sends an email to the vendor contact with a secure upload link, validates the uploaded SBOM, and makes it available for review and acceptance into your Products.

Key capabilities:

* **No vendor account required** — vendors receive an email with a secure upload link.
* **Automatic link renewal** — upload links are valid for 24 hours but regenerate automatically if the vendor clicks an expired link.
* **SBOM validation** — uploaded SBOMs are validated for format and completeness.
* **Acceptance workflow** — review and accept vendor SBOMs into your Products and Environments.

## Architecture

```
SBOM Request Workflow

1. Requester creates request
   └── Email sent to vendor contact
         └── Secure upload link (valid 24 hours)

2. Vendor uploads SBOM
   └── Upload link → SBOM validation
         └── Status changes to "Uploaded"

3. Requester reviews and accepts
   └── Select target Product + Environment
         └── SBOM ingested into platform
               └── Standard processing pipeline applies
```

***

## Sending SBOM Requests

### Via Dashboard

1. Navigate to the **Requests** page in the main navigation.
2. Click **+** (Request SBOM).
3. Enter the request details:

| Field            | Required | Description                                                |
| ---------------- | -------- | ---------------------------------------------------------- |
| **Vendor Email** | Yes      | Email address of the contact who will supply the SBOM      |
| **Product Name** | No       | Name of the vendor product for which the SBOM is requested |
| **Version**      | No       | Specific version of the vendor product                     |

4. Click **Save** to send the request.

The vendor receives an email with a link to upload the SBOM. The vendor does not need an Interlynk account.

{% hint style="info" %}
The upload link is valid for 24 hours. If the vendor clicks the link after it expires, a new link is automatically generated and sent to the same email address.
{% endhint %}

***

## Request Statuses

| Status       | Description                                                       |
| ------------ | ----------------------------------------------------------------- |
| **Pending**  | Request has been sent; waiting for vendor to upload               |
| **Uploaded** | Vendor has uploaded an SBOM; awaiting review and acceptance       |
| **Accepted** | SBOM has been accepted and ingested into a Product                |
| **Expired**  | Request link has expired without an upload (auto-renews on click) |

***

## Accepting Vendor SBOMs

When a vendor uploads an SBOM, the request status changes to **Uploaded**. To accept and ingest the SBOM:

1. Navigate to the **Requests** page.
2. Locate the request with **Uploaded** status.
3. Click **Accept**.
4. Select the target **Product** and **Environment** to receive the SBOM.
5. Click **Accept** to complete.

The SBOM is ingested into the selected Product and Environment and goes through the standard processing pipeline (SBOM Checks, Automation Rules, Vulnerability Scan, Policy Evaluation).

{% hint style="warning" %}
Review the vendor SBOM before accepting. Once accepted, the SBOM is processed and integrated into your Product data. Ensure the content matches your expectations for the requested product and version.
{% endhint %}

***

## Managing Requests

### Viewing All Requests

1. Navigate to the **Requests** page.
2. The request list displays:

| Column           | Description                           |
| ---------------- | ------------------------------------- |
| **Vendor Email** | Email address the request was sent to |
| **Product**      | Requested product name (if specified) |
| **Version**      | Requested version (if specified)      |
| **Status**       | Current request status                |
| **Date**         | When the request was created          |

### Tracking Outstanding Requests

Filter the request list by **Pending** status to identify requests that have not yet been fulfilled. Follow up with vendors as needed.

***

## Permission Matrix

| Permission    | Admin | Operator | Viewer |
| ------------- | :---: | :------: | :----: |
| View requests |   ✓   |     ✓    |    ✓   |
| Edit requests |   ✓   |     ✓    |    —   |

For full permission details, see [Role Management](https://docs.interlynk.io/administration/role-management).

***

## Security Warnings

{% hint style="warning" %}
**Vendor-supplied SBOMs should be reviewed before acceptance.** A vendor may provide an incomplete, inaccurate, or outdated SBOM. Validate the content — check for complete component lists, proper identifiers, and correct version information — before accepting.
{% endhint %}

{% hint style="warning" %}
**Upload links are sent via email.** Ensure you are sending requests to verified vendor contacts. The upload link allows anyone with access to it to upload a file.
{% endhint %}

***

## Common Misconfigurations

| Issue                                        | Symptom                                         | Fix                                                                                              |
| -------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| Vendor did not receive the email             | Request stays in "Pending" status               | Verify the email address is correct; check the vendor's spam folder                              |
| Upload link expired                          | Vendor reports link does not work               | The link auto-renews when clicked; ask the vendor to click the expired link to receive a new one |
| Wrong Product/Environment selected on accept | SBOM appears in unexpected location             | Delete the ingested SBOM and re-accept with the correct target                                   |
| Vendor uploaded incorrect file               | SBOM validation fails or content does not match | Contact the vendor and request a corrected SBOM upload                                           |
| No requests page visible                     | User cannot access the Requests page            | Verify the user has "View requests" permission                                                   |

***

## Recommended Best Practices

* **Include product name and version in requests.** This gives vendors clear context on what SBOM to provide and reduces back-and-forth.
* **Follow up on pending requests** within a reasonable timeframe. Some vendors may need guidance on SBOM generation.
* **Review vendor SBOMs before accepting.** Validate that the SBOM contains meaningful component data, proper identifiers (PURL/CPE), and matches the requested product.
* **Accept into a dedicated Environment.** Consider accepting vendor SBOMs into a "vendor" or "third-party" Environment for separate tracking and policy evaluation.
* **Run vulnerability scanning on accepted SBOMs.** Ensure "Run Vulnerability Scan" is enabled in the target Environment Settings so vendor components are scanned for known vulnerabilities.
* **Establish a regular cadence for vendor SBOM collection.** Request updated SBOMs from critical vendors on a quarterly or release-based schedule.
* **Track request fulfillment rates.** Monitor which vendors consistently provide SBOMs and which require follow-up, to improve your vendor management process.
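
The review points from the Security Warnings and the best practices above (requested product and version, complete component versions, PURL/CPE identifiers) can be checked with a short script before clicking **Accept**. This is an added example, not part of Interlynk's documentation or tooling; it assumes the vendor file is CycloneDX JSON, and `review_sbom` and the sample SBOM are constructed for illustration.

```python
import json

# Constructed sample: a minimal CycloneDX JSON SBOM as a vendor might upload it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "acme-gateway", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "cpe": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"},
        {"type": "library", "name": "libfoo", "version": "0.9"},  # no PURL/CPE
        {"type": "library", "name": "libbar", "purl": "pkg:generic/libbar"},  # no version
    ],
})


def review_sbom(raw, product=None, version=None):
    """Return a list of findings to resolve before accepting the SBOM."""
    try:
        bom = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX JSON document"]
    findings = []
    subject = (bom.get("metadata") or {}).get("component") or {}
    # Does the SBOM describe the product and version named in the request?
    if product and str(subject.get("name") or "").lower() != product.lower():
        findings.append(f"subject name {subject.get('name')!r} != requested {product!r}")
    if version and subject.get("version") != version:
        findings.append(f"subject version {subject.get('version')!r} != requested {version!r}")
    components = bom.get("components") or []
    if not components:
        findings.append("component list is empty")
    for comp in components:
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"{name}: missing version")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{name}: no PURL or CPE identifier")
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SAMPLE_SBOM, product="acme-gateway", version="2.5.0"):
        print("FINDING:", finding)
```

An empty result means none of these checks failed; it does not confirm that the component list is accurate for the vendor's actual build.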
