Requests
SBOM requests enable organizations to collect SBOMs from third-party vendors and suppliers. Interlynk provides a workflow for sending requests, receiving uploaded SBOMs, validating them, and integrating them into your Product inventory — all without requiring the vendor to have an Interlynk account.
Overview
The SBOM request workflow addresses a common challenge: obtaining SBOMs from vendors and suppliers who may not use SBOM management tooling. Interlynk sends an email to the vendor contact with a secure upload link, validates the uploaded SBOM, and makes it available for review and acceptance into your Products.
Key capabilities:
No vendor account required — vendors receive an email with a secure upload link.
Automatic link renewal — upload links are valid for 24 hours but regenerate automatically if the vendor clicks an expired link.
SBOM validation — uploaded SBOMs are validated for format and completeness.
Acceptance workflow — review and accept vendor SBOMs into your Products and Environments.
Architecture
SBOM Request Workflow
1. Requester creates request
└── Email sent to vendor contact
└── Secure upload link (valid 24 hours)
2. Vendor uploads SBOM
└── Upload link → SBOM validation
└── Status changes to "Uploaded"
3. Requester reviews and accepts
└── Select target Product + Environment
└── SBOM ingested into platform
└── Standard processing pipeline appliesSending SBOM Requests
Via Dashboard
Navigate to the Requests page in the main navigation.
Click + (Request SBOM).
Enter the request details:
Vendor Email
Yes
Email address of the contact who will supply the SBOM
Product Name
No
Name of the vendor product for which the SBOM is requested
Version
No
Specific version of the vendor product
Click Save to send the request.
The vendor receives an email with a link to upload the SBOM. The vendor does not need an Interlynk account.
The upload link is valid for 24 hours. If the vendor clicks the link after it expires, a new link is automatically generated and sent to the same email address.
Request Statuses
Pending
Request has been sent; waiting for vendor to upload
Uploaded
Vendor has uploaded an SBOM; awaiting review and acceptance
Accepted
SBOM has been accepted and ingested into a Product
Expired
Request link has expired without an upload (auto-renews on click)
Accepting Vendor SBOMs
When a vendor uploads an SBOM, the request status changes to Uploaded. To accept and ingest the SBOM:
Navigate to the Requests page.
Locate the request with Uploaded status.
Click Accept.
Select the target Product and Environment to receive the SBOM.
Click Accept to complete.
The SBOM is ingested into the selected Product and Environment and goes through the standard processing pipeline (SBOM Checks, Automation Rules, Vulnerability Scan, Policy Evaluation).
Review the vendor SBOM before accepting. Once accepted, the SBOM is processed and integrated into your Product data. Ensure the content matches your expectations for the requested product and version.
Managing Requests
Viewing All Requests
Navigate to the Requests page.
The request list displays:
Vendor Email
Email address the request was sent to
Product
Requested product name (if specified)
Version
Requested version (if specified)
Status
Current request status
Date
When the request was created
Tracking Outstanding Requests
Filter the request list by Pending status to identify requests that have not yet been fulfilled. Follow up with vendors as needed.
Permission Matrix
View requests
✓
✓
✓
Edit requests
✓
✓
—
For full permission details, see Role Management.
Security Warnings
Vendor-supplied SBOMs should be reviewed before acceptance. A vendor may provide an incomplete, inaccurate, or outdated SBOM. Validate the content — check for complete component lists, proper identifiers, and correct version information — before accepting.
Upload links are sent via email. Ensure you are sending requests to verified vendor contacts. The upload link allows anyone with access to it to upload a file.
Common Misconfigurations
Vendor did not receive the email
Request stays in "Pending" status
Verify the email address is correct; check the vendor's spam folder
Upload link expired
Vendor reports link does not work
The link auto-renews when clicked; ask the vendor to click the expired link to receive a new one
Wrong Product/Environment selected on accept
SBOM appears in unexpected location
Delete the ingested SBOM and re-accept with the correct target
Vendor uploaded incorrect file
SBOM validation fails or content does not match
Contact the vendor and request a corrected SBOM upload
No requests page visible
User cannot access the Requests page
Verify the user has "View requests" permission
Recommended Best Practices
Include product name and version in requests. This gives vendors clear context on what SBOM to provide and reduces back-and-forth.
Follow up on pending requests within a reasonable timeframe. Some vendors may need guidance on SBOM generation.
Review vendor SBOMs before accepting. Validate that the SBOM contains meaningful component data, proper identifiers (PURL/CPE), and matches the requested product.
Accept into a dedicated Environment. Consider accepting vendor SBOMs into a "vendor" or "third-party" Environment for separate tracking and policy evaluation.
Run vulnerability scanning on accepted SBOMs. Ensure "Run Vulnerability Scan" is enabled in the target Environment Settings so vendor components are scanned for known vulnerabilities.
Establish a regular cadence for vendor SBOM collection. Request updated SBOMs from critical vendors on a quarterly or release-based schedule.
Track request fulfillment rates. Monitor which vendors consistently provide SBOMs and which require follow-up, to improve your vendor management process.
Last updated