Skip to main content

Open-source FDA/IEC-62304 compliance layer for medical device SBOMs

Project description

๐Ÿฅ MedSBOM

Open-source FDA/IEC-62304 compliance layer for medical device SBOMs

CI PyPI License Python 3.12+

Turn raw SBOM scans into FDA-submission-ready documentation in seconds, not weeks.

Quick Start โ€ข Examples โ€ข API Docs โ€ข Contributing โ€ข Sponsor


The Problem

Medical device manufacturers must (FDA 2023 guidance, PATCH Act, 2026 QMSR):

  • Maintain Software Bills of Materials for every device
  • Continuously monitor SOUP components for vulnerabilities
  • Document a Secure Product Development Framework
  • Produce audit-ready evidence of regular vulnerability review (IEC 62304 ยง7.1.3)

Today: Teams spend 40โ€“80 hours per device manually translating Syft/Grype/Trivy output into regulatory documents. Paid platforms charge $50Kโ€“$200K/year.

With MedSBOM: One command. Audit-ready docs in seconds. Free forever.

What MedSBOM Does

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  SBOM Input โ”‚ โ”€โ”€โ–ถ โ”‚  MedSBOM     โ”‚ โ”€โ”€โ–ถ โ”‚  FDA Premarket Summary    โ”‚
โ”‚ (SPDX/CDX)  โ”‚     โ”‚  Engine      โ”‚     โ”‚  SOUP Risk Assessment     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ”‚              โ”‚     โ”‚  Vulnerability Review Log โ”‚
                    โ”‚  โ€ข CVE match โ”‚     โ”‚  Audit Trail              โ”‚
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”‚  โ€ข KEV check โ”‚     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
โ”‚ NVD + KEV   โ”‚ โ”€โ”€โ–ถ โ”‚  โ€ข EOL check โ”‚
โ”‚ feeds       โ”‚     โ”‚  โ€ข Risk scoreโ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Quick Start

Install

pip install medsbom

Generate your SBOM (if you don't have one)

# Using Syft
syft dir:./my-firmware -o cyclonedx-json > my-device.sbom.json

# Using Trivy
trivy fs --format cyclonedx --output my-device.sbom.json ./my-project/

Run MedSBOM

# Check for vulnerabilities and EOL status
medsbom check my-device.sbom.json --device "Insulin Pump" --device-version "2.3.1"

# Generate FDA compliance documents
medsbom report my-device.sbom.json --format all --output ./compliance-docs/

That's it. You now have:

  • fda_premarket_summary.md โ€” Maps to FDA 2023 Cybersecurity Guidance structure
  • soup_risk_assessment.md โ€” IEC 62304 ยง7.1.3 SOUP register with risk levels
  • vulnerability_review_log.md โ€” Timestamped audit evidence

Features

Feature Description
SBOM Ingestion CycloneDX and SPDX JSON (from Syft, Trivy, or any scanner)
CVE Matching Cross-reference against NVD with local caching
CISA KEV Flag actively exploited vulnerabilities
EOL Detection Check end-of-life status via endoflife.date
Risk Scoring Composite score: CVSS + KEV + EOL proximity
FDA Docs Premarket Cybersecurity Summary template
IEC 62304 SOUP Risk Assessment table
Audit Trail Immutable, append-only log for regulatory evidence
REST API FastAPI server for integration and dashboards
Docker Single container, no external dependencies

CLI Commands

medsbom ingest <sbom-file>          # Parse and validate an SBOM
medsbom check <sbom-file>           # Vulnerability + EOL check
medsbom report <sbom-file>          # Generate compliance documents
medsbom audit                       # View audit trail
medsbom version                     # Show version

API

Start the API server:

uvicorn medsbom.api.main:app --host 0.0.0.0 --port 8000

Endpoints:

  • GET /health โ€” Health check
  • POST /api/v1/scans โ€” Upload SBOM and run analysis
  • GET /api/v1/scans/{id} โ€” Get scan results
  • GET /api/v1/scans/{id}/report/{format} โ€” Generate report (fda/soup/vuln)
  • GET /api/v1/audit โ€” Audit trail

Interactive docs at: http://localhost:8000/docs

Docker

# CLI mode
docker run --rm -v $(pwd):/data medsbom check /data/my-sbom.json

# API mode
docker compose -f docker/docker-compose.yml up

Configuration

Environment Variable Description Default
NVD_API_KEY NVD API key (recommended โ€” 10x faster) None
MEDSBOM_CACHE_DIR Local cache directory ~/.medsbom/cache
MEDSBOM_AUDIT_DB Audit database path ~/.medsbom/audit.db

Get a free NVD API key: https://nvd.nist.gov/developers/request-an-api-key

Important Disclaimer

โš ๏ธ REGULATORY NOTICE: MedSBOM generates DRAFT compliance documentation to assist with FDA/IEC-62304 workflows. This tool does NOT constitute legal or regulatory advice. All generated output must be reviewed and approved by a qualified regulatory professional before submission to any regulatory body. MedSBOM contributors accept no liability for regulatory decisions made based on this output.

Project Structure

medsbom/
โ”œโ”€โ”€ cli/               # Typer CLI
โ”œโ”€โ”€ core/
โ”‚   โ”œโ”€โ”€ ingest.py      # SBOM parsing (CycloneDX + SPDX)
โ”‚   โ”œโ”€โ”€ cve_match.py   # NVD + KEV vulnerability matching
โ”‚   โ”œโ”€โ”€ eol_check.py   # End-of-life checking
โ”‚   โ”œโ”€โ”€ risk_score.py  # Composite risk scoring
โ”‚   โ”œโ”€โ”€ doc_generator.py  # Jinja2 โ†’ Markdown/PDF
โ”‚   โ”œโ”€โ”€ audit.py       # Append-only audit trail
โ”‚   โ””โ”€โ”€ models.py      # Pydantic data models
โ”œโ”€โ”€ api/               # FastAPI REST API
โ”œโ”€โ”€ templates/         # Jinja2 regulatory doc templates
โ”œโ”€โ”€ tests/             # Comprehensive test suite
โ”œโ”€โ”€ examples/          # Sample SBOMs and usage guides
โ””โ”€โ”€ docker/            # Container deployment

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

Especially welcome:

  • Regulatory template improvements (FDA, IEC 62304, ISO 14971, EU MDR)
  • Additional SBOM format support
  • Integration with more scanners
  • Translations of templates

Sponsor

MedSBOM is free and open source. If it saves your team time and money, consider supporting development:

For enterprise support contracts or custom template development, open an issue or email the maintainers.

License

Apache License 2.0 โ€” see LICENSE.

Chosen specifically for medical device companies: permissive, includes patent grant, no copyleft concerns for proprietary firmware integration.


Built for the medical device community. Free forever.

If MedSBOM helps your team, star the repo and tell your colleagues.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

medsbom-0.1.0.tar.gz (57.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

medsbom-0.1.0-py3-none-any.whl (36.0 kB view details)

Uploaded Python 3

File details

Details for the file medsbom-0.1.0.tar.gz.

File metadata

  • Download URL: medsbom-0.1.0.tar.gz
  • Upload date:
  • Size: 57.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for medsbom-0.1.0.tar.gz
Algorithm Hash digest
SHA256 c2141c45ebae968a948f66d14b24464d9e57824c6ea5e39ddf97e50e23d912fe
MD5 e2151b1d04bd74f9ebf88d5324a4f8d6
BLAKE2b-256 0b5290f8ef4cb6daf1fd82092039fc539d04d20857f81ea469eaaccaee117e96

See more details on using hashes here.

File details

Details for the file medsbom-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: medsbom-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 36.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for medsbom-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1052271aacd17bf6c5f8915eaf21a3b34a5d64f21b6a486e07eaf5a310861e41
MD5 daa4ed930fc4dc536a987feac7066109
BLAKE2b-256 92cf20cfda70a3d8d83afbcdeb0178ece0fc485a5b834f702a5a1916295366e3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page