Question 1

What is a software bill of materials (SBOM) in Alvor?

Accepted Answer

Every asset in Alvor carries a software bill of materials: the libraries and packages it ships, recorded by name, exact version, and ecosystem. Open an asset's Software tab and you see each component, its version, the scope it runs in (prod, dev, or test), where it was discovered, and whether it is end-of-life. Because the SBOM lives on the asset record, it sits alongside that asset's vulnerabilities, dependencies, continuity plan, and data governance rather than in a separate scanner export.

Question 2

What is the difference between software components and technical components?

Accepted Answer

Software components are the libraries and packages an asset ships (the SBOM): log4j-core, openssl, express, and so on, each with a version and ecosystem. Technical components are the infrastructure an application runs on: databases, caches, queues, gateways, load balancers, storage, and compute. Alvor models them separately because they answer different questions. The SBOM answers what am I built from; technical components answer what do I depend on to run. Technical components appear on application-type assets (services, web applications, SaaS applications).

Question 3

Which package ecosystems does Alvor track?

Accepted Answer

Software components can be recorded across npm, Maven, PyPI, Go, NuGet, OS packages, and a generic ecosystem for anything else. Each entry can also carry a package URL (purl) and a CPE identifier, so components line up with the conventions vulnerability feeds and SCA tools already use.

Question 4

Can Alvor flag end-of-life (EOL) components?

Accepted Answer

Yes. Each software component carries an end-of-life date and an EOL flag, surfaced as a badge in the asset's Software tab. Unsupported, no-longer-patched software becomes visible as a property of the asset, before it turns into an unpatched-for-good incident.

Question 5

How does Alvor help when a vulnerability like Log4Shell breaks?

Accepted Answer

Because every asset's components are recorded by name and version, the question becomes a lookup rather than a fire drill: which assets ship log4j-core at the affected version, in which scope, and how critical are they. The component inventory turns blast-radius analysis for a new CVE into something you read off a screen instead of estimating in a meeting.

Question 6

What infrastructure components can I record on an application?

Accepted Answer

On application assets you can map the technical components the app runs on: databases, caches, queues, API gateways, load balancers, storage, compute, and security services. Each carries a technology and version, an endpoint and port, an environment (production, staging, or development), a status, a criticality, an owner, and the role and connection type that describe how the application uses it.

Question 7

Is component tracking included in every Alvor plan?

Accepted Answer

Yes. Components are part of the Asset Management module, which ships with every Alvor plan from Starter ($8,000/year) through Enterprise. No separate SBOM tool to procure, no tier-gating, no add-on SKU.

A bill of materials for every asset.

An inventory says what you have. A bill of materials says what you are exposed to.

Open an asset. See what it is made of.

Know what every system is built from.

A software bill of materials per asset

Version and scope on every entry

End-of-life awareness

Technical components for applications

Impact analysis for the next CVE

Live on the asset, not in a scanner export

A parts list the rest of the platform reads from.

Asset Management

Risk Management

Dependency Mapping

On components
and SBOM.

See how Alvor works for your role

A bill of materials for every asset.

An inventory says what you have. A bill of materials says what you are exposed to.

Open an asset. See what it is made of.

Know what every system is built from.

A software bill of materials per asset

Version and scope on every entry

End-of-life awareness

Technical components for applications

Impact analysis for the next CVE

Live on the asset, not in a scanner export

A parts list the rest of the platform reads from.

Asset Management

Risk Management

Dependency Mapping

On components
and SBOM.

See how Alvor works for your role

A bill of materials for every asset.

An inventory says what you have. A bill of materials says what you are exposed to.

Open an asset. See what it is made of.

Know what every system is built from.

A software bill of materials per asset

Version and scope on every entry

End-of-life awareness

Technical components for applications

Impact analysis for the next CVE

Live on the asset, not in a scanner export

A parts list the rest of the platform reads from.

Asset Management

Risk Management

Dependency Mapping

On componentsand SBOM.

See how Alvor works for your role

A bill of materials for every asset.

An inventory says what you have. A bill of materials says what you are exposed to.

Open an asset. See what it is made of.

Know what every system is built from.

A software bill of materials per asset

Version and scope on every entry

End-of-life awareness

Technical components for applications

Impact analysis for the next CVE

Live on the asset, not in a scanner export

A parts list the rest of the platform reads from.

Asset Management

Risk Management

Dependency Mapping

On componentsand SBOM.

See how Alvor works for your role

On components
and SBOM.

On components
and SBOM.