Signed CycloneDX SBOMs for CRA Compliance Available for Text Control Products

Text Control is proud to announce that we now provide signed CycloneDX Software Bill of Materials (SBOMs) for our products, ensuring compliance with the Cyber Resilience Act (CRA) and enhancing transparency for our customers. This initiative reflects our commitment to security and compliance, allowing our customers to easily access detailed information about the components used in our software.

We are pleased to announce the release of Software Bill of Materials (SBOM) files for all TX Text Control .NET NuGet packages starting with version 34.0, as well as for TX Spell .NET 11.0. These SBOMs are provided in the CycloneDX JSON format and are digitally signed with detached PKCS#7 signatures.

An SBOM is a machine-readable inventory of the software components, dependencies, versions, and cryptographic hashes used in a software product. SBOMs have recently become a key requirement in enterprise software procurement, software supply chain security, vulnerability management, and regulatory compliance initiatives, such as the European Union's Cyber Resilience Act (CRA).

The CRA took effect in December 2024. Most obligations for manufacturers of products with digital elements will take effect in December 2027, while vulnerability reporting obligations will begin earlier, in September 2026. The regulation establishes software supply chain transparency and vulnerability management as mandatory requirements for vendors operating in the European market.

The provided SBOMs are generated in the CycloneDX format and align with the requirements of BSI Technical Guideline TR-03183-2, published by the German Federal Office for Information Security (BSI). This guideline defines the detailed requirements for enterprise-grade SBOMs, including dependency relationships, cryptographic hashes, component provenance, licensing information, and metadata for deployable artifacts.

What Do the Text Control SBOMs Contain?

Text Control's Software Bill of Materials (SBOM) provides a structured overview of the components and dependencies included in our distributed NuGet packages. Designed to support enterprise compliance, software supply chain transparency, and security scanning workflows, the SBOMs are provided in the industry-standard CycloneDX format.

"TX Text Control is developed almost entirely in-house and only relies on a handful of external dependencies, resulting in compact and easy-to-review SBOMs."

The SBOMs contain:

  • package name and version information
  • supplier and package metadata
  • lists of first-party and third-party dependencies
  • transitive dependencies included through referenced packages
  • included third-party native libraries, including statically linked libraries where applicable
  • package identifiers and licensing metadata
  • a dependency graph for the package the SBOM describes

Fortunately, we develop almost the entire TX Text Control technology stack in-house, so we have very few external dependencies. This makes our SBOMs short and easy to review.

We provide SBOMs for our products to help our customers meet their compliance obligations under the CRA and other regulatory frameworks. This enhances the security and transparency of our software supply chain. We are dedicated to helping our customers navigate the ever-changing landscape of software supply chain security and compliance.

The following NuGet packages are currently covered:

  • TXTextControl.TextControl.ASP.SDK
  • TXTextControl.TextControl.Core.SDK
  • TXTextControl.TextControl.WinForms.SDK
  • TXTextControl.TextControl.WPF.SDK
  • TXTextControl.Web
  • TXTextControl.Web.DocumentEditor.Backend
  • TXTextControl.Web.DocumentViewer
  • TXTextControl.TXSpell.Core.SDK
  • TXTextControl.TXSpell.WinForms.SDK
  • TXTextControl.TXSpell.WPF.SDK

For every published package, the following files are available:

| File | Description |
|------|-------------|
| .cyclonedx.json | The CycloneDX SBOM file in JSON format. |
| .cyclonedx.json.p7s | A detached PKCS#7 signature for the SBOM file, allowing users to verify the authenticity and integrity of the SBOM. |
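How a consumer might check such a detached signature before trusting an SBOM, as an added example (not Text Control's code). It assumes the `openssl` command-line tool is on the PATH and that the `.p7s` file is DER-encoded, which the announcement does not state; the signer, key and SBOM in `demo()` are throwaway values constructed for the demonstration.

```python
import os
import subprocess
import tempfile


def verify_detached(sbom_path, sig_path, trust_anchor_pem):
    """True only if sig_path is a valid detached PKCS#7 signature over the
    exact bytes of sbom_path and the signer chains to trust_anchor_pem."""
    cmd = ["openssl", "smime", "-verify", "-binary",
           "-inform", "DER",             # assumption: the .p7s is DER-encoded
           "-in", sig_path,
           "-content", sbom_path,        # detached: the content is passed separately
           "-CAfile", trust_anchor_pem,  # certificate(s) the verifier already trusts
           "-purpose", "any",
           "-out", os.devnull]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def demo():
    """Sign a constructed SBOM with a throwaway key, then verify the original
    file and a tampered copy. Returns (ok_original, ok_tampered)."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "key.pem")
        cert = os.path.join(d, "cert.pem")
        sbom = os.path.join(d, "sample.cyclonedx.json")
        sig = sbom + ".p7s"
        with open(sbom, "wb") as f:
            f.write(b'{"bomFormat": "CycloneDX", "components": []}\n')
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", key, "-out", cert, "-days", "1",
                 "-subj", "/CN=Constructed Test Signer")
        _openssl("smime", "-sign", "-binary", "-in", sbom, "-signer", cert,
                 "-inkey", key, "-outform", "DER", "-out", sig)
        ok_original = verify_detached(sbom, sig, cert)
        with open(sbom, "ab") as f:      # a single changed byte must fail
            f.write(b" ")
        ok_tampered = verify_detached(sbom, sig, cert)
        return ok_original, ok_tampered


if __name__ == "__main__":
    print(demo())
```

In real use, `trust_anchor_pem` has to come from the publisher through a channel separate from the SBOM download; a signature checked only against the certificate embedded in the `.p7s` says nothing about who signed it.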

SBOMs in Enterprise Software Supply Chain Security and Compliance

Ensuring the security of the software supply chain has become one of the most important aspects of enterprise software development and procurement. Modern applications depend on a large number of direct and transitive dependencies. Without transparency into these dependencies, organizations cannot effectively:

  • Identify affected components during security incidents
  • Automate vulnerability scanning
  • Assess software provenance
  • Meet compliance requirements
  • Implement secure software lifecycle processes

Modern enterprise environments are increasingly integrating SBOMs into critical security and compliance workflows. These workflows include CI/CD pipelines, vulnerability scanning platforms, container registries, procurement validation systems, SIEM and governance solutions, and automated VEX and CSAF processes.

SBOMs include detailed dependency relationships, deployable file hashes, exact binary versions, and digital signatures. These features allow SBOMs to be consumed directly by enterprise security tooling and software composition analysis (SCA) platforms. SBOMs support automated validation, vulnerability assessment, and software supply chain transparency.

Integration Into Security Pipelines

SBOMs can be integrated into CI/CD pipelines to automate security checks and compliance validation. For instance, an SBOM can be generated and automatically scanned for known vulnerabilities using SCA tools during the build process. If critical vulnerabilities are detected, the build fails, which prevents vulnerable software from being deployed. Typical tools for this include:

  • Dependency-Track
  • OWASP Dependency-Check
  • Anchore
  • Snyk
  • Black Duck
  • GitHub Advanced Security
  • Microsoft Defender for DevOps
  • Container scanning and SCA platforms supporting CycloneDX
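A minimal version of the build gate described above, as an added example (not Text Control's code and not how any of the listed tools work internally). The SBOM uses CycloneDX JSON field names, but the component names, purls, advisory identifiers and the `gate` function are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample SBOM using CycloneDX JSON field names; the component
# names, versions and purls are hypothetical.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {"component": {"bom-ref": "app", "name": "Example.App", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "a", "name": "Example.Imaging", "version": "2.1.0", "purl": "pkg:nuget/Example.Imaging@2.1.0"},
    {"bom-ref": "b", "name": "Example.Codec", "version": "0.9.3", "purl": "pkg:nuget/Example.Codec@0.9.3"},
    {"bom-ref": "c", "name": "Example.Json", "version": "5.0.0", "purl": "pkg:nuget/Example.Json@5.0.0"}],
  "dependencies": [{"ref": "app", "dependsOn": ["a", "c"]}, {"ref": "a", "dependsOn": ["b"]}]
}""")

# Constructed advisory feed: purl -> (placeholder advisory id, severity).
ADVISORIES = {
    "pkg:nuget/Example.Codec@0.9.3": ("ADVISORY-PLACEHOLDER-1", "critical"),
    "pkg:nuget/Example.Json@5.0.0": ("ADVISORY-PLACEHOLDER-2", "low"),
}


def gate(sbom, advisories, fail_on=("critical",)):
    """Return the findings that should fail the build, each with the shortest
    dependency path that pulls the affected component in (None if unlinked)."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:                         # breadth-first walk of the graph
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:       # also protects against cycles
                paths[child] = paths[ref] + [child]
                queue.append(child)
    findings = []
    for ref, comp in by_ref.items():     # check every component, linked or not
        hit = advisories.get(comp.get("purl"))
        if hit and hit[1] in fail_on:
            findings.append({"component": comp["name"], "version": comp["version"],
                             "advisory": hit[0], "path": paths.get(ref)})
    return findings


if __name__ == "__main__":
    blocking = gate(SAMPLE_SBOM, ADVISORIES)
    for f in blocking:
        print("BLOCK", f["component"], f["version"], f["advisory"], f["path"])
    raise SystemExit(1 if blocking else 0)   # non-zero exit fails the CI job
```

The returned path shows which direct dependency introduces a transitive one, which is the information needed to decide what to upgrade or replace.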

Enterprise Focus and Transparency

At Text Control, we have always built our enterprise software development around long-term stability, deterministic behavior, compliance, and transparency. Our ongoing ISO/IEC 27001 efforts are an important part of this strategy. The publication of signed SBOMs is another significant step toward enhancing transparency and supply chain security for our customers.

However, transparency in the software supply chain goes beyond publishing technical metadata files.

When selecting software library vendors, organizations should evaluate not only whether SBOMs are available but also where the software is developed and who writes the code.

Transparency about dependencies is an important aspect of establishing trust in software. Transparency about software origin is equally important. Organizations should ask:

  • In which countries is the software developed?
  • Is development outsourced?
  • Are subcontractors involved?
  • Who has access to the source code?
  • Which entities participate in the build and release process?

At Text Control, our engineering teams in Germany perform all core development, engineering, and product maintenance entirely in-house. We do not outsource core product development or rely on external subcontractors to implement our document processing engines and core technologies.

For enterprise customers operating in regulated industries such as government, healthcare, finance, legal technology, and other compliance-sensitive sectors, software provenance and engineering transparency are critical factors in vendor selection.

The availability of signed, standards-based SBOMs is an important part of our larger commitment to transparency, trust, and enterprise-grade software development.

How to Access the SBOMs

Signed CycloneDX SBOM files are available for all supported TX Text Control and TX Spell .NET NuGet packages, starting with versions 34.0 and 11.0, respectively.

Customers with an active subscription can contact our support and sales teams to obtain the corresponding SBOM files and detached digital signatures for their licensed products.

If you have any questions about our SBOMs, software supply chain security, or compliance initiatives, please reach out to us. We are dedicated to helping our customers confidently and transparently navigate the complex landscape of software supply chain security and compliance.
