
Software Bill of Materials

Last updated: 2026-05-26

A Software Bill of Materials (SBOM) is a machine-readable inventory of every component shipped in the ClipCatalog desktop application — its Flutter and Dart packages, Python sidecar dependencies, vendored binaries (FFmpeg, whisper.cpp, ExifTool, GPU enumeration tools), AI models, and the Flutter framework / Dart SDK used to build the release. Each release of ClipCatalog ships with its own SBOM in CycloneDX 1.6 JSON format.

Publishing this file at a stable URL lets regulators, security researchers, and SBOM-aggregation tools (Dependency-Track, GUAC, OSV scanners) ingest the inventory without downloading the full installer. The same files also travel inside the installer at <install>\licenses\sbom\ for offline auditing.

This addresses EU Cyber Resilience Act Annex I Part II §1, which requires manufacturers to identify and document the components contained in a product with digital elements. CycloneDX 1.6 is one of the two formats accepted by BSI TR-03183-2 (the German implementation guidance most often cited under the CRA).

Stable URL

The latest released SBOM is always available at:

/security/sbom/latest.cdx.json

This file is a byte-identical copy of the highest-versioned SBOM below — automation that wants a single, fixed URL can poll it directly (currently v0.19.1). Per-version files have permanent, immutable URLs of the form /security/sbom/clipcatalog-vMAJOR.MINOR.PATCH.cdx.json.

Available SBOMs

Scope

These SBOMs cover only the user-facing desktop application — the same binaries shipped in the Windows installer. The cloud backend (AWS Lambda licensing API, payment webhook processor, mail sender) is documented separately and not published publicly: those components never reach end-user machines, and exposing the internal function names and dependency graph would broaden the attack surface for no auditing benefit. Regulators with a legitimate request can obtain the backend SBOM from support@clipcatalogpro.com.

What's in the SBOM

Each component is identified by a Package URL (PURL):

  • pkg:pub/<name>@<version> for Dart and Flutter packages from pub.dev
  • pkg:pypi/<name>@<version> for Python sidecar dependencies
  • pkg:github/<org>/<repo>@<commit> for upstream-on-GitHub components (Flutter framework, Flutter engine, Qdrant, FFmpeg builds)
  • pkg:huggingface/<org>/<name>@<commit> for AI model weights
  • pkg:generic/<name>@<version> for everything else (vendored binaries, first-party code)

Per-file SHA-256 hashes are recorded for every shipped binary; license metadata mirrors the third-party licenses page. The SBOM does not contain vulnerability data — public security advisories for ClipCatalog are published separately under /security/ as per-CVE pages plus a machine-readable CSAF 2.x feed.
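The two things an auditor does with a file like this are read the PURLs and re-check the recorded hashes. The script below is an added example, not ClipCatalog's own tooling: it decodes each component's PURL in the order the PURL spec prescribes, groups components by PURL type (pub, pypi, github, huggingface, generic), and recomputes the SHA-256 of every shipped file that carries a hash entry, reporting ok, mismatch or missing. The CycloneDX document, the file names, the versions and the file contents are constructed inside the script so it runs offline; how a file component's path is encoded is an assumption (the component name is taken as the path relative to the install directory), since the page does not say.

```python
"""Inspect a CycloneDX 1.6 JSON SBOM of the kind described on this page:
parse Package URLs, group components by PURL type, and recompute the
per-file SHA-256 digests against the shipped binaries.

Added example, not ClipCatalog's own tooling. Everything below (document,
file names, versions, bytes on disk) is constructed so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Decode a PURL in the spec's order: scheme, '#subpath', '?qualifiers',
    '@version', then type/namespace/name. Namespace is None for types such
    as pub and pypi; qualifiers are returned as the raw string."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    rest = purl[len("pkg:"):].strip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    version = None
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
        version = unquote(version)
    parts = rest.split("/")
    if len(parts) < 2:
        raise ValueError(f"PURL needs a type and a name: {purl!r}")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers or None,
        "subpath": subpath or None,
    }


def load_sbom(path: str) -> dict:
    with open(path, "rb") as f:
        sbom = json.load(f)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def group_by_purl_type(sbom: dict) -> dict:
    """Map PURL type -> component names. Components with no PURL at all are
    filed under the key None so an auditor notices the gap."""
    groups: dict = {}
    for comp in sbom.get("components", []):
        key = parse_purl(comp["purl"])["type"] if comp.get("purl") else None
        groups.setdefault(key, []).append(comp["name"])
    return groups


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_hashes(sbom: dict, install_dir: str) -> dict:
    """Recompute the SHA-256 of every 'file' component that records one.
    Assumption (not stated on the page): the component name is the file's
    path relative to install_dir. Returns {name: ok|mismatch|missing}."""
    results = {}
    for comp in sbom.get("components", []):
        expected = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if expected is None or comp.get("type") != "file":
            continue
        path = os.path.join(install_dir, comp["name"])
        if not os.path.isfile(path):
            results[comp["name"]] = "missing"
        elif sha256_file(path) == expected:
            results[comp["name"]] = "ok"
        else:
            results[comp["name"]] = "mismatch"
    return results


def build_fixture() -> tuple:
    """Constructed install dir plus SBOM: ffmpeg.exe ships intact,
    whisper.dll is altered after its hash was recorded, exiftool.exe is
    listed but absent. Names and versions are illustrative placeholders."""
    d = tempfile.mkdtemp()

    def write(name: str, data: bytes) -> str:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        return sha256_file(p)

    ffmpeg_hash = write("ffmpeg.exe", b"constructed ffmpeg bytes")
    whisper_hash = write("whisper.dll", b"constructed whisper bytes")
    write("whisper.dll", b"constructed whisper bytes, tampered")
    sbom = {
        "bomFormat": "CycloneDX", "specVersion": "1.6",
        "metadata": {"component": {"type": "application",
                                   "name": "ClipCatalog", "version": "0.19.1"}},
        "components": [
            {"type": "library", "name": "ffi", "purl": "pkg:pub/ffi@2.1.3"},
            {"type": "library", "name": "numpy", "purl": "pkg:pypi/numpy@2.2.0"},
            {"type": "framework", "name": "flutter",
             "purl": "pkg:github/flutter/flutter@0123abcd"},
            {"type": "machine-learning-model", "name": "whisper-small",
             "purl": "pkg:huggingface/openai/whisper-small@89abcdef"},
            {"type": "file", "name": "ffmpeg.exe", "purl": "pkg:generic/ffmpeg.exe@7.1",
             "hashes": [{"alg": "SHA-256", "content": ffmpeg_hash}]},
            {"type": "file", "name": "whisper.dll", "purl": "pkg:generic/whisper.dll@1.7",
             "hashes": [{"alg": "SHA-256", "content": whisper_hash}]},
            {"type": "file", "name": "exiftool.exe", "purl": "pkg:generic/exiftool.exe@13.0",
             "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
            {"type": "library", "name": "internal-glue"},  # no PURL on purpose
        ],
    }
    sbom_path = os.path.join(d, "clipcatalog-v0.19.1.cdx.json")
    with open(sbom_path, "w") as f:
        json.dump(sbom, f)
    return sbom_path, d


if __name__ == "__main__":
    sbom_path, install_dir = build_fixture()
    sbom = load_sbom(sbom_path)
    for ptype, names in group_by_purl_type(sbom).items():
        print(f"{ptype or '(no purl)'}: {', '.join(names)}")
    for name, status in verify_hashes(sbom, install_dir).items():
        print(f"{status:8} {name}")
```

Against a real release, point `load_sbom` at the downloaded `.cdx.json` and `verify_hashes` at the installation directory; a `mismatch` on any vendored binary is exactly the condition the per-file hashes exist to detect, and a `missing` entry usually means the path assumption above needs adjusting for how the installer lays files out.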

Verifying authenticity

These files are served over HTTPS from clipcatalogpro.com with a public TLS certificate logged in Certificate Transparency. TLS authenticates the web host at download time only; it cannot tell you whether the file was altered on that host after the release pipeline produced it. For an independent check, compare the SHA-256 of the downloaded file against a copy that did not come from the website: the per-file hash published with the corresponding release's installer (the same SBOM ships inside it at <install>\licenses\sbom\), or the release-pipeline receipt in this project's git history. The copies must match byte for byte; any difference means one of them was not produced by the release pipeline.

Contact

Questions about a component, a missing entry, or a request to produce the backend SBOM under a specific regulatory mandate: contact support@clipcatalogpro.com. For coordinated security vulnerability disclosure, see the Security & CVD policy.

Manufacturer: PAULUS DIGITAL SOLUTIONS LLC.