---
title: "Do open source SBOM generation tools introduce risk?"
description: "Introducing any software into your environment may introduce risk and therefore an appropriate supplier assessment should be conducted, including the risk of new software and tools introduced."
category: "Frequently Asked Questions"
section: "Supply Chain Management Software Dependencies"
keywords: ["introduce", "tools", "generation", "source", "risk", "sbom", "open", "software"]
source_url: "https://support.ketryx.com/hc/en-us/articles/33469434642445-Do-open-source-SBOM-generation-tools-introduce-risk"
last_reviewed: 2026-06-11
---

# Do open source SBOM generation tools introduce risk?

Introducing any software into your environment may introduce risk and therefore an appropriate supplier assessment should be conducted, including the risk of new software and tools introduced. Something like this would most likely be included in a list of the non-product software used to develop that device - which could be listed in a spreadsheet, or in a plan.

## Related articles

- [Can a System Requirement trace from a Risk, in addition to a parent User Need Requirement, especially when identified during a preliminary risk assessment?](can-a-system-requirement-trace-from-a-risk-in-addition-to-a-parent-user-need.md)
- [How does Ketryx manage vulnerabilities as opposed to product and patient related risks?](how-does-ketryx-manage-vulnerabilities-as-opposed-to-product-and-patient.md)
- [Why don't cybersecurity risk management fields copy over across all projects that share a repository in the SBoM module? Do I have to copy over information from the other project or is there an easy way to move this data?](why-don-t-cybersecurity-risk-management-fields-copy-over-across-all-projects.md)
- [SBOM Transitive Dependencies](sbom-transitive-dependencies.md)
- [How is Ketryx different from JIRA tracking and Bitbucket?](how-is-ketryx-different-from-jira-tracking-and-bitbucket.md)
