search
WebsiteBlog

CycloneDX SBOM export

Learn how to create a CycloneDX SBOM Export.

circle-info

This feature is only available for SCA Enterprisearrow-up-right users. Already have an account? Click here to upgrade.arrow-up-right

hashtag
What is CycloneDX?

CycloneDX, developed by the Open Web Application Security Project (OWASP), is an open common standard for communicating SBOM information, a data format.

hashtag
Dependency relations

In the dependencies array, you can find a reference number (ref) for each component and an array of each direct dependency of that dependency (depends_on). The roots of the relational trees will reference to the files in the project, together with the direct dependencies that it contains. By traversing the dependencies array, it is possible to build the entire dependency tree.

In example below, you can see the direct dependency `webpack:4.28.4` depending on `terser-webpack-plugin:1.2.1` which in turn depends on `terser:3.14.1`.


    "dependencies": [
    {
        "ref": "e771afadf654cc12c324a0dd716518dd",
        "depends_on": ["cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~",
        "depends_on": ["cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~",
        "depends_on": ["cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~",
        "depends_on": []
    }
    ]

Here is how this would be visualised in the user interface:

hashtag
Root fixes

Under Recommendation, you can find information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See example below:

Last updated

Was this helpful?