SPDX SBOM export
Learn how to create a SPDX SBOM Export.
SPDX is an open standard for communicating software bill of materials (SBOM) information, including provenance, license, security, and other related data. SPDX reduces redundant work by providing common formats in which organizations and communities can share this data, thereby streamlining and improving compliance, security, and dependability.
The relationships between components are presented in the `relationships` array. Debricked SPDX SBOMs support the following two types of relationship objects:

- `DESCRIBES`, which is used to declare each file and dependency component in the BOM.
- `DEPENDENCY_OF`, which denotes a direct relationship between two components.
In the objects describing the direct dependencies of a file, `relatedSpdxElement` contains the reference of that file. Relationships between dependencies instead reference the parent dependency. By traversing the `relationships` array, it is possible to build the entire dependency tree.
In the example below, you can see direct dependency `webpack-4.28.4` referenced as a dependency of a file. Component `terser-webpack-plugin-1.2.1` is in turn referenced as a dependency of `webpack-4.28.4` and lastly, `terser-3.14.1` is a dependency of `terser-webpack-plugin-1.2.1`.
Here is how this would be visualised in the user interface:
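The traversal described above, as an added example that is not part of the Debricked documentation or tooling: it rebuilds the `package.json` -> `webpack-4.28.4` -> `terser-webpack-plugin-1.2.1` -> `terser-3.14.1` chain from a constructed SPDX document. The `SPDXID` values and the file name `package.json` are assumptions. A consumer should treat the export as untrusted input, so the code rejects relationships that reference undeclared elements and refuses to recurse through a cycle instead of looping forever.

```python
import json
from collections import defaultdict

# Constructed sample mirroring the page's example. The SPDXID values and the
# file entry "package.json" are assumptions, not taken from a real Debricked export.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "files": [{"SPDXID": "SPDXRef-File-1", "fileName": "package.json"}],
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "webpack", "versionInfo": "4.28.4"},
        {"SPDXID": "SPDXRef-Package-2", "name": "terser-webpack-plugin", "versionInfo": "1.2.1"},
        {"SPDXID": "SPDXRef-Package-3", "name": "terser", "versionInfo": "3.14.1"},
    ],
    "relationships": [
        # DESCRIBES: one entry per file and dependency component in the BOM
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-File-1"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-1"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-2"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-3"},
        # DEPENDENCY_OF: spdxElementId is the dependency, relatedSpdxElement its parent
        {"spdxElementId": "SPDXRef-Package-1", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-File-1"},
        {"spdxElementId": "SPDXRef-Package-2", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Package-1"},
        {"spdxElementId": "SPDXRef-Package-3", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Package-2"},
    ],
}

def build_tree(doc):
    """Return {file: {dep: {dep: ...}}} built from the DEPENDENCY_OF relationships."""
    labels = {e["SPDXID"]: e["fileName"] for e in doc.get("files", [])}
    labels.update({e["SPDXID"]: f'{e["name"]}-{e["versionInfo"]}' for e in doc.get("packages", [])})
    children = defaultdict(list)
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] != "DEPENDENCY_OF":
            continue
        dep, parent = rel["spdxElementId"], rel["relatedSpdxElement"]
        # Reject references to elements the document never declared rather than
        # silently dropping them: a tree with holes hides components from review.
        if dep not in labels or parent not in labels:
            raise ValueError(f"relationship references undeclared element: {dep} -> {parent}")
        children[parent].append(dep)

    def walk(node, path):
        if node in path:  # a malformed BOM with a cycle must not recurse forever
            raise ValueError(f"cycle through {labels[node]}")
        return {labels[c]: walk(c, path | {node}) for c in children[node]}

    return {labels[f["SPDXID"]]: walk(f["SPDXID"], frozenset()) for f in doc.get("files", [])}

if __name__ == "__main__":
    print(json.dumps(build_tree(SAMPLE_SPDX), indent=2))
```

To run it against a real export, replace `SAMPLE_SPDX` with `json.load(open("export.spdx.json"))`.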