search
WebsiteBlog

SPDX SBOM export

Learn how to create a SPDX SBOM Export.

circle-info

This feature is only available for SCA Enterprisearrow-up-right users. Already have an account? Click here to upgrade.arrow-up-right

hashtag
What is SPDX?

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

circle-info

Unlike the CycloneDX SBOM, the SPDX SBOM does not contain vulnerability information.

hashtag
Dependency relations

The relationships between components are presented in the relationships array. OpenText Core SCA SPDX SBOMs support following two types of relationship objects:

  • DESCRIBES which is used for declaring each file and dependency component in the BOM.

  • DEPENDENCY_OF which denotes a direct relationship between two components.

In the objects describing the direct dependencies of a file, the 'relatedSpdxElement' will contain the reference of that file. Relationships between dependencies will instead reference the parent dependency. By traversing the dependencies array, it is possible to build the entire dependency tree.

In the example below, you can see direct dependency `webpack-4.28.4` referenced as a dependency of a file. Component `terser-webpack-plugin-1.2.1` is in turn referenced as a dependency of `webpack-4.28.4` and lastly, `terser-3.14.1` is a dependency of `terser-webpack-plugin-1.2.1`.

"relationships": [
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-3.14.1",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-terser-3.14.1",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
        "relationshipType": "DEPENDENCY_OF"
    }
],

Here is how this would be visualised in the user interface:

Last updated

Was this helpful?