CycloneDX SBOM export

Learn how to create a CycloneDX SBOM Export.

This feature is only available for SCA Enterprise users.

What is CycloneDX?

CycloneDX, developed by the Open Web Application Security Project (OWASP), is an open standard and data format for communicating SBOM information.

Dependency relations

In the dependencies array, you can find a reference identifier (ref) for each component and an array of that component's direct dependencies (depends_on). The roots of the relational trees refer to the files in the project, together with the direct dependencies each file contains. By traversing the dependencies array, it is possible to build the entire dependency tree.

In the example below, the direct dependency `webpack:4.28.4` depends on `terser-webpack-plugin:1.2.1`, which in turn depends on `terser:3.14.1`.

Here is how this would be visualised in the user interface:

Root fixes

Under Recommendation, you can find information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See example below:


Example dependencies array:

    "dependencies": [
        {
            "ref": "e771afadf654cc12c324a0dd716518dd",
            "depends_on": ["cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~"]
        },
        {
            "ref": "cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~",
            "depends_on": ["cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~"]
        },
        {
            "ref": "cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~",
            "depends_on": ["cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~"]
        },
        {
            "ref": "cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~",
            "depends_on": []
        }
    ]

Example recommendation (fragment of a vulnerability entry):

    "recommendation": "Multiple components are affected by this vulnerability.
    Component: pkg:npm/[email protected]
    Safe version: 3.2.2.
    Root fixes: Update root dependency pkg:npm/[email protected] to 0.16.2.
    ---------
    Component: pkg:npm/[email protected]
    Safe version: 2.6.4.
    Root fixes: Update root dependency pkg:npm/[email protected] to 1.3.4.",
    "created": "2022-04-06T17:15:00+00:00",
    "published": "2022-04-06T17:15:00+00:00",
    "updated": "2022-04-06T17:15:00+00:00",
    "affects": [
        {
            "ref": "pkg:npm/[email protected]"
        },
        {
            "ref": "pkg:npm/[email protected]"
        }
    ],
    "references": [
        {
            "id": "GHSA-fwr7-v2mv-hh25",
            "source": {
                "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
                "name": "GitHub"
            }
        }
    ]

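The two fragments above are what a consumer has to join: the dependency walk tells you which direct dependency pulls a vulnerable component in, and the recommendation text tells you what to bump it to. The Python below is an added example, not code from this page or from OpenText Core SCA. It rebuilds the tree from a constructed SBOM that reuses the page's refs and key names (`ref` / `depends_on`), reports the direct dependency on every path from a project file to an affected ref, and parses a recommendation text of the shape shown above into fields. The vulnerability id, the affected ref and the package names in the recommendation are made up for the example.

```python
"""Tie CycloneDX vulnerabilities back to the direct dependency that introduces
them, using the ``dependencies`` array described on this page.

Added example.  SAMPLE_SBOM is constructed: it reuses the page's refs and key
names, but the vulnerability entry and recommendation text are invented.
"""
import json
import re

SAMPLE_SBOM = json.loads(r'''
{
  "dependencies": [
    {"ref": "e771afadf654cc12c324a0dd716518dd",
     "depends_on": ["cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~"]},
    {"ref": "cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~",
     "depends_on": ["cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~"]},
    {"ref": "cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~",
     "depends_on": ["cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~"]},
    {"ref": "cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~", "depends_on": []}
  ],
  "vulnerabilities": [
    {
      "id": "EXAMPLE-VULN-0001",
      "affects": [{"ref": "cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~"}],
      "recommendation": "Multiple components are affected by this vulnerability.\nComponent: pkg:npm/example-a@1.0.0\nSafe version: 1.0.5.\nRoot fixes: Update root dependency pkg:npm/example-root@2.0.0 to 2.1.0.\n---------\nComponent: pkg:npm/example-b@3.0.0\nSafe version: 3.2.0.\nRoot fixes: Update root dependency pkg:npm/other-root@0.9.0 to 1.0.0."
    }
  ]
}
''')


def build_graph(sbom):
    """ref -> list of refs it directly depends on, straight from the array."""
    return {d["ref"]: list(d.get("depends_on", [])) for d in sbom["dependencies"]}


def root_refs(graph):
    """Refs that nothing depends on are the roots: the project files."""
    depended_on = {child for children in graph.values() for child in children}
    return [ref for ref in graph if ref not in depended_on]


def paths_to(graph, target):
    """Every root-to-target path; path[1] is the direct dependency to bump."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency data
                walk(child, path + [child])

    for root in root_refs(graph):
        walk(root, [root])
    return found


def cpe_name_version(ref):
    """Pull (name, version) out of the CPE-style refs used in the export."""
    parts = ref.split(":")
    if ref.startswith("cpe:2.3:") and len(parts) > 5:
        return parts[4], parts[5]
    return ref, ""


def parse_recommendation(text):
    """Split the multi-component recommendation text into structured entries."""
    entries, current = [], {}
    fix_re = re.compile(r"Update root dependency (\S+) to (\S+?)\.?$")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Component: "):
            current = {"component": line[len("Component: "):]}
        elif line.startswith("Safe version: "):
            current["safe_version"] = line[len("Safe version: "):].rstrip(".")
        elif line.startswith("Root fixes: "):
            match = fix_re.match(line[len("Root fixes: "):])
            if match:
                current["root"], current["root_fix_version"] = match.groups()
            entries.append(current)
    return entries


def direct_dependencies_to_fix(sbom, vuln_index=0):
    """For each affected ref, the direct dependencies whose subtree contains it."""
    graph = build_graph(sbom)
    result = {}
    for affected in sbom["vulnerabilities"][vuln_index]["affects"]:
        target = affected["ref"]
        result[target] = sorted({p[1] for p in paths_to(graph, target) if len(p) > 1})
    return result


if __name__ == "__main__":
    vuln = SAMPLE_SBOM["vulnerabilities"][0]
    for affected, directs in direct_dependencies_to_fix(SAMPLE_SBOM).items():
        name, version = cpe_name_version(affected)
        via = ", ".join("@".join(cpe_name_version(d)) for d in directs)
        print(f"{vuln['id']}: {name}@{version} is pulled in via {via}")
    for entry in parse_recommendation(vuln["recommendation"]):
        print(entry)
```

The path walk deliberately returns every path rather than the first one: a shared transitive component can sit under several direct dependencies, and each of them needs the root fix before the vulnerable version disappears from the tree.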
SBOM export

Learn about SBOM export reports.

This feature is only available for enterprise users.

What is an SBOM?

A Software Bill of Materials (SBOM) is a record of the supply chain relationships between the components used when creating software. The record lists all components of a product, including all open source software, which can be helpful for both the developers and other stakeholders, such as investors and legal teams.

The SBOM includes the following data points:

  • Proof of license - A reference to the source from where the license information is fetched. This field is applicable only for CycloneDX SBOM.

  • License text - The actual text that the license consists of. This field is applicable only for CycloneDX SBOM.

  • Copyright statement - Displays the person or organization who holds the copyright.

  • Open Source Select link - A link to the dependency page in Open Source Select, where you can find additional information on the specific open-source package.

  • Dependency relations - Contains information on each component and its direct dependencies. See the Dependency relations sections on the CycloneDX SBOM export and SPDX SBOM export pages for more details.

  • Root Fixes - This data can be found under Recommendation. It consists of information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See the section Root Fixes for more details. This field is applicable only for CycloneDX SBOM.

  • Reachability Analysis - Displays the Reachability Analysis results for each vulnerability (if Reachability Analysis has been run). This field is applicable only for CycloneDX SBOM.

    • Reachable - Vulnerability confirmed reachable in code.

    • Not Reachable - Vulnerability not reachable through any execution path.

    • Unknown - Insufficient information to determine reachability.

Keep in mind that license information may differ depending on the package and the specific version used.

Export a CycloneDX or SPDX SBOM using the web tool

Keep in mind that this feature is only available for enterprise users.

In order to generate the CycloneDX or SPDX SBOM export:

  1. Click Generate export in the top right corner of the page.

  2. Under Scope, choose one of the following options:

    1. Global export: Export the SBOM for all repositories you have access to.

    2. Repositories: Select specific repositories for which you want to view the data and then choose the corresponding branch. If you select multiple repositories, the Branch drop-down will display only the branches common to all the selected repositories.

    3. Groups: Export the SBOM for a specific group of repositories.

  3. Under Export Type, select CycloneDX or SPDX under SBOM.

  4. Click Generate.

  5. Check your email for the exported data, which will be sent to you in the .json format. If you cannot find the email in your inbox, check the spam folder.

Export a CycloneDX or SPDX SBOM using the web tool - video guide

Export a CycloneDX or SPDX SBOM to email using the API

If you have already integrated your repository with OpenText Core SCA, you can generate a CycloneDX or SPDX SBOM by fetching your data through the API.

To use the OpenText Core SCA REST API, you must authenticate first.

Endpoint: /api/{1.0}/open/sbom/generate

Following is an example of a request using curl to generate an SPDX SBOM (to generate a CycloneDX SBOM, use "format": "CycloneDX"):

    curl -X 'POST' \
      'https://debricked.com/api/1.0/open/sbom/generate' \
      -H 'accept: application/json' \
      -H 'Authorization: Bearer <token>' \
      -H 'Content-Type: application/json' \
      -d '{
      "format": "SPDX-2.3",
      "email": "[email protected]",
      "repositoryIds": [
        1
      ],
      "vulnerabilities": true,
      "rootFixes": true,
      "licenses": true,
      "sendEmail": true
    }'

You can send the following parameters in the body of the request: commitId, email, repositoryIds, branch, locale. You can choose to add license and vulnerability data using licenses: true/false and vulnerabilities: true/false.

If you provide a commitId, the branch and repositoryIds will be ignored. If you leave the branch field empty, the report is generated for the identified default branch (most likely 'main' or 'master', if applicable) of the selected repository. It is also possible to create an SBOM for all repositories by not specifying any repositoryIds.

Once you send the request, you will receive your SBOM via email in the .json format. If you cannot find the email in your inbox, check the spam folder. If you do not provide an email address, the SBOM will be sent to the email of the user who created the request.

Export a CycloneDX or SPDX SBOM to email using the API - video guide

Export a CycloneDX or SPDX SBOM directly from the API

It is also possible to generate a CycloneDX or SPDX SBOM and download it directly through the API. The response of the /api/1.0/open/sbom/generate endpoint contains a reportUuid, which can be used with the /api/1.0/open/sbom/download endpoint.

Following is an example response from the /api/1.0/open/sbom/generate endpoint:

    {
      "message": "The report has started generating and can be downloaded through the 'download' endpoint once ready, by using the reportUuId stated below. Be aware that it might take some time before it's finished",
      "reportUuid": "<report_uuid>",
      "notes": [
        "Example note"
      ]
    }

Following is an example request for the /api/1.0/open/sbom/download endpoint:

    curl -X 'GET' \
      'https://debricked.com/api/1.0/open/sbom/download?reportUuid=<report_uuid>' \
      -H 'accept: */*' \
      -H 'Authorization: Bearer <token>'

If you do not want the report to also be sent to your email, set the "sendEmail" value to "false" in the /api/1.0/open/sbom/generate request.

Click the following link for an example of exporting a CycloneDX SBOM:

  • CycloneDX SBOM file example

Click the following links to view the list of commands to create an SBOM using the CLI:

  • Manually create an SBOM using the CLI

  • Automatically create an SBOM after scanning, using the CLI

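As an added example (not OpenText Core SCA or Debricked client code), the Python below drives the two API calls described above in the order the page gives them: POST a body to /api/1.0/open/sbom/generate, take the reportUuid from the response, then poll /api/1.0/open/sbom/download with it. The body builder applies the page's parameter rules (a commitId makes branch and repositoryIds irrelevant, so they are not sent; omitting repositoryIds exports all repositories). The HTTP transport is injectable so the flow can be exercised offline against the constructed fake in the block. The format strings are the ones from the page's curl text; treating any non-200 download response as "report not ready yet" is this example's assumption, since the page does not document that status code.

```python
"""Generate-then-download flow for the SBOM endpoints described on this page.

Added example, not vendor client code.  The real transport uses only the
standard library; make_fake_transport() is a constructed stand-in for the
API so the flow runs offline.  Assumptions: format strings "CycloneDX" and
"SPDX-2.3" (from the page's curl example) and non-200 on download == not ready.
"""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://debricked.com/api/1.0/open/sbom"
FORMATS = ("CycloneDX", "SPDX-2.3")


def build_generate_body(fmt, repository_ids=None, branch=None, commit_id=None,
                        email=None, licenses=True, vulnerabilities=True,
                        root_fixes=True, send_email=False):
    """Assemble the generate request body following the page's parameter rules."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {FORMATS}")
    body = {"format": fmt, "licenses": licenses, "vulnerabilities": vulnerabilities,
            "rootFixes": root_fixes, "sendEmail": send_email}
    if commit_id:
        # branch and repositoryIds are ignored when commitId is set, so don't send them
        body["commitId"] = commit_id
    else:
        if repository_ids:  # omitting repositoryIds exports all repositories
            body["repositoryIds"] = list(repository_ids)
        if branch:  # omitted branch -> the repository's default branch
            body["branch"] = branch
    if email:
        body["email"] = email
    return body


def urllib_transport(method, url, token, body=None):
    """Real transport: returns (status, raw_bytes) and never raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    request = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=60) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def export_sbom(token, body, transport=urllib_transport, attempts=10,
                delay_seconds=30, sleep=time.sleep):
    """POST /generate, then poll /download with the returned reportUuid."""
    status, raw = transport("POST", f"{BASE_URL}/generate", token, body)
    if status != 200:
        raise RuntimeError(f"generate failed with HTTP {status}: {raw[:200]!r}")
    report_uuid = json.loads(raw)["reportUuid"]
    download_url = f"{BASE_URL}/download?reportUuid={report_uuid}"
    for _ in range(attempts):
        status, raw = transport("GET", download_url, token)
        if status == 200:
            return json.loads(raw)
        sleep(delay_seconds)  # assumption: non-200 means the report is still generating
    raise TimeoutError(f"report {report_uuid} not ready after {attempts} attempts")


def make_fake_transport(not_ready_polls=2):
    """Constructed fake API: generate succeeds; download is ready after N polls."""
    polls = {"count": 0}

    def fake(method, url, token, body=None):
        if method == "POST" and url.endswith("/generate"):
            return 200, json.dumps({"reportUuid": "<report_uuid>", "notes": []}).encode()
        polls["count"] += 1
        if polls["count"] <= not_ready_polls:
            return 404, b""
        return 200, json.dumps({"bomFormat": "CycloneDX"}).encode()  # constructed payload

    return fake


if __name__ == "__main__":
    body = build_generate_body("CycloneDX", repository_ids=[1], send_email=False)
    sbom = export_sbom("<token>", body, transport=make_fake_transport(),
                       delay_seconds=0, sleep=lambda _: None)
    print(json.dumps(sbom, indent=2))
```

Keep `sendEmail` false when the SBOM is consumed by a pipeline; the report then stays on the download endpoint behind the bearer token instead of also landing in a mailbox.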
SPDX SBOM export

Learn how to create an SPDX SBOM export.

This feature is only available for SCA Enterprise users.

What is SPDX?

SPDX is an open standard for communicating software bill of materials information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

Unlike the CycloneDX SBOM, the SPDX SBOM does not contain vulnerability information.

Dependency relations

The relationships between components are presented in the relationships array. OpenText Core SCA SPDX SBOMs support the following two types of relationship objects:

  • DESCRIBES, which is used for declaring each file and dependency component in the BOM.

  • DEPENDENCY_OF, which denotes a direct relationship between two components.

In the objects describing the direct dependencies of a file, 'relatedSpdxElement' contains the reference of that file. Relationships between dependencies instead reference the parent dependency. By traversing the relationships array, it is possible to build the entire dependency tree.

In the example below, the direct dependency `webpack-4.28.4` is referenced as a dependency of a file. Component `terser-webpack-plugin-1.2.1` is in turn referenced as a dependency of `webpack-4.28.4` and, lastly, `terser-3.14.1` is a dependency of `terser-webpack-plugin-1.2.1`.

Here is how this would be visualised in the user interface:

    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
            "relationshipType": "DESCRIBES"
        },
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-pkg-npm-terser-3.14.1",
            "relationshipType": "DESCRIBES"
        },
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
            "relationshipType": "DESCRIBES"
        },
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
            "relationshipType": "DESCRIBES"
        },
        {
            "spdxElementId": "SPDXRef-pkg-npm-terser-3.14.1",
            "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
            "relationshipType": "DEPENDENCY_OF"
        },
        {
            "spdxElementId": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
            "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
            "relationshipType": "DEPENDENCY_OF"
        },
        {
            "spdxElementId": "SPDXRef-pkg-npm-webpack-4.28.4",
            "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
            "relationshipType": "DEPENDENCY_OF"
        }
    ],
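Because DEPENDENCY_OF edges point from the dependency (`spdxElementId`) to the component that pulls it in (`relatedSpdxElement`), a consumer has to invert them to get a parent-to-children tree. The Python below is an added example, not OpenText Core SCA code. It builds the seven relationship objects shown above in code (constructed, using the page's element ids), inverts the edges, finds the root file as the described element that is a dependency of nothing, renders the tree, walks from `terser-3.14.1` back up to the file, and flags any ref used in a DEPENDENCY_OF edge that the document never DESCRIBES, a cheap consistency check before trusting the tree.

```python
"""Rebuild the dependency tree from an SPDX ``relationships`` array.

Added example, not vendor code.  SAMPLE_RELATIONSHIPS is constructed and
repeats the seven objects shown on this page; the helper names are this
example's own.
"""
from collections import defaultdict

DOCUMENT = "SPDXRef-DOCUMENT"
FILE_REF = "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe"
WEBPACK = "SPDXRef-pkg-npm-webpack-4.28.4"
PLUGIN = "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1"
TERSER = "SPDXRef-pkg-npm-terser-3.14.1"


def rel(subject, related, kind):
    return {"spdxElementId": subject, "relatedSpdxElement": related, "relationshipType": kind}


SAMPLE_RELATIONSHIPS = [
    rel(DOCUMENT, FILE_REF, "DESCRIBES"),
    rel(DOCUMENT, TERSER, "DESCRIBES"),
    rel(DOCUMENT, PLUGIN, "DESCRIBES"),
    rel(DOCUMENT, WEBPACK, "DESCRIBES"),
    rel(TERSER, PLUGIN, "DEPENDENCY_OF"),     # terser is a dependency of the plugin
    rel(PLUGIN, WEBPACK, "DEPENDENCY_OF"),    # the plugin is a dependency of webpack
    rel(WEBPACK, FILE_REF, "DEPENDENCY_OF"),  # webpack is a direct dependency of the file
]


def described(relationships):
    """Elements the document declares: files and dependency components."""
    return {r["relatedSpdxElement"] for r in relationships
            if r["spdxElementId"] == DOCUMENT and r["relationshipType"] == "DESCRIBES"}


def children_of(relationships):
    """DEPENDENCY_OF reads child -> parent; invert it to parent -> [children]."""
    children = defaultdict(list)
    for r in relationships:
        if r["relationshipType"] == "DEPENDENCY_OF":
            children[r["relatedSpdxElement"]].append(r["spdxElementId"])
    return children


def parents_of(relationships):
    """child -> [parents], the direction the edges are written in."""
    parents = defaultdict(list)
    for r in relationships:
        if r["relationshipType"] == "DEPENDENCY_OF":
            parents[r["spdxElementId"]].append(r["relatedSpdxElement"])
    return parents


def roots(relationships):
    """Declared elements that are a DEPENDENCY_OF nothing: the project files."""
    return sorted(described(relationships) - set(parents_of(relationships)))


def render_tree(relationships):
    """Indented lines, one per element, rooted at each file."""
    children = children_of(relationships)
    lines = []

    def walk(node, depth, seen):
        lines.append("  " * depth + node)
        for child in sorted(children.get(node, [])):
            if child not in seen:  # cycle guard for malformed data
                walk(child, depth + 1, seen | {child})

    for root in roots(relationships):
        walk(root, 0, {root})
    return lines


def chain_to_file(relationships, element):
    """Walk upward from a component to the file that pulls it in; [-2] is the direct dependency."""
    parents = parents_of(relationships)
    chain, seen = [element], {element}
    while parents.get(chain[-1]):
        parent = parents[chain[-1]][0]  # first parent only; shared components may have several
        if parent in seen:
            break
        seen.add(parent)
        chain.append(parent)
    return chain


def undeclared(relationships):
    """Refs used in DEPENDENCY_OF edges that the document never DESCRIBES."""
    used = set()
    for r in relationships:
        if r["relationshipType"] == "DEPENDENCY_OF":
            used.update((r["spdxElementId"], r["relatedSpdxElement"]))
    return used - described(relationships)


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_RELATIONSHIPS)))
    print(" <- ".join(chain_to_file(SAMPLE_RELATIONSHIPS, TERSER)))
    print("undeclared refs:", undeclared(SAMPLE_RELATIONSHIPS) or "none")
```

The same inversion is what lets an SPDX consumer answer the question the CycloneDX recommendation answers directly: which direct dependency (`chain_to_file(...)[-2]`) must move before a transitive component leaves the tree.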