
Application Versions

Manage access to the application and view the SBOMs imported for the application. A separate SBOM is saved for each version of your application.

  • Import new SBOM versions for your application

  • View a summary of risk for each version of your application

  • Selecting a version of your SBOM opens the Bill of Materials view

SBM-application-version-view.png

Importing

Import SBOMs and archives by selecting the Import button. Supported file types include CycloneDX, SPDX, and most non-proprietary binary archive files.

Compliance Stage

The SBOM Manager uses the Compliance stage when importing SBOMs and binary files. This stage is only available for the SBOM Manager solution, as a target stage for Continuous Monitoring.

  1. After selecting Import, select the Choose File button and navigate to the file.

    SBM-application-import-view.png
  2. Valid SBOMs are analyzed and the version ID is extracted from the file. Binaries are evaluated in the next step.

    SBM-application-import-file-selected.png
  3. Select the Finish Import button to start the evaluation.

    SBM-application-import-evaluating.png

    The SBOM takes a few minutes before it appears in the list.

    SBM-application-import-notice.png
  4. Once the analysis has finished, select the version to open the Bill of Materials view.

Validation Errors on Import

Not all SBOMs are created at the same level of quality, and not all fully meet the requirements of their format's specification. When validation errors occur during import, you have the option to proceed with the import at the risk of missing data in the Bill of Materials report.

SBOMs that fail validation show the warning message "Invalid SBOM Detected" at the top of the view, and a warning icon remains to indicate the issue.

sbm-application-validation-error.png
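The following pre-flight check, added here as an illustration and not part of the SBOM Manager product, shows the kind of defects that surface as validation errors on import: it parses a CycloneDX JSON SBOM, confirms the schema version is one the table below lists as supported, pulls out the application version ID (read from metadata.component.version, which is an assumption about where the version lives), and flags components whose missing name or version would leave gaps in the Bill of Materials view. The SBOM content is a constructed sample.

```python
import json

# Schema versions the table above lists as supported for CycloneDX JSON import.
SUPPORTED_CYCLONEDX_JSON = {"1.4", "1.5", "1.6"}


def validate_cyclonedx_json(text):
    """Return (version_id, errors) for a CycloneDX JSON SBOM; version_id is read
    from metadata.component.version (an assumed location, the page only says the
    version ID is extracted from the file)."""
    errors = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc}"]
    if not isinstance(bom, dict):
        return None, ["top-level JSON value must be an object"]

    if bom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be 'CycloneDX'")
    spec = bom.get("specVersion")
    if spec not in SUPPORTED_CYCLONEDX_JSON:
        errors.append(f"specVersion {spec!r} is not a supported JSON schema version")

    component = (bom.get("metadata") or {}).get("component") or {}
    version_id = component.get("version")
    if not component.get("name") or not version_id:
        errors.append("metadata.component must carry the application name and version")

    # Components without a name or version produce gaps in the Bill of Materials
    # view, which is the "missing data" risk described above.
    for idx, comp in enumerate(bom.get("components") or []):
        if not comp.get("name"):
            errors.append(f"components[{idx}] has no name")
        elif not comp.get("version"):
            errors.append(f"components[{idx}] ({comp['name']}) has no version")
    return version_id, errors


# Constructed sample: a minimal CycloneDX 1.5 document with one incomplete entry.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-app", "version": "2.3.0"}},
    "components": [
        {"name": "log4j-core", "version": "2.17.1"},
        {"name": "jackson-databind"},  # version omitted on purpose
    ],
})
```

Running `validate_cyclonedx_json(SAMPLE_BOM)` returns the version ID `2.3.0` together with one warning for the component that has no version; a document whose specVersion is outside the supported set is reported before any component is inspected.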

Supported Files for Importing

This table lists the supported files for importing. While individual project files are supported, we recommend packaging the application in an archive file such as a zip or tar.gz.

Format           Schema Versions

CycloneDX        1.1, 1.2, 1.3, 1.4, 1.5, 1.6 (XML); 1.4, 1.5, 1.6 (JSON)

SPDX             2.3 (XML, JSON)

Archive files    .ear, .war, .jar, .zip, .tar.gz, etc. Review the full list of supported formats in the Analysis documentation.

Converting between SPDX and CycloneDX formats

The SPDX and CycloneDX formats are the most popular software bill of materials options. These standards were developed for different use cases, and the information each one carries does not completely align with the other. Converting between SPDX and CycloneDX formats may therefore result in the loss of data.

Review our blog post to learn more about comparing and converting between SBOM formats, and the CycloneDX documentation for a high-level overview of the information lost during conversion.