Application Versions
Manage access to the application and view the SBOMs imported for the application. A separate SBOM is saved for each version of your application.
Import new SBOM versions for your application
View a summary of risk for each version of your application
Selecting a version of your SBOM opens the Bill of Material view
Importing
Import SBOMs and archives by selecting the Import button. Supported file types include CycloneDX, SPDX, and most non-proprietary binary archive files.
Compliance Stage
The SBOM Manager uses the Compliance
stage when importing SBOMs and Binary files. This stage is only available for the SBOM Manager solution as a target stage for Continuous Monitoring.
After selecting Import, select the Choose File button and navigate to the file
Valid SBOMs are analyzed and the version ID is extracted from the file. Binaries are evaluated in the next step
Select the Finish Import button to start the evaluation.
The SBOM will take a few minutes before showing up on the display.
Once the analysis has finished, select the version to open the bill of material view
Validation Errors on Import
Not all SBOMs are created at the same level of quality or fully meet the format's specification requirements. When validation errors occur during import the user has the option to proceed with the import at the risk of missing data in the Bill of Materials report.
Software Bill of Materials that failed validation have the warning message "Invalid SBOM Detected
" at the top of the view and a warning icon remains to indicate the issue.
Supported Files for Importing
This table lists the supported files for importing. While individual project files are supported we recommend including the application in an archive file such as a zip or tar.gz.
Format | Schema Versions |
---|---|
CycloneDX | 1.1, 1.2, 1.3, 1.4, 1.5, 1.6 (XML) 1.4, 1.5, 1.6 (JSON) |
SPDX | 2.3 (XML, JSON) |
Archive files | .ear, .war, .jar, .zip, .tar.gz, etc review the full list of supported formats in the Analysis documentation. |
Converting between SPDX and CycloneDX formats
The SPDX and CyconeDX formats are the most popular software bill of materials options. These standards are developed for different use cases and may not completely align with the information found within. Converting between SPDX and CycloneDX formats may result in the loss of data.
Review our blog post to learn more about comparing and converting between SBOM formats and the CycloneDX documentation on the high-level overview of the information lost during conversion.