Skip to main content

Importing SBOMs

Import SBOMs and archives by selecting the Import button from the Applications View.

Supported file types include CycloneDX, SPDX, and most non-proprietary binary archive files.

SBOMs cannot use UTF-16; convert them to UTF-8 before importing.

Compliance Stage

The SBOM Manager uses the Compliance stage when importing SBOMs and Binary files. This stage is only available for the SBOM Manager solution as a target stage for Continuous Monitoring.

  1. After selecting Import, select the Choose File button and navigate to the file

    SBM-application-import-view.png

  2. Valid SBOMs are analyzed and the version ID is extracted from the file. Binaries are evaluated in the next step

    SBM-application-import-file-selected.png

  3. Select the Finish Import button to start the evaluation.

    SBM-application-import-evaluating.png

    The SBOM will take a few minutes before showing up on the display.

    SBM-application-import-notice.png

  4. Once the analysis has finished, select the version to open the bill of material view

Validation Errors on Import

Not all SBOMs are created at the same level of quality or fully meet the format's specification requirements. When validation errors occur during import the user has the option to proceed with the import at the risk of missing data in the Bill of Materials report.

Software Bill of Materials that failed validation have the warning message "Invalid SBOM Detected" at the top of the view and a warning icon remains to indicate the issue.

sbm-application-validation-error.png

Similar Matching for SBOMs

When scanning binary files, Sonatype can determine when an open-source component has been modified from the versions found in open-source repositories. These components are labeled with the property sonatype:match_state as a similar match.

See the topic Component Identification: Match States to learn more.

Screenshot_2024-12-09_at_2_39_37_PM.png

Binary File Names

When analyzing binary files, the name of the original binary files is stored with the component data and included in the user interface, the exported SBOM, and the PDF report. When storing the value in the SBOM the file name is included as the custom property sonatype:original_file.

Screenshot_2024-12-09_at_2_45_19_PM.png

Supported Files for Importing

This table lists the supported files for importing. While individual project files are supported we recommend including the application in an archive file such as a zip or tar.gz.

Format

Schema Versions

CycloneDX

1.1, 1.2, 1.3, 1.4, 1.5, 1.6 (XML)

1.4, 1.5, 1.6 (JSON)

SPDX

2.3 (XML, JSON)

Archive files

.ear, .war, .jar, .zip, .tar.gz, etc

review the full list of supported formats in the Analysis documentation.

Converting between SPDX and CycloneDX formats

The SPDX and CyconeDX formats are the most popular software bill of materials options. These standards are developed for different use cases and may not completely align with the information found within. Converting between SPDX and CycloneDX formats may result in the loss of data.

Review our blog post to learn more about comparing and converting between SBOM formats and the CycloneDX documentation on the high-level overview of the information lost during conversion.

Merge Multiple SBOMs

When storing multiple SBOMS for a single application, say from various microservices, you may combine them into a single SBOM for the whole release.

This is accomplished with the following workflow:

  1. Follow the naming convention for including SBOMs in an archive. CycloneDX, SPDX

  2. Combine the SBOMs into an archive file such as a zip or tar.gz

  3. Import the archive as a binary analysis

The archive may include a mix of SBOMs as well as the application binaries to generate a single SBOM.