
Importing SBOMs

Import SBOMs and archives by selecting the Import button from the Applications View.

Supported file types include CycloneDX, SPDX, and most non-proprietary binary archive files.

UTF-16 encoded SBOMs are not accepted; convert them to UTF-8 before importing.

Compliance Stage

The SBOM Manager uses the Compliance stage when importing SBOMs and binary files. This stage is available only for the SBOM Manager solution, and only as a target stage for Continuous Monitoring.

  1. After selecting Import, select the Choose File button and navigate to the file.

  2. Valid SBOMs are analyzed and the version ID is extracted from the file. Binaries are evaluated in the next step.

  3. Select the Finish Import button to start the evaluation.

    The SBOM takes a few minutes to appear in the Applications view.

  4. Once the analysis has finished, select the version to open the bill of materials view.

Validation Errors on Import

Not all SBOMs are produced to the same level of quality, and some do not fully meet their format's specification. When validation errors occur during import, you can proceed with the import at the risk of missing data in the Bill of Materials report.

SBOMs that fail validation show the warning message "Invalid SBOM Detected" at the top of the view, and a warning icon remains to indicate the issue.

Skip Validation

When importing an invalid SBOM, you can import it as is by checking the option "Skip validation and import anyway". This method imports only the components section of the SBOM.

  • No Support for VEX Annotations

    Because only the components section of the SBOM is imported, the resulting report may not carry VEX annotations.

  • Only Export Original SBOM when Invalid

    When importing invalid SBOMs, you can only export the original SBOM. Most other actions are disabled.

  • Validation Error Details

    Use the validation error details to make the original SBOM valid for importing and managing in SBOM Manager.

Similar Matching for SBOMs

When scanning binary files, Sonatype can determine when an open-source component has been modified from the versions published in open-source repositories. These components are labeled with the property sonatype:match_state as a similar match.

See the topic Component Identification: Match States to learn more.


Binary File Names

When analyzing binary files, the name of the original binary file is stored with the component data and shown in the user interface, the exported SBOM, and the PDF report. In the exported SBOM the file name is included as the custom property sonatype:original_file.
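The two custom properties above land in the standard CycloneDX properties list of each component, so they can be pulled out of an exported SBOM without any Sonatype tooling. The following is an added example, not Sonatype's code, that reads an exported CycloneDX JSON BOM and lists the similar matches together with the recorded original file name, walking nested components as well. The property names come from this page; the value string "similar" is an assumption (check it against your own export), and the BOM is a constructed sample. A similar match means the shipped binary differs from the published artifact, so it is worth confirming where that modified build came from.

```python
import json

MATCH_STATE = "sonatype:match_state"      # property name from the page
ORIGINAL_FILE = "sonatype:original_file"  # property name from the page
SIMILAR = "similar"  # ASSUMED value for a similar match; confirm against your own export


def properties(component: dict) -> dict:
    """CycloneDX stores properties as a list of {name, value}; flatten to a dict (last wins)."""
    return {p.get("name"): p.get("value") for p in component.get("properties", [])}


def walk(components):
    """Yield every component, including nested ones (CycloneDX allows components inside components)."""
    for c in components:
        yield c
        yield from walk(c.get("components", []))


def match_state_counts(bom: dict) -> dict:
    """Count components per match state; 'unlabeled' covers components with no such property."""
    counts = {}
    for c in walk(bom.get("components", [])):
        state = properties(c).get(MATCH_STATE, "unlabeled")
        counts[state] = counts.get(state, 0) + 1
    return counts


def similar_matches(bom: dict) -> list:
    """List components whose binary differs from the published open-source artifact,
    with the original file name the binary scan recorded (None if absent)."""
    hits = []
    for c in walk(bom.get("components", [])):
        p = properties(c)
        if str(p.get(MATCH_STATE, "")).lower() == SIMILAR:
            hits.append({"component": c.get("purl") or c.get("name"),
                         "version": c.get("version"),
                         "original_file": p.get(ORIGINAL_FILE)})
    return hits


# Constructed sample shaped like an exported CycloneDX 1.5 JSON BOM (not a real export).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "commons-io", "version": "2.11.0",
         "purl": "pkg:maven/commons-io/commons-io@2.11.0",
         "properties": [{"name": MATCH_STATE, "value": "exact"},
                        {"name": ORIGINAL_FILE, "value": "commons-io-2.11.0.jar"}]},
        {"type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "properties": [{"name": MATCH_STATE, "value": "similar"},
                        {"name": ORIGINAL_FILE, "value": "commons-lang3-3.12.0-repack.jar"}],
         "components": [
             {"type": "library", "name": "inner-shaded-lib", "version": "0.9",
              "properties": [{"name": MATCH_STATE, "value": "similar"}]}]},
        {"type": "library", "name": "no-props-lib", "version": "1.0"},
    ],
}

if __name__ == "__main__":
    report = {"counts": match_state_counts(SAMPLE_BOM), "similar": similar_matches(SAMPLE_BOM)}
    print(json.dumps(report, indent=2))
```

To use it on a real export, replace SAMPLE_BOM with json.load() of the downloaded file; the similar_matches list is the set of components whose vulnerability data should be read as approximate until the modification is understood.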

Supported Files for Importing

This table lists the supported files for importing. While individual project files are supported, we recommend packaging the application in an archive file such as a zip or tar.gz.

Format         Schema Versions

CycloneDX      1.1, 1.2, 1.3, 1.4, 1.5, 1.6 (XML)
               1.4, 1.5, 1.6 (JSON)

SPDX           2.3 (XML, JSON)

Archive files  .ear, .war, .jar, .zip, .tar.gz, etc.

Review the full list of supported formats in the Analysis documentation.
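The encoding rule, the validation behaviour and the version table above can all be checked before you upload anything. The following added example (not Sonatype's code, and not the validator SBOM Manager runs) performs that pre-flight: it transcodes UTF-16 input to UTF-8, detects CycloneDX or SPDX in JSON or XML, compares the schema version with the table on this page, flags components that lack a name or any version/purl, and counts the CycloneDX vulnerabilities entries that a "Skip validation and import anyway" import would drop because only the components section is kept. SPDX XML is not handled, and both sample documents are constructed (the vulnerability id is a placeholder).

```python
import json
import re
import xml.etree.ElementTree as ET

# Supported schema versions, taken from the table on this page.
SUPPORTED = {
    ("CycloneDX", "json"): {"1.4", "1.5", "1.6"},
    ("CycloneDX", "xml"): {"1.1", "1.2", "1.3", "1.4", "1.5", "1.6"},
    ("SPDX", "json"): {"2.3"},
}


def to_utf8(raw: bytes) -> bytes:
    """Return the document as UTF-8 bytes, transcoding UTF-16 with or without a BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16").encode("utf-8")     # BOM tells the codec the byte order
    # UTF-16 without a BOM: the first character of JSON/XML is ASCII, so one of
    # its two bytes is NUL and reveals the byte order.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le").encode("utf-8")
    if len(raw) >= 2 and raw[0:1] == b"\x00":
        return raw.decode("utf-16-be").encode("utf-8")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]            # drop a UTF-8 BOM; json.loads rejects it
    raw.decode("utf-8")          # raises UnicodeDecodeError if the bytes are not UTF-8
    return raw


def detect(utf8: bytes):
    """Identify format and serialization; return (format, kind, spec version, parsed doc)."""
    body = utf8.lstrip()
    if body.startswith(b"{"):
        doc = json.loads(body)
        if doc.get("bomFormat") == "CycloneDX":
            return "CycloneDX", "json", str(doc.get("specVersion", "")), doc
        if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
            return "SPDX", "json", doc["spdxVersion"][len("SPDX-"):], doc
        raise ValueError("JSON is neither a CycloneDX BOM nor an SPDX document")
    if body.startswith(b"<"):
        root = ET.fromstring(body)
        m = re.fullmatch(r"\{http://cyclonedx\.org/schema/bom/([0-9.]+)\}bom", root.tag)
        if m:
            return "CycloneDX", "xml", m.group(1), root
        raise ValueError("XML root is not a CycloneDX <bom> (SPDX XML not handled here)")
    raise ValueError("document is neither JSON nor XML")


def components(fmt: str, kind: str, doc) -> list:
    """Flatten the top-level components section to (name, version, purl) tuples."""
    out = []
    if (fmt, kind) == ("CycloneDX", "json"):
        for c in doc.get("components", []):
            out.append((c.get("name"), c.get("version"), c.get("purl")))
    elif (fmt, kind) == ("CycloneDX", "xml"):
        ns = {"b": doc.tag[1:doc.tag.index("}")]}
        for c in doc.iterfind(".//b:components/b:component", ns):
            out.append((c.findtext("b:name", None, ns), c.findtext("b:version", None, ns),
                        c.findtext("b:purl", None, ns)))
    else:  # SPDX: packages play the role of components
        for p in doc.get("packages", []):
            out.append((p.get("name"), p.get("versionInfo"), None))
    return out


def preflight(raw: bytes) -> dict:
    """Run the checks an import would trip over and say what a skip-validation import would lose."""
    fmt, kind, version, doc = detect(to_utf8(raw))
    report = {"format": fmt, "kind": kind, "specVersion": version,
              "supported": version in SUPPORTED.get((fmt, kind), set()), "issues": []}
    comps = components(fmt, kind, doc)
    report["components"] = len(comps)
    for i, (name, ver, purl) in enumerate(comps):
        if not name:
            report["issues"].append(f"component {i}: missing name")
        elif not (ver or purl):
            report["issues"].append(f"component {i} ({name}): no version or purl, cannot be matched")
    # Skip-validation keeps only the components section, so CycloneDX VEX data in
    # the 'vulnerabilities' array is exactly what gets lost.
    vex = len(doc.get("vulnerabilities", [])) if (fmt, kind) == ("CycloneDX", "json") else 0
    report["vex_lost_if_skipped"] = vex
    return report


# Constructed sample: CycloneDX 1.5 JSON saved as UTF-16 with a BOM, one component
# without a version, and one VEX entry with a placeholder id.
SAMPLE_UTF16 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "vendored-lib"},
    ],
    "vulnerabilities": [{"id": "EXAMPLE-0001", "analysis": {"state": "not_affected"}}],
}).encode("utf-16")

# Constructed sample: CycloneDX 1.2 XML, a version supported for XML but not for JSON.
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1"><components>'
              b'<component type="library"><name>zlib</name><version>1.2.11</version></component>'
              b'</components></bom>')

if __name__ == "__main__":
    for sample in (SAMPLE_UTF16, SAMPLE_XML):
        print(json.dumps(preflight(sample), indent=2))
```

Run preflight over the bytes of the file you are about to upload; a non-empty issues list or a vex_lost_if_skipped count above zero is the signal to fix the source SBOM rather than reach for the skip-validation checkbox.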

Converting between SPDX and CycloneDX formats

SPDX and CycloneDX are the two most widely used software bill of materials formats. They were developed for different use cases and the information each carries does not fully align, so converting between SPDX and CycloneDX can lose data.

Review our blog post on comparing and converting between SBOM formats, and the CycloneDX documentation for a high-level overview of the information lost during conversion.

Support for Container Analysis

Import SBOMs for your containers using the Sonatype Container Security support in SBOM Manager. These scans use the Sonatype CLI and the container client to download images and analyze them for vulnerabilities.

This feature has the following requirements:

  • The "compliance" stage must be used for SBOM Manager.

  • Sonatype CLI scans are limited to scan targets with the "container:" prefix.

  • The Jenkins plugin is not supported.

Example Analysis

java -jar nexus-iq-cli.jar -a username:password -i app -s http://localhost:8070 -t compliance container:nginx:1.27.2

The -a argument carries the credentials used to authenticate to the IQ Server. They appear in shell history and process listings, so prefer a user token over your account password. Learn more in the Sonatype Container Security documentation.

Merge Multiple SBOMs

When storing multiple SBOMs for a single application, say one per microservice, you can combine them into a single SBOM for the whole release.

This is accomplished with the following workflow:

  1. Follow the naming convention for including SBOMs in an archive (CycloneDX, SPDX).

  2. Combine the SBOMs into an archive file such as a zip or tar.gz.

  3. Import the archive as a binary analysis.

The archive may include a mix of SBOMs and application binaries; the import produces a single SBOM for the release.
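The packaging step above is the one place where an encoding or syntax problem in a single microservice's SBOM can spoil the import of the whole release, so it is worth checking each member as the archive is built. The following is an added example, not Sonatype's code: it lints every SBOM entry (must be UTF-8 and must parse as JSON or XML), passes binaries through untouched, and writes a tar.gz in memory. Which entries count as SBOMs is decided by file suffix here, an assumption; the member names are kept as given, so apply the CycloneDX/SPDX naming convention linked from this page when you choose them. The sample entries, including the placeholder jar, are constructed.

```python
import io
import json
import tarfile
import xml.etree.ElementTree as ET

SBOM_SUFFIXES = (".json", ".xml")  # ASSUMPTION: entries with these suffixes are SBOMs and get checked


def lint_entries(entries: dict) -> list:
    """Return the problems that would surface on import: non-UTF-8 SBOMs or JSON/XML that
    does not parse. Binaries (anything without an SBOM suffix) are passed through."""
    problems = []
    for name, data in entries.items():
        if not name.endswith(SBOM_SUFFIXES):
            continue
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            problems.append(f"{name}: not UTF-8; convert to UTF-8 (UTF-16 is rejected on import)")
            continue
        try:
            if name.endswith(".json"):
                json.loads(data)
            else:
                ET.fromstring(data)
        except (ValueError, ET.ParseError) as exc:   # JSONDecodeError is a ValueError
            problems.append(f"{name}: does not parse ({exc})")
    return problems


def build_archive(entries: dict) -> bytes:
    """Pack {member name: bytes} into a tar.gz held in memory, refusing entries that fail the lint."""
    problems = lint_entries(entries)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(entries):               # deterministic member order
            info = tarfile.TarInfo(name=name)
            info.size = len(entries[name])
            tar.addfile(info, io.BytesIO(entries[name]))
    return buf.getvalue()


def members(archive: bytes) -> list:
    """Member names of a tar.gz, to confirm what was packed before uploading."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


# Constructed sample: two per-service SBOMs plus a placeholder binary (not a real jar).
SAMPLE_ENTRIES = {
    "service-a.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"type": "library", "name": "lib-a", "version": "1.0"}],
    }).encode("utf-8"),
    "service-b.cdx.xml": (b'<?xml version="1.0" encoding="UTF-8"?>'
                          b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'
                          b'<components/></bom>'),
    "gateway.jar": b"PK\x03\x04 constructed placeholder, not a real jar",
}

if __name__ == "__main__":
    archive = build_archive(SAMPLE_ENTRIES)
    print(f"{len(archive)} bytes, members: {members(archive)}")
```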