Skip to main content

SPDX Application Analysis

Sonatype Lifecycle can analyze SBOMs generated in the SPDX v2.3 format.

Identification Source

The SPDX format can be used as an Identification Source in the Application Composition Report. Lifecycle scanners automatically incorporate discovered SPDX SBOMs in the following patterns.

The SPDX integration provides native component identification for many languages and formats. You may also upload SBOMs directly using the Third-Party Scan REST API.

Note

When no source is provided through the API or using the above filename prefix, "Third Party" is used as the Identification Source in the Application Composition Report.

Component Identifiers, Package URL, and SHA-1 Hash

For packages declared in an SPDX file, Lifecycle scanners use the following priority when identifying components. An example of each is included below.

  1. Package URL (purl)

  2. SHA-1 Hashes

  3. Component Identifiers (i.e. name, version)

Note

Note: In the unlikely case of the same component being found more than once in the SBOM, only the data of the first component will be processed/shown.

Dependency Relationships

The SPDX 2.3 format includes a Relationships section that can be used to specify package dependency information. Lifecycle scanners include this information in the scan report and for the application dependency tree.

Application Reports

In addition to using SPDX application analysis, you can export application composition reports from Lifecycle to SPDX SBOM in the following ways:

Sample SPDX SBOM for Analysis in XML format

Sample XML file (version 2.3) Expand source

<?xml version='1.0' encoding='UTF-8'?>
<Document>
    <SPDXID>SPDXRef-DOCUMENT</SPDXID>
    <spdxVersion>SPDX-2.3</spdxVersion>
    <creationInfo>
        <created>2023-08-21T16:49:07Z</created>
        <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
    </creationInfo>
    <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
    <dataLicense>CC0-1.0</dataLicense>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-No-Sources</licenseId>
        <extractedText>No-Sources</extractedText>
    </hasExtractedLicensingInfos>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-Not-Declared</licenseId>
        <extractedText>Not-Declared</extractedText>
    </hasExtractedLicensingInfos>
    <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-api</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
        <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-core</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-databind</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-core</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-annotations</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
        <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
        <name>com.sonatype.testing:test-app</name>
        <versionInfo>1.0.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>NOASSERTION</licenseDeclared>
        <name>sonatype:iq_application_Test App 01</name>
        <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
    </packages>
    <relationships>
        <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
        <relationshipType>DESCRIBES</relationshipType>
        <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
    </relationships>
</Document>

Sample SPDX SBOM for Analysis in JSON format

Sample JSON file (version 2.3) Expand source

{
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
        "created": "2023-08-21T16:46:39Z",
        "creators": [
            "Tool: Sonatype IQ Server - 1.166.0"
        ]
    },
    "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
    "dataLicense": "CC0-1.0",
    "hasExtractedLicensingInfos": [
        {
            "licenseId": "LicenseRef-No-Sources",
            "extractedText": "No-Sources"
        },
        {
            "licenseId": "LicenseRef-Not-Declared",
            "extractedText": "Not-Declared"
        }
    ],
    "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
    "packages": [
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-api",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: SONATYPE",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(Apache-2.0 AND MIT)",
            "licenseDeclared": "(Apache-2.0 AND MIT)",
            "name": "com.fasterxml.jackson.core:jackson-core",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-databind",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
                    "referenceType": "advisory"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
                    "referenceType": "advisory"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-core",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-annotations",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "name": "com.sonatype.testing:test-app",
            "versionInfo": "1.0.0"
        },
        {
            "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "name": "sonatype:iq_application_Test App 01",
            "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
        }
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0"
        }
    ]
}

Analysis using the Jenkins plugin

By default, the Jenkins plugin will not evaluate SPDX files. A custom Scan Target will be required to analyze the SPDX SBOM.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/*.spdx.xml'], [scanPattern: '**/*.spdx.json']], iqStage: 'build'

To find more information on how to configure Jenkins, refer to Sonatype Platform Plugin for Jenkins.

Analysis using the Bamboo plugin

Scan Targets in Bamboo control what files are analyzed. To evaluate SPDX SBOM, add spdx.xml or spdx.json to the scan targets via a comma-separated list e.g.

Example Bamboo Scan Patterns

**/*.spdx.xml,**/*.spdx.json

To find more information on how to configure Bamboo, refer to Sonatype for Bamboo.