SPDX Application Analysis
Sonatype Lifecycle can analyze SBOMs generated in the SPDX v2.3 format.
Analyzing an SBOM
Any Sonatype scanner, and most of the integrations, will analyze SBOMs found in the root context of the application scan target, provided the files use the naming format listed in the Identification Source section below.
SBOMs may be targeted directly using the command line scanner (CLI), by uploading to the user interface, or by scripting using the Third-Party Scan REST API.
Any application scan may be exported as an SBOM in the CycloneDX and SPDX formats. Learn about more SBOM use cases from our SBOM guide.
Identification Source
The SPDX format can be used as an Identification Source in the Application Composition Report. Lifecycle scanners automatically incorporate discovered SPDX SBOMs whose file names match the following patterns:
spdx.xml
spdx.json
When no source is provided through the API and the file name does not match one of the patterns above, "Third Party" is used as the Identification Source in the Application Composition Report.
Component Identifiers, Package URL, and SHA-1 Hash
For packages declared in an SPDX file, scanners use the following priority when identifying components. An example of each is included in the sample files below.
1. Package-URL (PURL)
2. SHA-1 hashes
3. Component identifiers (i.e. name and version)
Note: In the unlikely case of the same component appearing more than once in the SBOM, only the data of the first occurrence is processed and shown.
Dependency Relationships
The SPDX 2.3 format includes a Relationships section that can be used to specify package dependency information. Scanners include this information in the scan report and use it to build the application dependency tree.
Application Reports
In addition to using SPDX application analysis, you can export application composition reports from Lifecycle as an SPDX SBOM in the following ways:
The Options dropdown in the Scan Report
The SPDX REST API
Sample XML file (version 2.3)
<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2023-08-21T16:49:07Z</created>
    <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
  </creationInfo>
  <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
  <dataLicense>CC0-1.0</dataLicense>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-No-Sources</licenseId>
    <extractedText>No-Sources</extractedText>
  </hasExtractedLicensingInfos>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-Not-Declared</licenseId>
    <extractedText>Not-Declared</extractedText>
  </hasExtractedLicensingInfos>
  <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-api</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: SONATYPE</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
    <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-core</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-databind</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-core</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-annotations</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
    <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
    <name>com.sonatype.testing:test-app</name>
    <versionInfo>1.0.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>NOASSERTION</licenseConcluded>
    <licenseDeclared>NOASSERTION</licenseDeclared>
    <name>sonatype:iq_application_Test App 01</name>
    <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
  </packages>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
  </relationships>
</Document>
Sample JSON file (version 2.3)
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-08-21T16:46:39Z",
    "creators": [
      "Tool: Sonatype IQ Server - 1.166.0"
    ]
  },
  "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
  "dataLicense": "CC0-1.0",
  "hasExtractedLicensingInfos": [
    {
      "licenseId": "LicenseRef-No-Sources",
      "extractedText": "No-Sources"
    },
    {
      "licenseId": "LicenseRef-Not-Declared",
      "extractedText": "Not-Declared"
    }
  ],
  "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
  "packages": [
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-api",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar",
          "referenceType": "purl"
        },
        {
          "comment": "source: SONATYPE",
          "referenceCategory": "SECURITY",
          "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438",
          "referenceType": "advisory"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(Apache-2.0 AND MIT)",
      "licenseDeclared": "(Apache-2.0 AND MIT)",
      "name": "com.fasterxml.jackson.core:jackson-core",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-databind",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "comment": "source: NVD",
          "referenceCategory": "SECURITY",
          "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
          "referenceType": "advisory"
        },
        {
          "comment": "source: NVD",
          "referenceCategory": "SECURITY",
          "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
          "referenceType": "advisory"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar",
          "referenceType": "purl"
        },
        {
          "comment": "source: NVD",
          "referenceCategory": "SECURITY",
          "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
          "referenceType": "advisory"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-core",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-annotations",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "name": "com.sonatype.testing:test-app",
      "versionInfo": "1.0.0"
    },
    {
      "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "name": "sonatype:iq_application_Test App 01",
      "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b"
    },
    {
      "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0"
    },
    {
      "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
    },
    {
      "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
    },
    {
      "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
    },
    {
      "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0"
    }
  ]
}
Analysis using the Jenkins plugin
By default, the Jenkins plugin does not evaluate SPDX files. A custom Scan Target is required to analyze an SPDX SBOM.
Example Pipeline Script with Scan Patterns
nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/*.spdx.xml'], [scanPattern: '**/*.spdx.json']], iqStage: 'build'
Analysis using the Bamboo plugin
Scan Targets in Bamboo control which files are analyzed. To evaluate an SPDX SBOM, add spdx.xml or spdx.json patterns to the scan targets as a comma-separated list, e.g.
Example Bamboo Scan Patterns
**/*.spdx.xml,**/*.spdx.json