SPDX Application Analysis
Sonatype Lifecycle can analyze SBOMs generated in the SPDX v2.3 format.
Identification Source
The SPDX format can be used as an Identification Source in the Application Composition Report. Lifecycle scanners automatically incorporate discovered SPDX SBOMs whose file names match the following patterns:
spdx.xml
spdx.json
The SPDX integration provides native component identification for many languages and formats. You may also upload SBOMs directly using the Third-Party Scan REST API.
When no source is provided through the API, and the file does not match one of the file name patterns above, "Third Party" is used as the Identification Source in the Application Composition Report.
Component Identifiers, Package URL, and SHA-1 Hash
For packages declared in an SPDX file, Lifecycle scanners use the following priority (highest first) when identifying components. An example of each is included in the sample SBOMs below.
1. Package URL (purl)
2. SHA-1 hash
3. Component identifiers (i.e. name and version)
Note: In the unlikely case that the same component appears more than once in the SBOM, only the first occurrence is processed and shown; later duplicates are ignored.
Dependency Relationships
The SPDX 2.3 format includes a Relationships section that can be used to specify package dependency information (for example, DEPENDS_ON between two package SPDXIDs). Lifecycle scanners include this information in the scan report and use it to build the application dependency tree.
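The identification priority and the DEPENDS_ON handling described above, as an added example in Python that is not Sonatype's code: it resolves each package to a purl, a SHA-1 checksum or name/version coordinates in that order, keeps only the first occurrence of a duplicate identity, and walks DEPENDS_ON relationships starting from the package the document DESCRIBES. The SBOM embedded in the script is constructed for this example (including a placeholder SHA-1 value); it mirrors the shape of the samples on this page but is not one of them.

```python
"""Added example (not Sonatype's code): apply the identification priority
purl > SHA-1 > name/version to an SPDX 2.3 JSON document, drop duplicate
components (first occurrence wins) and build a DEPENDS_ON tree."""
import json
from collections import defaultdict

# Constructed sample document; the SHA-1 below is a placeholder, not a real checksum.
SAMPLE_SPDX = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-log4j-core", "name": "org.apache.logging.log4j:log4j-core",
         "versionInfo": "2.16.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar"}]},
        {"SPDXID": "SPDXRef-log4j-api", "name": "org.apache.logging.log4j:log4j-api",
         "versionInfo": "2.16.0",
         "checksums": [{"algorithm": "SHA1",
                        "checksumValue": "0000000000000000000000000000000000000000"}]},
        # Same purl as SPDXRef-log4j-core: the page says only the first occurrence is used.
        {"SPDXID": "SPDXRef-log4j-core-dup", "name": "org.apache.logging.log4j:log4j-core",
         "versionInfo": "2.16.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j-core"},
        {"spdxElementId": "SPDXRef-log4j-core", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-log4j-api"},
    ],
})


def identify(pkg):
    """Return (kind, value) for a package: purl first, then SHA-1, then name@version."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceCategory") == "PACKAGE-MANAGER" and ref.get("referenceType") == "purl":
            return ("purl", ref["referenceLocator"])
    for chk in pkg.get("checksums", []):
        if chk.get("algorithm") == "SHA1":
            return ("sha1", chk["checksumValue"].lower())
    return ("coordinates", f"{pkg.get('name')}@{pkg.get('versionInfo', '')}")


def load_components(doc):
    """Map identity -> package, keeping the first of any duplicates; return skipped SPDXIDs too."""
    components, skipped = {}, []
    for pkg in doc.get("packages", []):
        key = identify(pkg)
        if key in components:
            skipped.append(pkg["SPDXID"])
            continue
        components[key] = pkg
    return components, skipped


def dependency_tree(doc):
    """Collect DEPENDS_ON edges and the root package(s) the document DESCRIBES."""
    edges, roots = defaultdict(list), []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            edges[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
        elif rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == "SPDXRef-DOCUMENT":
            roots.append(rel["relatedSpdxElement"])
    return dict(edges), roots


def render_tree(edges, node, depth=0, seen=None):
    """Flatten the tree into (depth, spdxid) rows; each node is expanded once, so cycles terminate."""
    seen = seen if seen is not None else set()
    rows = [(depth, node)]
    if node in seen:
        return rows
    seen.add(node)
    for child in edges.get(node, []):
        rows.extend(render_tree(edges, child, depth + 1, seen))
    return rows


def analyze(text):
    doc = json.loads(text)
    components, skipped = load_components(doc)
    edges, roots = dependency_tree(doc)
    rows = [row for root in roots for row in render_tree(edges, root)]
    return {"identities": sorted(components), "skipped": skipped, "tree": rows}


if __name__ == "__main__":
    result = analyze(SAMPLE_SPDX)
    for kind, value in result["identities"]:
        print(f"{kind:11} {value}")
    print("duplicates skipped:", result["skipped"])
    for depth, node in result["tree"]:
        print("  " * depth + node)
```

Running the script prints one identity per component (the duplicate log4j-core entry is reported as skipped) and an indented tree rooted at the DESCRIBES target. The purl check deliberately requires both the PACKAGE-MANAGER category and the purl reference type, so SECURITY advisory references like those in the page's samples are never mistaken for an identifier.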
Application Reports
In addition to using SPDX application analysis, you can export application composition reports from Lifecycle as SPDX SBOMs in the following ways:
The Options dropdown in the Scan Report
The SPDX REST API
Sample SPDX SBOM for Analysis in XML format
Sample XML file (version 2.3)
<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2023-08-21T16:49:07Z</created>
    <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
  </creationInfo>
  <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
  <dataLicense>CC0-1.0</dataLicense>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-No-Sources</licenseId>
    <extractedText>No-Sources</extractedText>
  </hasExtractedLicensingInfos>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-Not-Declared</licenseId>
    <extractedText>Not-Declared</extractedText>
  </hasExtractedLicensingInfos>
  <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-api</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: SONATYPE</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
    <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-core</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-databind</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-core</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-annotations</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
    <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
    <name>com.sonatype.testing:test-app</name>
    <versionInfo>1.0.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>NOASSERTION</licenseConcluded>
    <licenseDeclared>NOASSERTION</licenseDeclared>
    <name>sonatype:iq_application_Test App 01</name>
    <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
  </packages>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
  </relationships>
</Document>
Sample SPDX SBOM for Analysis in JSON format
Sample JSON file (version 2.3)
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-08-21T16:46:39Z",
    "creators": [ "Tool: Sonatype IQ Server - 1.166.0" ]
  },
  "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
  "dataLicense": "CC0-1.0",
  "hasExtractedLicensingInfos": [
    { "licenseId": "LicenseRef-No-Sources", "extractedText": "No-Sources" },
    { "licenseId": "LicenseRef-Not-Declared", "extractedText": "Not-Declared" }
  ],
  "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
  "packages": [
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-api",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar", "referenceType": "purl" },
        { "comment": "source: SONATYPE", "referenceCategory": "SECURITY", "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(Apache-2.0 AND MIT)",
      "licenseDeclared": "(Apache-2.0 AND MIT)",
      "name": "com.fasterxml.jackson.core:jackson-core",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-databind",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105", "referenceType": "advisory" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832", "referenceType": "advisory" },
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar", "referenceType": "purl" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-core",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-annotations",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "name": "com.sonatype.testing:test-app",
      "versionInfo": "1.0.0"
    },
    {
      "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "name": "sonatype:iq_application_Test App 01",
      "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
    }
  ],
  "relationships": [
    { "spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0" },
    { "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0" },
    { "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0" }
  ]
}
Analysis using the Jenkins plugin
By default, the Jenkins plugin does not evaluate SPDX files; a custom scan target is required to analyze an SPDX SBOM.
Example Pipeline Script with Scan Patterns
nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/*.spdx.xml'], [scanPattern: '**/*.spdx.json']], iqStage: 'build'
To find more information on how to configure Jenkins, refer to Sonatype Platform Plugin for Jenkins.
Analysis using the Bamboo plugin
Scan targets in Bamboo control which files are analyzed. To evaluate SPDX SBOMs, add the spdx.xml and spdx.json patterns to the scan targets as a comma-separated list, e.g.
Example Bamboo Scan Patterns
**/*.spdx.xml,**/*.spdx.json
To find more information on how to configure Bamboo, refer to Sonatype for Bamboo.