CycloneDX Application Analysis

Nexus Lifecycle analysis has expanded support for the CycloneDX v1.4 standard, an industry-standard software bill of materials (SBOM) format. An SBOM is a list of every package and library included in your application, the digital equivalent of a manufacturing bill of materials. Just as a bill of materials includes all sub-assemblies, the SBOM also includes transitive dependencies, that is, the dependencies of your components. An SBOM makes it easy to see whether a risky package is included in an application, even when it arrived indirectly through another component.

Identification Source

The CycloneDX format can be used as an Identification Source in the Application Composition Report.  Lifecycle scanners automatically incorporate discovered SBOMs whose filenames match the supported patterns, such as bom.xml and *-bom.xml (the same patterns used as scan targets in the Jenkins and Bamboo sections below).

The CycloneDX integration provides native component identification for many languages and formats.  Find a complete list at the CycloneDX Tool Center.  You may also upload SBOMs directly using the Third-Party Scan REST API.

When no source is provided through the API or encoded in the SBOM filename prefix, "Third Party" is used as the Identification Source in the Application Composition Report.

Component Identifiers, Package URL, and SHA-1 Hash

For libraries declared in the SBOM, Lifecycle scanners identify components using the following priority; the first identifier present wins.  An example of each appears in the SBOMs below.

  1. Package URL (purl)
  2. SHA-1 Hashes
  3. Component Identifiers (group/scope/namespace, name, version)

Note: In the unlikely event that the same component appears more than once in the SBOM, only the first occurrence is processed and shown; later duplicates are ignored.

NEW IN RELEASE 133

Dependency Relationships 

The CycloneDX format includes dependency graph information (available since specification version 1.2): the direct and transitive relationships between the application and its dependencies.  Lifecycle scanners include this information in the scan report and use it to build the application dependency tree.  See the Dependency Graph example below.
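As an added example (not Sonatype's code, and not how Lifecycle's own parser is written), the following Python script applies the identification priority listed above and the dependency graph walk to a small CycloneDX 1.4 XML document constructed inline: each component gets one identity key (purl, then SHA-1, then group:name:version), a repeated identity keeps only its first occurrence, and the graph is walked from the metadata component so that each component is labelled direct or transitive. The sample document, the ElementTree handling and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample BOM (not from the page): a trimmed 1.4 document with one
# component per identifier kind, plus a deliberate duplicate of jackson-databind.
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar"
SAMPLE_BOM = f"""<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name><version>9.1.1</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="acme-library">
      <name>acme-library</name><version>1.0.0</version>
      <hashes><hash alg="SHA-1">9188560f22e0b73070d2efce670c74af2bdf30af</hash></hashes>
    </component>
    <component type="library" bom-ref="{JACKSON}">
      <group>com.fasterxml.jackson.core</group><name>jackson-databind</name>
      <version>2.8.0</version><purl>{JACKSON}</purl>
    </component>
    <component type="library">
      <name>jackson-databind</name><version>2.8.0</version><purl>{JACKSON}</purl>
    </component>
    <component type="library" bom-ref="common-util">
      <group>org.acme</group><name>common-util</name><version>3.0.0</version>
    </component>
  </components>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="acme-library"/><dependency ref="{JACKSON}"/>
    </dependency>
    <dependency ref="acme-library"><dependency ref="common-util"/></dependency>
    <dependency ref="{JACKSON}"/>
    <dependency ref="common-util"/>
  </dependencies>
</bom>"""


def _ns(root):
    """Namespace URI of the root element, e.g. http://cyclonedx.org/schema/bom/1.4."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _text(el, ns, tag):
    value = el.findtext(f"{{{ns}}}{tag}")
    return value.strip() if value and value.strip() else None


def identity(comp, ns):
    """(kind, key) for one <component>, in the priority order stated above."""
    purl = _text(comp, ns, "purl")
    if purl:
        return "purl", purl
    hashes = comp.find(f"{{{ns}}}hashes")
    for h in (hashes if hashes is not None else []):
        if h.get("alg", "").upper() == "SHA-1" and h.text:
            return "sha1", h.text.strip().lower()
    name, version = _text(comp, ns, "name"), _text(comp, ns, "version")
    if name and version:
        return "coordinates", f"{_text(comp, ns, 'group') or ''}:{name}:{version}"
    return "unidentified", comp.get("bom-ref") or name or "?"


def parse_components(xml_text):
    """key -> {kind, bom_ref}; a repeated identity keeps only its first occurrence."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    seen, dropped = OrderedDict(), []
    comps = root.find(f"{{{ns}}}components")
    for comp in (comps if comps is not None else []):
        kind, key = identity(comp, ns)
        if key in seen:
            dropped.append(key)  # later duplicates are ignored, as the note says
            continue
        seen[key] = {"kind": kind, "bom_ref": comp.get("bom-ref")}
    return root, ns, seen, dropped


def dependency_depths(root, ns):
    """Breadth-first walk of <dependencies> from the metadata component.
    Depth 1 is a direct dependency, deeper is transitive. A ref reached by several
    paths keeps its shortest depth, which also stops the walk on cycles."""
    graph = {}
    deps = root.find(f"{{{ns}}}dependencies")
    for d in (deps if deps is not None else []):
        graph[d.get("ref")] = [c.get("ref") for c in d.findall(f"{{{ns}}}dependency")]
    app = root.find(f"{{{ns}}}metadata/{{{ns}}}component")
    frontier = [app.get("bom-ref")] if app is not None else []
    depth, level = {}, 0
    while frontier:
        level += 1
        nxt = []
        for ref in frontier:
            for child in graph.get(ref, []):
                if child not in depth:
                    depth[child] = level
                    nxt.append(child)
        frontier = nxt
    return depth


def classify(xml_text):
    """key -> (identifier kind, direct | transitive | unreferenced), plus dropped duplicates."""
    root, ns, comps, dropped = parse_components(xml_text)
    depth = dependency_depths(root, ns)
    report = {}
    for key, info in comps.items():
        d = depth.get(info["bom_ref"])
        scope = "direct" if d == 1 else "transitive" if d else "unreferenced"
        report[key] = (info["kind"], scope)
    return report, dropped


if __name__ == "__main__":
    report, dropped = classify(SAMPLE_BOM)
    for key, (kind, scope) in report.items():
        print(f"{scope:12} {kind:11} {key}")
    print("ignored duplicates:", dropped)
```

Run as a script it prints one line per component. A component that is listed under components but never reached from the metadata component comes out as unreferenced; that is worth checking before trusting an SBOM's direct/transitive split, since some generators emit the component list and the dependency graph from different sources.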

Innersource Components

CycloneDX can be used to identify Innersource producers, and to recognise when those producers are consumed by other applications as dependencies.  The same mechanism identifies proprietary components.  When processing the report, Lifecycle uses the identity information in the CycloneDX file whenever the component is otherwise unknown, which greatly reduces the number of unknown-component violations.  Any security and license data provided in the SBOM is also included in the report.  For the link to be made, the consumer's component must carry the same identity (for example the same purl, version included) that the producer's SBOM declares for itself.  See the examples of a producer and consumer below.
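As an added example (not Sonatype's code) of the producer/consumer pairing just described, the Python below takes a producer's SBOM and a consumer's SBOM, both constructed inline and modelled on the Innersource Producer and Consumer examples further down, and reports whether the consumer declares that producer and which of the producer's own dependencies the consumer's BOM already lists. It assumes the link is made on exact purl equality, consistent with the identification priority above, so pkg:npm/producer@1.0 does not match pkg:npm/producer@1.0.0; the other-component package and the function names are invented for the example.

```python
import xml.etree.ElementTree as ET

# Constructed producer SBOM (not the page's own). It publishes two components;
# other-component is invented for this example.
PRODUCER_BOM = """<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
  <metadata>
    <component type="application" bom-ref="pkg:npm/producer@1.0.0">
      <name>producer</name><version>1.0.0</version><purl>pkg:npm/producer@1.0.0</purl>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:npm/some-awesome-component@1.0">
      <name>some-awesome-component</name><version>1.0</version>
      <purl>pkg:npm/some-awesome-component@1.0</purl>
    </component>
    <component type="library" bom-ref="pkg:npm/other-component@2.0">
      <name>other-component</name><version>2.0</version>
      <purl>pkg:npm/other-component@2.0</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:npm/producer@1.0.0">
      <dependency ref="pkg:npm/some-awesome-component@1.0"/>
      <dependency ref="pkg:npm/other-component@2.0"/>
    </dependency>
    <dependency ref="pkg:npm/some-awesome-component@1.0"/>
    <dependency ref="pkg:npm/other-component@2.0"/>
  </dependencies>
</bom>"""


def consumer_bom(producer_version):
    """Constructed consumer SBOM depending on producer@<version>. Its own build
    tool only recorded one of the producer's two dependencies."""
    p = f"pkg:npm/producer@{producer_version}"
    return f"""<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
  <metadata>
    <component type="application" bom-ref="pkg:npm/consumer@1.0.0">
      <name>consumer</name><version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="{p}">
      <name>producer</name><version>{producer_version}</version><purl>{p}</purl>
    </component>
    <component type="library" bom-ref="pkg:npm/some-awesome-component@1.0">
      <name>some-awesome-component</name><version>1.0</version>
      <purl>pkg:npm/some-awesome-component@1.0</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:npm/consumer@1.0.0"><dependency ref="{p}"/></dependency>
    <dependency ref="{p}"><dependency ref="pkg:npm/some-awesome-component@1.0"/></dependency>
    <dependency ref="pkg:npm/some-awesome-component@1.0"/>
  </dependencies>
</bom>"""


def _ns(root):
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _index(xml_text):
    """(metadata component, namespace, bom-ref -> purl, dependency edges) for one BOM."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    meta = root.find(f"{{{ns}}}metadata/{{{ns}}}component")
    purls, edges = {}, {}
    comps = root.find(f"{{{ns}}}components")
    for c in (comps if comps is not None else []):
        purl = c.findtext(f"{{{ns}}}purl")
        if purl:
            purls[c.get("bom-ref") or purl.strip()] = purl.strip()
    deps = root.find(f"{{{ns}}}dependencies")
    for d in (deps if deps is not None else []):
        edges[d.get("ref")] = [x.get("ref") for x in d.findall(f"{{{ns}}}dependency")]
    return meta, ns, purls, edges


def link_innersource(producer_xml, consumer_xml):
    """None if the consumer does not declare the producer; otherwise which of the
    producer's declared dependencies the consumer's BOM already lists ('declared')
    and which it only learns about from the producer's BOM ('missing')."""
    p_meta, p_ns, p_purls, p_edges = _index(producer_xml)
    _, _, c_purls, _ = _index(consumer_xml)
    producer_purl = p_meta.findtext(f"{{{p_ns}}}purl") if p_meta is not None else None
    consumer_purls = set(c_purls.values())
    # Assumption: the match is exact purl equality, so producer@1.0 != producer@1.0.0.
    if not producer_purl or producer_purl not in consumer_purls:
        return None
    producer_deps = {p_purls.get(r, r) for r in p_edges.get(p_meta.get("bom-ref"), [])}
    return {"producer": producer_purl,
            "declared": sorted(producer_deps & consumer_purls),
            "missing": sorted(producer_deps - consumer_purls)}


if __name__ == "__main__":
    print(link_innersource(PRODUCER_BOM, consumer_bom("1.0.0")))
    print(link_innersource(PRODUCER_BOM, consumer_bom("1.0")))
```

The 'missing' list is the practical payoff of the producer SBOM: those components reach the consumer only through the producer, and the consumer's own SBOM says nothing about them. The second call shows the failure mode of a version string that does not match what the producer published; nothing links, and the producer stays an unknown component.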

Application Reports

In addition to using CycloneDX as an input to application analysis, you can also export any application report in Lifecycle to the CycloneDX format.

Hashes in the exported CycloneDX report are truncated SHA-1 values (the first 20 hexadecimal characters of the 40-character digest) rather than the full hash.  When reconciling an exported report against full hashes from another tool, compare on that 20-character prefix rather than on equality.

Example SBOMs

XML (version 1.4) file content

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>acme-library</name>
      <version>1.0.0</version>
      <hashes>
        <hash alg="SHA-1">9188560f22e0b73070d2efce670c74af2bdf30af</hash>
        <hash alg="SHA-256">d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964</hash>
      </hashes>
      <cpe>cpe:/a:acme:application:9.1.1</cpe>
    </component>
    <component type="library">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.8.0</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar" />
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
  </dependencies>
  <vulnerabilities>
    <vulnerability>
      <id>CVE-2018-7489</id>
      <source>
        <name>NVD</name>
        <url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</url>
      </source>
      <ratings>
        <rating>
          <source>
            <name>NVD</name>
            <url>https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&amp;version=3.0</url>
          </source>
          <score>9.8</score>
          <severity>critical</severity>
          <method>CVSSv3</method>
          <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vector>
        </rating>
      </ratings>
      <cwes>
        <cwe>184</cwe>
        <cwe>502</cwe>
      </cwes>
      <description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</description>
      <recommendation>Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.</recommendation>
      <advisories>
        <advisory>
          <title>GitHub Commit</title>
          <url>https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2</url>
        </advisory>
      </advisories>
      <created>2021-01-01T00:00:00.000Z</created>
      <published>2021-01-01T00:00:00.000Z</published>
      <updated>2021-01-01T00:00:00.000Z</updated>
      <analysis>
        <state>not_affected</state>
        <justification>code_not_reachable</justification>
        <responses>
          <response>will_not_fix</response>
          <response>update</response>
        </responses>
        <detail>An optional explanation of why the application is not affected by the vulnerable component.</detail>
      </analysis>
      <affects>
        <target>
          <ref>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</ref>
        </target>
      </affects>
    </vulnerability>
  </vulnerabilities>
</bom>

JSON (version 1.4) file content

{
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
      "timestamp": "2022-02-21T17:20:41Z",
      "component": {
         "name": "Acme Application",
         "version": "9.1.1",
         "type": "application",
         "bom-ref": "acme-app"
      }
   },
   "components": [
      {
         "name": "acme-library",
         "version": "1.0.0",
         "hashes": [
            {
               "alg": "SHA-1",
               "content": "9188560f22e0b73070d2efce670c74af2bdf30af"
            },
            {
               "alg": "SHA-256",
               "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964"
            }
         ],
         "cpe": "cpe:/a:acme:application:9.1.1",
         "type": "library"
      },
      {
         "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind",
         "version": "2.8.0",
         "licenses": [
            {
               "license": {
                  "id": "Apache-2.0"
               }
            }
         ],
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar",
         "type": "library"
      }
   ],
   "dependencies": [
      {
         "ref": "acme-app",
         "dependsOn": [
            "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
            "pkg:maven/org.acme/persistence@3.1.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
         "dependsOn": [
            "pkg:maven/org.acme/common-util@3.0.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/persistence@3.1.0?type=jar",
         "dependsOn": [
            "pkg:maven/org.acme/common-util@3.0.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/common-util@3.0.0?type=jar",
         "dependsOn": []
      }
   ],
   "vulnerabilities": [
      {
         "id": "CVE-2018-7489",
         "source": {
            "name": "NVD",
             "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
               },
               "score": 9.8,
               "severity": "critical",
               "method": "CVSSv3",
               "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "cwes": [
            184,
            502
         ],
         "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
         "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
         "advisories": [
            {
               "title": "GitHub Commit",
               "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
            }
         ],
         "created": "2021-01-01T00:00:00Z",
         "published": "2021-01-01T00:00:00Z",
         "updated": "2021-01-01T00:00:00Z",
         "analysis": {
            "state": "not_affected",
            "justification": "code_not_reachable",
            "response": [
               "will_not_fix",
               "update"
            ],
            "detail": "An optional explanation of why the application is not affected by the vulnerable component."
         },
         "affects": [
            {
               "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar"
            }
         ]
      }
   ]
}

Dependency Graph

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
      <purl>pkg:maven/org.acme/acme-app@9.1.1?type=jar</purl>
    </component>
  </metadata>
  <components>
    <component type="framework" bom-ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <group>org.acme</group>
      <name>web-framework</name>
      <version>1.0.0</version>
      <purl>pkg:maven/org.acme/web-framework@1.0.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <group>org.acme</group>
      <name>persistence</name>
      <version>3.1.0</version>
      <purl>pkg:maven/org.acme/persistence@3.1.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/common-util@3.0.0?type=jar">
      <group>org.acme</group>
      <name>common-util</name>
      <version>3.0.0</version>
      <purl>pkg:maven/org.acme/common-util@3.0.0?type=jar</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar"/>
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
  </dependencies>
</bom>

Innersource Producer

<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
	<metadata>
		<component type="application" bom-ref="pkg:npm/producer@1.0.0">
			<name>producer</name>
			<version>1.0.0</version>
		</component>
	</metadata>
	<components>
		<component type="library" bom-ref="pkg:npm/some-awesome-component@1.0">
			<name>some-awesome-component</name>
			<version>1.0</version>
			<purl>pkg:npm/some-awesome-component@1.0</purl>
		</component>
	</components>
	<dependencies>
		<dependency ref="pkg:npm/producer@1.0.0">
			<dependency ref="pkg:npm/some-awesome-component@1.0"/>
		</dependency>
		<dependency ref="pkg:npm/some-awesome-component@1.0"/>
	</dependencies>
</bom>

Innersource Consumer

<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
	<metadata>
		<component type="application" bom-ref="pkg:npm/consumer@1.0.0">
			<name>consumer</name>
			<version>1.0.0</version>
		</component>
	</metadata>
	<components>
		<component type="library" bom-ref="pkg:npm/producer@1.0.0">
			<name>producer</name>
			<version>1.0.0</version>
			<purl>pkg:npm/producer@1.0.0</purl>
		</component>
		<component type="library" bom-ref="pkg:npm/some-awesome-component@1.0">
			<name>some-awesome-component</name>
			<version>1.0</version>
			<purl>pkg:npm/some-awesome-component@1.0</purl>
		</component>
	</components>
	<dependencies>
		<dependency ref="pkg:npm/consumer@1.0.0">
			<dependency ref="pkg:npm/producer@1.0.0"/>
		</dependency>
		<dependency ref="pkg:npm/producer@1.0.0">
			<dependency ref="pkg:npm/some-awesome-component@1.0"/>
		</dependency>
		<dependency ref="pkg:npm/some-awesome-component@1.0"/>
	</dependencies>
</bom>

Analyze using the Jenkins plugin

By default, the Jenkins plugin does not evaluate bom.xml; a custom Scan Target is needed.  The following pipeline step adds the two common SBOM filename patterns as scan patterns:

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/bom.xml'], [scanPattern: '**/*-bom.xml']], iqStage: 'build'

For more information on configuring Jenkins, see the Nexus Platform Plugin for Jenkins.

Analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined.  To evaluate CycloneDX SBOMs, add the SBOM filename patterns to the scan targets as a comma-separated list, e.g.

**/bom.xml,**/*-bom.xml

For more information on configuring Bamboo, see Nexus IQ for Bamboo.