CycloneDX Application Analysis

NEW IN RELEASE 77

What is Supported

Files whose name matches the pattern <source>-bom.xml and that contain CycloneDX data are scanned (CycloneDX version 1.1 is supported).

An example:

cyclonedx-bom.xml

The <source> part of the file name is used as the identification source, which is displayed in the Application Composition Report.

bom.xml (with no source prefix) is also a valid file name. If no source is provided, Third Party is used as the default identification source in the Application Composition Report.

Remember that, initially, only components that carry a <purl> element will be processed; components without a <purl> are skipped.

Steps to analyze using the CLI

Create the cyclonedx-bom.xml

For detailed instructions on the CycloneDX schema, please refer to the CycloneDX scanner documentation.

Example file content

<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1">
    <components>
        <component type="library">
            <publisher>Ronald Oussoren</publisher>
            <name>altgraph</name>
            <version>0.10.2</version>
            <description>Python graph (network) package</description>
            <hashes>
                <hash alg="SHA-256">628ad4e48be307970476ed0a9ab5efaf52e188bff115ab97d9e3d27fbe95fb60</hash>
                <hash alg="MD5">059ae244d667cc673e16826c2b96046f</hash>
            </hashes>
            <licenses>
                <license>
                    <name>MIT</name>
                </license>
            </licenses>
            <purl>pkg:pypi/altgraph@0.10.2</purl>
            <modified>false</modified>
        </component>
        <component type="library">
            <publisher>Bob Ippolito</publisher>
            <name>bdist-mpkg</name>
            <version>0.5.0</version>
            <description>Builds Mac OS X installer packages from distutils</description>
            <hashes>
                <hash alg="SHA-256">d42a697e0869d12dd451c9ef687ac34f45d44227569cfabec69bddabb40bb89b</hash>
                <hash alg="MD5">db4742ffa9afc8a0cf6c55c2aeb7309f</hash>
            </hashes>
            <licenses>
                <license>
                    <name>MIT License</name>
                </license>
            </licenses>
            <purl>pkg:pypi/bdist-mpkg@0.5.0</purl>
            <modified>false</modified>
        </component>
    </components>
</bom>
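The following is an added example, not Sonatype's code or part of the CycloneDX project: a small pre-scan check a practitioner can run over a BOM before invoking the CLI. It applies the two rules stated above (the file must match <source>-bom.xml, with Third Party as the default source when no prefix is present, and only components with a <purl> are processed) and reports which components the scan will pick up and which it will skip. The embedded BOM is a constructed, trimmed copy of the example file above with one extra component that deliberately lacks a <purl>; the function names and the regular expression are this example's own assumptions, not anything the IQ CLI exposes.

```python
"""Pre-scan sanity check for a CycloneDX 1.1 BOM before handing it to the IQ CLI.

Added example, not Sonatype's code. Assumptions (taken from the page's text):
filenames follow '<source>-bom.xml', the default source is 'Third Party', and
only components carrying a <purl> are processed.
"""
import re
import xml.etree.ElementTree as ET

CYCLONEDX_NS = "http://cyclonedx.org/schema/bom/1.1"
DEFAULT_SOURCE = "Third Party"
# '<source>-bom.xml' with an optional source prefix; plain 'bom.xml' also matches.
BOM_FILENAME = re.compile(r"^(?:(?P<source>.+)-)?bom\.xml$")

# Constructed sample: a trimmed copy of the BOM shown above, plus a third
# component without a <purl> to show what the scan would skip.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1">
  <components>
    <component type="library">
      <name>altgraph</name>
      <version>0.10.2</version>
      <purl>pkg:pypi/altgraph@0.10.2</purl>
    </component>
    <component type="library">
      <name>bdist-mpkg</name>
      <version>0.5.0</version>
      <purl>pkg:pypi/bdist-mpkg@0.5.0</purl>
    </component>
    <component type="library">
      <name>no-purl-lib</name>
      <version>1.0.0</version>
    </component>
  </components>
</bom>
"""


def identification_source(filename):
    """Return the identification source derived from the file name, or None
    when the name does not match the <source>-bom.xml pattern at all."""
    m = BOM_FILENAME.match(filename)
    if not m:
        return None
    return m.group("source") or DEFAULT_SOURCE


def split_components(bom_xml):
    """Parse a CycloneDX 1.1 BOM and split its components into those that
    carry a <purl> (processed) and those that do not (skipped)."""
    root = ET.fromstring(bom_xml)
    if root.tag != f"{{{CYCLONEDX_NS}}}bom":
        raise ValueError(f"not a CycloneDX 1.1 BOM: root element is {root.tag}")
    ns = {"c": CYCLONEDX_NS}
    processed, skipped = [], []
    for comp in root.findall("c:components/c:component", ns):
        name = comp.findtext("c:name", default="?", namespaces=ns)
        version = comp.findtext("c:version", default="?", namespaces=ns)
        purl = comp.findtext("c:purl", namespaces=ns)
        if purl:
            processed.append(purl)
        else:
            skipped.append(f"{name}@{version}")
    return processed, skipped


def check_bom(filename, bom_xml):
    """Summarise what an IQ scan would pick up from this file."""
    source = identification_source(filename)
    if source is None:
        return {"source": None, "processed": [], "skipped": [],
                "error": "file name does not match <source>-bom.xml"}
    processed, skipped = split_components(bom_xml)
    return {"source": source, "processed": processed, "skipped": skipped,
            "error": None}


if __name__ == "__main__":
    for fname in ("cyclonedx-bom.xml", "bom.xml", "inventory.xml"):
        print(fname, "->", check_bom(fname, SAMPLE_BOM))
```

Running the block prints one summary per candidate file name: cyclonedx-bom.xml yields the source "cyclonedx", bom.xml falls back to "Third Party", and inventory.xml is rejected before parsing. Components listed under "skipped" would not appear in the Application Composition Report, so a non-empty skipped list is the cue to add a <purl> to those entries before scanning.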

Run a scan

Invoke a CLI scan of the directory containing cyclonedx-bom.xml. Instructions on how to do this can be found here: https://help.sonatype.com/integrations/nexus-iq-cli.

The output from the CLI

Dashboard results

Report results