Export SBOM Data

JFrog Security Documentation

ft:sourceType
Paligo

To export SBOM data as SPDX or CycloneDX do the following:

  1. In Artifactory, from the Xray Data tab, select Actions.

  2. Depending on the format you require, select either Export SBOM as SPDX or Export SBOM as CycloneDX.

    image2022-1-5_13-42-46.png
  3. Select one of the supported export formats according to your needs.

    image2022-1-4_16-4-8.png

    For CycloneDX, you can include/exclude VEX data in the report.

    cycloneDX.png

SPDX Format Examples

In the current implementation of generating an SPDX report, Xray covers Documentation Creation Information and Package Information that includes the following fields:

  • Package Name

  • Package Version

  • Detected licenses

  • Detected checksums when possible

PackageName: PyYAML
SPDXID: SPDXRef-Package-PyYAML-3.10
PackageVersion: 3.10
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 3d8ee7cc23fef4279e6a0a46ea8df14f2bfe09703dd1e67b465bca5d4b500602
PackageHomePage: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Future releases will include additional data based on the SPDX specification. Note that some values in the report might have a value of No Assertion, which means Xray attempted to but couldn't reach a reasonable objective determination or intentionally didn't provide any information. For more information, see the SPDX specification version 2.2.1.

CycloneDX Format Examples

The CycloneDX implementation provides the general metadata of the report that includes information such as, Xray and Cyclone DX version, author, and report generation date. It also covers detailed component information for each of the detected components and their vulnerabilities information (VEX).

"type": "application",
  "name": "ubuntu:bionic:libsqlite3-0",
  "version": "3.22.0-1ubuntu0.4",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "1c0f71e7796c1ddb8527b9b052f9948fc8a2c1e8e9c89b084bcc36100f966714"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "GPL-2.0",
        "url": "http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html"
      }
    }
  ]
} 

The current implementation is based on CycloneDX specification version 1.4.