To export SBOM data as SPDX or CycloneDX, do the following:
In Artifactory, from the Xray Data tab, select Actions.
Depending on the format you require, select either Export SBOM as SPDX or Export SBOM as CycloneDX.
Select one of the supported export formats according to your needs.
For CycloneDX, you can include/exclude VEX data in the report.
SPDX Format Examples
In the current implementation of generating an SPDX report, Xray covers Documentation Creation Information and Package Information that includes the following fields:
Package Name
Package Version
Detected licenses
Detected checksums when possible
PackageName: PyYAML
SPDXID: SPDXRef-Package-PyYAML-3.10
PackageVersion: 3.10
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 3d8ee7cc23fef4279e6a0a46ea8df14f2bfe09703dd1e67b465bca5d4b500602
PackageHomePage: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
Future releases will include additional data based on the SPDX specification. Note that some fields in the report might have the value NOASSERTION (No Assertion), which means that Xray either attempted to reach a reasonable objective determination but could not, or intentionally did not provide any information. For more information, see the SPDX specification version 2.2.1.
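The following added example (not part of the Xray documentation or JFrog code) shows one way to consume an exported SPDX tag-value report: it parses the Package Information sections and lists the packages that have no concluded license or no checksum, which is where NOASSERTION values matter most for review. The function names and the second sample package are assumptions made for illustration.

```python
import re

# Constructed sample: the first package is the PyYAML entry shown on this page;
# the second (example-lib) is a made-up package with no checksum or license.
SAMPLE = """\
PackageName: PyYAML
SPDXID: SPDXRef-Package-PyYAML-3.10
PackageVersion: 3.10
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 3d8ee7cc23fef4279e6a0a46ea8df14f2bfe09703dd1e67b465bca5d4b500602
PackageHomePage: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib-1.0
PackageVersion: 1.0
PackageLicenseConcluded: NOASSERTION
"""

TAG = re.compile(r"^(\w+):\s*(.*)$")  # single-line tags only, no <text> blocks

def parse_packages(text):
    """Split SPDX tag-value text into one dict per Package Information section."""
    packages, current = [], None
    for line in text.splitlines():
        m = TAG.match(line.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {"checksums": {}, "noassertion": []}
            packages.append(current)
        if current is None:
            continue  # document-level tags before the first package
        if tag == "PackageChecksum":
            alg, _, digest = value.partition(":")
            current["checksums"][alg.strip()] = digest.strip().lower()
        elif value == "NOASSERTION":
            current["noassertion"].append(tag)
        else:
            current[tag] = value
    return packages

def needs_review(packages):
    """Names of packages lacking a concluded license or any checksum."""
    return [p.get("PackageName") for p in packages
            if "PackageLicenseConcluded" not in p or not p["checksums"]]
```

Calling needs_review(parse_packages(report_text)) on an exported report gives the list of packages to follow up on manually.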
CycloneDX Format Examples
The CycloneDX implementation provides the general metadata of the report, which includes information such as the Xray and CycloneDX versions, the author, and the report generation date. It also covers detailed component information for each of the detected components and their vulnerability information (VEX).
{
  "type": "application",
  "name": "ubuntu:bionic:libsqlite3-0",
  "version": "3.22.0-1ubuntu0.4",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "1c0f71e7796c1ddb8527b9b052f9948fc8a2c1e8e9c89b084bcc36100f966714"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "GPL-2.0",
        "url": "http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html"
      }
    }
  ]
}
The current implementation is based on CycloneDX specification version 1.4.