Xray SBOM Report

JFrog Security Documentation



Starting from Xray version 3.40.x and above, Xray has introduced the capability to generate a Software Bills of Materials (SBOM) report, that will enable DevSecOps engineers to understand and analyze the dependencies of their components.

SBOM is a readable inventory of software components and dependencies. The report will include SBOM data of your components, including unidentified components and open-source software. This enables you to:

  • Understand components and code dependencies.

  • Gain visibility into open-source licenses for the components in use.

  • Be aware of the end-of-life of components, and which components need to be updated.

  • Identify vulnerable components or recently identified vulnerabilities.

  • Enforce organizational compliance and policies.

How does it Work?

After performing an Xray scan, you can export the scan data as an SBOM report using one of the two supported SBOM formats:

  • SPDX: Software Package Data Exchange (SPDX) is a standard format for communicating the components of software packages, including information about license copyrights. It includes several mechanisms that are especially useful for open-source software.

    Supported export formats in Xray: tag:value, JSON, and xlsx.

  • CycloneDX: CycloneDX is a lightweight SBOM specification designed specifically for software security requirements and related risk analysis. Starting with Xray version 3.67.x and above, the SBOM also includes VEX information, such as vulnerability details, exploitability, and detailed analysis. CycloneDX designed to be flexible, easily adaptable, with implementations for popular build systems.

    Supported export formats in Xray: JSON, and XML.

Export SBOM Data

To export SBOM data as SPDX or CycloneDX do the following:

  1. In Artifactory, from the Xray Data tab, select Actions.

  2. Depending on the format you require, select either Export SBOM as SPDX or Export SBOM as CycloneDX.

  3. Select one of the supported export formats according to your needs.

SPDX Format Examples

In the current implementation of generating an SPDX report, Xray covers Documentation Creation Information and Package Information that includes the following fields:

  • Package Name

  • Package Version

  • Detected licenses

  • Detected checksums when possible

PackageName: PyYAML
SPDXID: SPDXRef-Package-PyYAML-3.10
PackageVersion: 3.10
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 3d8ee7cc23fef4279e6a0a46ea8df14f2bfe09703dd1e67b465bca5d4b500602
PackageHomePage: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Future releases will include additional data based on the SPDX specification. Note that some values in the report might have a value of No Assertion, which means Xray attempted to but couldn't reach a reasonable objective determination or intentionally didn't provide any information. For more information, see the SPDX specification version 2.2.1.

CycloneDX Format Examples

The CycloneDX implementation provides the general metadata of the report that includes information such as, Xray and Cyclone DX version, author, and report generation date. It also covers detailed component information for each of the detected components and their vulnerabilities information (VEX).

"type": "application",
  "name": "ubuntu:bionic:libsqlite3-0",
  "version": "3.22.0-1ubuntu0.4",
  "hashes": [
      "alg": "SHA-256",
      "content": "1c0f71e7796c1ddb8527b9b052f9948fc8a2c1e8e9c89b084bcc36100f966714"
  "licenses": [
      "license": {
        "id": "GPL-2.0",
        "url": "http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html"

The current implementation is based on CycloneDX specification version 1.4.

REST API Support

Exporting SBOM data is also supported through the Export Component Details REST API.Export Component Details