Overview
Xray allows you to import SBOMs into the platform, enabling multiple use cases:
- Enriching an SBOM generated by an external tool with vulnerability information (VEX) and legal obligations.
- Enriching artifacts with SBOM data to produce aggregated SBOM and scan results.
SBOM import is currently supported for the CycloneDX format only.
How to Import an SBOM into Xray
- Upload a CycloneDX file with a ".cdx.json" or ".cdx.xml" suffix to an indexed generic repository.
- Done! The scanned SBOM will now appear in your scan list.
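The import procedure above as an added example (not JFrog's own code or documentation): a script that enforces the ".cdx.json" / ".cdx.xml" naming rule, writes a constructed minimal CycloneDX document, and deploys it to an indexed generic repository. The repository key "generic-sboms", the target folder "sboms/" and the environment variables ARTIFACTORY_URL and ARTIFACTORY_TOKEN are assumptions, not values from this page.

```bash
#!/usr/bin/env bash
# Added example, not JFrog's own code. Assumed placeholders: repository key
# "generic-sboms", ARTIFACTORY_URL (e.g. https://example.jfrog.io/artifactory)
# and ARTIFACTORY_TOKEN (an access token with deploy permission on the repo).
set -eu

# Xray only treats files named *.cdx.json or *.cdx.xml as SBOMs; any other
# name is stored as an ordinary generic artifact and never reaches the scan list.
sbom_filename_ok() {
  case "$1" in
    *.cdx.json|*.cdx.xml) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a constructed sample SBOM (one component, identified by its purl so the
# scanner can match it against vulnerability and license data) to the given path.
write_sample_sbom() {
  cat > "$1" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.20",
      "purl": "pkg:npm/lodash@4.17.20"
    }
  ]
}
EOF
}

# Deploy the file with a PUT to <ARTIFACTORY_URL>/<repo>/<path>, the standard
# Artifactory deploy call; refuse up front if the suffix rule is not met.
upload_sbom() {
  local file="$1" repo="$2"
  sbom_filename_ok "$file" || { echo "refusing: $file lacks .cdx.json/.cdx.xml suffix" >&2; return 1; }
  curl -fsS -H "Authorization: Bearer ${ARTIFACTORY_TOKEN}" \
    -T "$file" "${ARTIFACTORY_URL}/${repo}/sboms/$(basename "$file")"
}

# Usage (the network call only runs when you invoke it yourself):
# write_sample_sbom app.cdx.json && upload_sbom app.cdx.json generic-sboms
```

After the upload, the file should appear in the Xray scan list within the repository's next indexing pass; if it does not, check the suffix first, then that the repository is actually marked as indexed by Xray.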
How to Aggregate Artifacts with SBOM data
- Add the ".cdx.json" or ".cdx.xml" SBOM file to the scanned artifact (Docker image, archive, etc.).
- Done! The referenced information in the SBOM will now be added to your artifact scan results.
How to Enrich SBOM with Data using the JFrog CLI
Go to Enrich your SBOM