Create a Project by Importing an SBOM File

Overview

Mend.io enables you to import a previously generated SBOM file, to create a new project in the application.

An SBOM file traditionally specifies the libraries, code packages, and other third-party components that are used in your project.

Once imported, licensing and vulnerability data will be associated with your project’s dependencies, like any other project scanned into the application. Projects created via SBOM imports will be regularly monitored for new vulnerabilities and updates, like any other project in the application.

Prerequisites

Mend.io allows you to import SBOM files exported by the following tools:

The supported SBOM standards are CycloneDX (versions 1.4, 1.5) and SPDX (versions 2.2, 2.3).

The supported formats are JSON and XML.

Getting it done

Create a new Project by Uploading an SBOM File via the Add Project Wizard

Note: This section will show you how to create a new project. To update an existing one, please follow the steps in the relevant article.

To create a new project out of an existing SBOM file, you will need to upload the SBOM file to the product in which you would like the new project created.

  1. Navigate to the Products menu and select the product in which you would like to create the new project:

    image-20240926-170006.png

  2. On the product page, click the “Add Project” button:

    image-20240926-165614.png

  3. A. In the Project Details wizard, specify a Project Name and Description.
    B. Check the “Import SBOM” box, to reveal the option to upload an SBOM file.
    C. Click “Choose File” to browse your file system and select the desired SBOM file which meets the required specifications.

    image-20240926-191252.png

  4. Click the “Create” button located at the bottom-right corner of the wizard.

At this stage, you may see a “Background process in progress” message at the top of the project page, indicating that the new project is being set up.

image-20240926-191828.png

Note: Projects created from an SBOM import will carry a tag, to differentiate them from other projects, as follows:

  • Key: SBOMImport; Value: true

Compare your SBOMs

Mend.io recommends using the existing “Project Comparison” report to compare SBOMs.

Limitations

  1. Source libraries in SBOM Export files generated by Mend.io are ignored.

  2. No vulnerability/VEX data in the SBOM file gets imported. Vulnerability information in the newly created/updated project is based on the Mend.io database.

  3. No licensing data in the SBOM file gets imported. Licensing information in the newly created/updated project is based on the Mend.io database.

  4. Keywords support limitations:

    • For SPDX, Mend.io supports the following relationship types:

      "DEPENDS_ON",
      "DYNAMIC_LINK",
      "STATIC_LINK",
      "CONTAINS",
      "DESCRIBE"
    • For CycloneDX, Mend.io supports the “dependsOn” property.
      Example (one entry from the SBOM’s “dependencies” array):

      {
        "ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
        "dependsOn": [ "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar" ]
      }
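The limitations above decide what an import will actually use from a CycloneDX file: the dependency graph comes only from “dependsOn”, while vulnerability and license data are replaced by Mend.io’s own database. The following pre-import check is an added example written for this page, not Mend.io tooling; it parses a constructed sample SBOM, confirms the spec version is one of the supported ones, resolves every “dependsOn” target against the declared components, and lists the sections the import will ignore.

```python
import json

SUPPORTED_CYCLONEDX = {"1.4", "1.5"}  # CycloneDX versions listed on this page

# Constructed sample SBOM (not exported from any real project): two
# components, one dependsOn edge that resolves, one that does not, plus
# vulnerability and license data that the import does not use.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "google-api-services-ml",
         "bom-ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "google-api-client",
         "bom-ref": "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
         "dependsOn": ["pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar"]},
        {"ref": "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar",
         "dependsOn": ["pkg:maven/example/not-in-components@1.0?type=jar"]},
    ],
    "vulnerabilities": [{"id": "PLACEHOLDER-VULN-ID"}],
})


def check_cyclonedx(text):
    """Summarise what an SBOM import would and would not pick up from this file."""
    bom = json.loads(text)
    components = bom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    edges = [(d["ref"], dep) for d in bom.get("dependencies", [])
             for dep in d.get("dependsOn", [])]
    # dependsOn targets with no matching component cannot become graph edges
    dangling = sorted(dep for _, dep in edges if dep not in refs)
    ignored = []
    if bom.get("vulnerabilities"):
        ignored.append("vulnerabilities")  # VEX data is not imported
    if any(c.get("licenses") for c in components):
        ignored.append("licenses")         # license data is not imported
    return {
        "format_ok": bom.get("bomFormat") == "CycloneDX",
        "spec_supported": bom.get("specVersion") in SUPPORTED_CYCLONEDX,
        "components": len(refs),
        "depends_on_edges": len(edges),
        "dangling_refs": dangling,
        "ignored_sections": ignored,
    }


if __name__ == "__main__":
    for key, value in check_cyclonedx(SAMPLE_SBOM).items():
        print(f"{key}: {value}")
```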