
Update a Project by Importing an SBOM File

Overview

Mend.io enables you to import a previously generated SBOM file to update an existing project in the application.

An SBOM file traditionally specifies the libraries, code packages, and other third-party components that are used in your project.

Once imported, licensing and vulnerability data will be associated with your project’s dependencies, like any other project scanned into the application. Projects created or updated via SBOM imports will be regularly monitored for new vulnerabilities and updates.

Prerequisites

Mend.io allows you to import SBOM files exported by the following tools:

The supported SBOM standards are CycloneDX (versions 1.4, 1.5) and SPDX (versions 2.2, 2.3).

The supported formats are JSON and XML.

Getting it done

Update an Existing Project by Uploading an SBOM File via the Project Administration Screen

Note: This section will show you how to update an existing project. To create a new one, please follow the steps in the relevant article.

To import an SBOM report, you will need to upload a previously generated SBOM report file to the application via the Project Administration page:

  1. Find your project in the Projects menu and click it.

     Alternatively, navigate to the relevant product and locate the project under “Project Summary”.

  2. Click the cogwheel button at the far right to open the Project Administration page.

  3. Click “Update Project”.

  4. In the Update Project window, click “Choose File” to browse your file system for the SBOM file, then click “Update” to upload the selected file.

Note: The SBOM import will override the project’s existing inventory.

Compare your SBOMs

Mend.io recommends using the existing “Project Comparison” report to compare SBOMs.

Limitations

  1. Source libraries in SBOM Export files generated by Mend.io are ignored.

  2. No vulnerability/VEX data in the SBOM file gets imported. Vulnerability information in the newly created/updated project is based on the Mend.io database.

  3. No licensing data in the SBOM file gets imported. Licensing information in the newly created/updated project is based on the Mend.io database.

  4. Keyword support limitations:

    • For SPDX, Mend.io supports the following relationship properties:

      "DEPENDS_ON",
      "DYNAMIC_LINK",
      "STATIC_LINK",
      "CONTAINS",
      "DESCRIBE"

    • For CycloneDX, Mend.io supports the “dependsOn” property. Example:

      "ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
      "dependsOn": [ "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar" ]
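As an added pre-import check (not part of Mend.io's documentation or product), the script below reads a CycloneDX or SPDX JSON SBOM and reports which dependency edges the import will keep under the keyword limitations above, which SPDX relationships will be dropped, and which sections (vulnerabilities/VEX, licenses) the import ignores per limitations 2 and 3. The sample documents and the vulnerability id are constructed.

```python
import json

# Keywords the page lists as supported on import; anything else is treated as dropped here.
SPDX_SUPPORTED = {"DEPENDS_ON", "DYNAMIC_LINK", "STATIC_LINK", "CONTAINS", "DESCRIBE"}

def preflight(sbom_json: str) -> dict:
    """Summarise which relationships survive a Mend.io import and which sections it ignores."""
    doc = json.loads(sbom_json)
    report = {"format": None, "kept_edges": 0, "dropped": [], "ignored_sections": []}
    if doc.get("bomFormat") == "CycloneDX":
        report["format"] = "CycloneDX"
        # Only dependsOn edges are taken; count them so the imported graph size can be sanity-checked.
        for dep in doc.get("dependencies", []):
            report["kept_edges"] += len(dep.get("dependsOn", []))
        # Limitations 2 and 3: vulnerability/VEX and license data in the file are not imported.
        if doc.get("vulnerabilities"):
            report["ignored_sections"].append("vulnerabilities")
        if any(c.get("licenses") for c in doc.get("components", [])):
            report["ignored_sections"].append("component licenses")
    elif "spdxVersion" in doc:
        report["format"] = "SPDX"
        for rel in doc.get("relationships", []):
            rtype = rel.get("relationshipType", "")
            if rtype in SPDX_SUPPORTED:
                report["kept_edges"] += 1
            else:  # recorded so the operator knows which edges the updated inventory will lack
                report["dropped"].append((rel.get("spdxElementId"), rtype, rel.get("relatedSpdxElement")))
        if any("licenseConcluded" in p for p in doc.get("packages", [])):
            report["ignored_sections"].append("licenseConcluded")
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return report

# Constructed sample documents (not real project data); the vulnerability id is a placeholder.
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "bom-ref": "pkg:maven/a/b@1.0", "licenses": [{"license": {"id": "MIT"}}]}],
    "dependencies": [{"ref": "pkg:maven/a/b@1.0", "dependsOn": ["pkg:maven/c/d@2.0", "pkg:maven/e/f@3.0"]}],
    "vulnerabilities": [{"id": "EXAMPLE-VULN-ID"}],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"SPDXID": "SPDXRef-A", "licenseConcluded": "Apache-2.0"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-A", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-B"},
        {"spdxElementId": "SPDXRef-A", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-D"},
        {"spdxElementId": "SPDXRef-A", "relationshipType": "DEV_DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-C"},
    ],
})
```

Run `preflight()` on the file you are about to upload; a non-empty `dropped` list means the updated project's dependency graph will be missing those edges, since the import overrides the existing inventory.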