
Create a Project using a Dependencies SBOM Import

Overview

Mend.io lets you import a previously generated Dependencies SBOM report and create a new project from it, which you can then manage in the Mend AppSec Platform.

An SBOM report lists the libraries, code packages, and other third-party components used in your project.

Getting it done

Upload an SBOM Report File via the Mend Platform UI

To import an SBOM report, you will need to upload a previously generated SBOM report file to the Mend Platform. Here’s how to do it:

  • Navigate to the “Manage Projects” screen.

  • Click the + Add Project button at the far right corner of the screen.

  • In the Add Project wizard, follow these steps:

  1. Project Name - Specify a name for the new project that will be created out of the SBOM report.

  2. Application - Specify the application that the new project will be a part of.

  3. Import Dependencies SBOM - Make sure to tick this checkbox so you can later upload your SBOM file.

  4. CycloneDX / SPDX - Select the standard (CycloneDX or SPDX) that the imported SBOM file follows.

  5. Select or drag file here - You can browse your file system for the SBOM report file or drag-and-drop it.

  6. OK - Click the OK button to start the upload.


Note that when the import completes, a new project will be created. You will be able to manage it like any other project in the Mend Platform.

Note: Projects created from an SBOM import carry a tag that distinguishes them from other projects:

  • Key: SBOMImport; Value: true

Limitations

  1. Source libraries in SBOM Export files generated by Mend.io are ignored.

  2. No vulnerability/VEX data in the SBOM file gets imported. Vulnerability information in the newly created/updated project is based on the Mend.io database.

  3. No licensing data in the SBOM file gets imported. Licensing information in the newly created/updated project is based on the Mend.io database.

  4. Keyword support limitations:

    • For SPDX, Mend.io supports the following relationship types:

      "DEPENDS_ON",
      "DYNAMIC_LINK",
      "STATIC_LINK",
      "CONTAINS",
      "DESCRIBE"

    • For CycloneDX, Mend.io supports the “dependsOn” property. Example:

      {
        "ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
        "dependsOn": [ "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar" ]
      }
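Because the import keeps only the keywords listed above and discards vulnerability/VEX and license data, it is worth checking an SBOM file before uploading it to see which relationships will survive. The following pre-import check is an added example, not Mend.io's code: it reads an SPDX or CycloneDX JSON document, counts SPDX relationships by type against the supported list (any other type is assumed to be ignored), and for CycloneDX reports components that have no dependsOn entry plus the vulnerability and license data that will not be imported. The sample documents are constructed for the example and reuse the page's CycloneDX refs.

```python
import json

# Keywords the page lists as honoured by the import; other SPDX types are assumed to be ignored.
SPDX_SUPPORTED = {"DEPENDS_ON", "DYNAMIC_LINK", "STATIC_LINK", "CONTAINS", "DESCRIBE"}

def check_spdx(doc):
    """Count SPDX relationships per type, split into kept and dropped dicts."""
    kept, dropped = {}, {}
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType", "")
        bucket = kept if rtype in SPDX_SUPPORTED else dropped
        bucket[rtype] = bucket.get(rtype, 0) + 1
    return kept, dropped

def check_cyclonedx(doc):
    """List component refs with no dependsOn entry; count vulnerability/license data the import ignores."""
    comps = doc.get("components", [])
    refs = {c["bom-ref"] for c in comps if "bom-ref" in c}
    covered = {d["ref"] for d in doc.get("dependencies", []) if "ref" in d}
    ignored = {"vulnerabilities": len(doc.get("vulnerabilities", [])),
               "licenses": sum(1 for c in comps if c.get("licenses"))}
    return sorted(refs - covered), ignored

def preflight(text):
    """Detect the SBOM standard (JSON form only) and report what the import keeps or drops."""
    doc = json.loads(text)
    if "spdxVersion" in doc:
        kept, dropped = check_spdx(doc)
        return {"format": "SPDX", "kept": kept, "dropped": dropped}
    if doc.get("bomFormat") == "CycloneDX":
        missing, ignored = check_cyclonedx(doc)
        return {"format": "CycloneDX", "no_dependsOn": missing, "ignored": ignored}
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")

# Constructed sample documents (not real SBOMs); the refs reuse the page's CycloneDX example.
ML = "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar"
CLIENT = "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar"
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"bom-ref": ML, "licenses": [{"license": {"id": "Apache-2.0"}}]},
                   {"bom-ref": CLIENT}],
    "dependencies": [{"ref": ML, "dependsOn": [CLIENT]}],
    "vulnerabilities": [{"id": "EXAMPLE-VULN-1"}],   # placeholder id, will not be imported
})
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "relationships": [
    {"spdxElementId": a, "relationshipType": t, "relatedSpdxElement": b}
    for a, t, b in [("SPDXRef-App", "DEPENDS_ON", "SPDXRef-Lib1"),
                    ("SPDXRef-App", "CONTAINS", "SPDXRef-Lib2"),
                    ("SPDXRef-Tool", "BUILD_TOOL_OF", "SPDXRef-App")]]})
```

Run preflight() on your own exported file's contents; a non-empty "dropped" or "no_dependsOn" result tells you which dependency edges the created project will be missing.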