SBOM Report for Container Images
Note: This feature is supported from Mend CLI version 24.5.3 (released in June 2024).
Overview
As a security or compliance officer, you may want to generate an SBOM report for your container images directly from the Mend Platform, to quickly assess the components and their associated metadata within each container image in the project or application.
Supported Versions and File Types
Standard | Supported Versions | File Types
---|---|---
SPDX | 2.2, 2.3 | JSON, tag-value (tv), XML
CycloneDX | 1.4, 1.5 | JSON, XML
Getting it done
Generate your Container Image SBOM from the Mend CLI
The --format CLI flag
Use the --format flag to specify the desired SBOM standard and file type:
mend image <Image:Tag> --format <sbomType-filetype>
SBOM format options (the value combines the standard and the file type):
Value (<sbomType-filetype>) | Output file format
---|---
| JSON
| tag-value (tv, SPDX only)
| XML
| XML
| JSON
Export the results to a file by adding the --filename flag alongside the --format flag.
Simple BOM output in the Mend CLI
Get a flat BOM view directly from the Mend CLI by using the --show=bom option:
mend image <image> --show=bom
Output columns:
Name: package name
Version: package version
Type: package type (for OS packages, the package manager type)
Example image:
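The flat Name / Version / Type view above is also easy to reproduce from an SBOM file you exported with --filename, which is useful when the report is consumed by a pipeline rather than read on the terminal. The following is an added example and not Mend's code: it assumes the exported file is SPDX JSON or CycloneDX JSON (tag-value and XML are not handled), derives the package type from the purl that both standards carry, and reports "unknown" for components that have no purl instead of failing. The two sample documents are constructed for the demo, not real scan output.

```python
"""Flatten an SPDX-JSON or CycloneDX-JSON SBOM into the (name, version, type)
rows that `mend image --show=bom` prints on the terminal.

Added example, not Mend's code. It assumes the SBOM was exported with
`mend image <image:tag> --format <sbomType-filetype> --filename <file>` and
that the file is JSON; tag-value and XML output are not handled. The two
documents below are constructed for this demo, not real scan output.
"""
import json
import sys
from typing import Dict, Iterator, List, Optional, Tuple

Row = Tuple[str, str, str]  # (name, version, type)

# Constructed minimal SPDX 2.3 JSON document (not real Mend output).
SPDX_SAMPLE: Dict = json.loads("""{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "alpine:3.19",
  "packages": [
    {"SPDXID": "SPDXRef-Package-0", "name": "alpine:3.19", "versionInfo": "3.19"},
    {"SPDXID": "SPDXRef-Package-1", "name": "musl", "versionInfo": "1.2.4-r2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"}]},
    {"SPDXID": "SPDXRef-Package-2", "name": "requests", "versionInfo": "2.31.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.31.0"}]}
  ]
}""")

# Constructed minimal CycloneDX 1.5 JSON document (not real Mend output).
CYCLONEDX_SAMPLE: Dict = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.1.4-r5",
     "purl": "pkg:apk/alpine/openssl@3.1.4-r5"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "vendored-lib", "version": "0.1"}
  ]
}""")


def purl_type(purl: Optional[str]) -> str:
    """Package-manager type encoded in a purl: 'pkg:apk/alpine/musl@1.2' -> 'apk'.

    Components without a purl (e.g. files copied into the image by hand) get
    'unknown' rather than aborting the report.
    """
    if not purl or not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def _spdx_rows(doc: Dict) -> Iterator[Row]:
    # SPDX keeps the purl in externalRefs; the image itself is listed as a
    # package without one and therefore shows up with type 'unknown'.
    for pkg in doc.get("packages", []):
        purl = next((ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        yield (pkg.get("name", ""), pkg.get("versionInfo", ""), purl_type(purl))


def _cyclonedx_rows(doc: Dict) -> Iterator[Row]:
    # CycloneDX carries the purl directly on each component.
    for comp in doc.get("components", []):
        yield (comp.get("name", ""), comp.get("version", ""), purl_type(comp.get("purl")))


def flatten_sbom(doc: Dict) -> List[Row]:
    """Return sorted (name, version, type) rows, detecting the standard from the header."""
    if "spdxVersion" in doc:
        return sorted(_spdx_rows(doc))
    if doc.get("bomFormat") == "CycloneDX":
        return sorted(_cyclonedx_rows(doc))
    raise ValueError("not an SPDX-JSON or CycloneDX-JSON document")


def format_bom(rows: List[Row]) -> str:
    """Render rows as an aligned Name / Version / Type table."""
    header: Row = ("Name", "Version", "Type")
    widths = [max(len(col) for col in column) for column in zip(header, *rows)]
    lines = [header] + rows
    return "\n".join("  ".join(col.ljust(w) for col, w in zip(line, widths)) for line in lines)


if __name__ == "__main__":
    # Usage: python flatten_bom.py <exported-sbom.json>; with no argument, print the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = [json.load(fh)]
    else:
        docs = [SPDX_SAMPLE, CYCLONEDX_SAMPLE]
    for d in docs:
        print(format_bom(flatten_sbom(d)), end="\n\n")
```

Point the script at the file written by --filename to get the same flat view for a stored SBOM; the purl-based type is what lets you tell an OS package (apk, deb, rpm) from an application dependency (pypi, npm) when triaging which components to prioritise.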
Generate your Container Image SBOM from the Mend Platform UI
Navigate to the Reports page
Click +Create to open the report creation wizard
In the report creation wizard:
Select “Container Image SBOM”
Specify the Application and Project(s)
Specify the desired SBOM Standard (SPDX 2.2 / SPDX 2.3 / CycloneDX 1.4 / CycloneDX 1.5).
Specify the desired file format
Click ‘Create’
When the report is ready, download it by selecting 'Download' from the Actions menu.
The report is also added to the list on the main Reports page, where you can download it by clicking the More Options button (vertical ellipsis) at the right edge of the row and then 'Download'.