The Container Image SBOM Report
Overview
The Container Image SBOM Report, accessible via your Mend Platform’s main navigation, provides a clear view of the components within your container images. It identifies open-source dependencies and potential security vulnerabilities.
Use cases for each SBOM standard
The choice between CycloneDX and SPDX depends on your organization's specific needs:
CycloneDX: for a security-centric SBOM that helps in vulnerability management and supply chain security analysis.
SPDX: for a license-centric SBOM that provides comprehensive details necessary for IP compliance and legal auditing.
Getting it done
You can generate the report via the Reports page:

Navigate to the Reports page
Click +Create to open the report creation wizard
In the report creation wizard:
Select “Container Image SBOM”
Specify the Application and Project(s)
Specify the desired SBOM Standard (SPDX 2.2 / SPDX 2.3 / CycloneDX 1.4 / CycloneDX 1.5).
Specify the desired file format
Click ‘Create’
When the report is ready, download it by selecting the ‘Download’ option from the Actions menu.
At this stage, the report is also added to the list of reports on the main Reports page, where you can download it by clicking the More Options button (vertical ellipsis) at the right edge of the screen and then ‘Download’.
Understanding the Container Image SBOM Report
The Container Image SBOM Report provides a comprehensive inventory of the open-source libraries used in a project.
Example of the report in table format:
| Author | BOM Ref | CPE | Licenses | Name | PURL | Type | Version |
|-----------------------|-----------------------------------------------------|--------------------------------------------------------------|-------------------|----------------|-------------------------------------------------------------|----------|----------|
| Django Software Found | pkg:pypi/django@3.2.18?package-id=f713ed25d6e67858 | cpe:2.3:a:django_software_foundation_project:python-Django:3 | MIT | Django | pkg:pypi/Django@3.2.18 | library | 3.2.18 |
| Armin Ronacher <armin.| pkg:pypi/flask@2.2.3?package-id=529cda93d3318ab6 | cpe:2.3:a:palletsprojects:flask:2.2.3:*:*:*:*:*:*:* | BSD-3-Clause | Flask | pkg:pypi/Flask@2.2.3 | library | 2.2.3 |
| Leonard Richardson <le| pkg:pypi/beautifulsoup4@4.11.2?package-id=fe0cbabeb4| cpe:2.3:a:leonard_richardson_project:python-beautifulsoup4:4 | MIT | beautifulsoup4 | pkg:pypi/beautifulsoup4@4.11.2 | library | 4.11.2 |
Example breakdown:
Author: The creator or maintainer of the library.
BOM Ref: A unique identifier for the component within the Bill of Materials (BOM), used to reference the library in the dependency tree.
CPE: The Common Platform Enumeration identifier for the library, used to match the component against vulnerability databases.
Licenses: Name of the license(s) under which the library is distributed.
Name: The name of the library.
PURL: The Package URL that provides the information about the library’s origin and version.
Type: The type of component (for example, library).
Version: The specific version of the library used.
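To make the column definitions concrete, here is an added Python example (not Mend's code or output) that flattens a CycloneDX JSON document into the same eight columns and runs a few consistency checks a consumer would want before using an SBOM for vulnerability matching or license review. The sample document is constructed here: its first three components mirror the rows above, and a fourth component ("requests") is made up to show how a PURL/version mismatch and a missing license are reported; the author strings and the package-id qualifier on that fourth row are placeholders.

```python
"""Flatten a CycloneDX JSON SBOM into the Container Image SBOM Report columns
and run consistency checks on each component. Added example, not Mend code."""
import json
from typing import Any, Dict, List, Optional

# Constructed CycloneDX 1.5 document. The first three components mirror the
# table rows above (CPE omitted where the table truncates it); the fourth is
# constructed to exercise the checks. Not output from the Mend Platform.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "Django", "version": "3.2.18",
         "bom-ref": "pkg:pypi/django@3.2.18?package-id=f713ed25d6e67858",
         "author": "Django Software Foundation", "purl": "pkg:pypi/Django@3.2.18",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "Flask", "version": "2.2.3",
         "bom-ref": "pkg:pypi/flask@2.2.3?package-id=529cda93d3318ab6",
         "author": "Armin Ronacher", "purl": "pkg:pypi/Flask@2.2.3",
         "cpe": "cpe:2.3:a:palletsprojects:flask:2.2.3:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "beautifulsoup4", "version": "4.11.2",
         "bom-ref": "pkg:pypi/beautifulsoup4@4.11.2?package-id=fe0cbabeb4",
         "author": "Leonard Richardson", "purl": "pkg:pypi/beautifulsoup4@4.11.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        # Constructed row: PURL version disagrees with 'version', no license.
        {"type": "library", "name": "requests", "version": "2.28.2",
         "bom-ref": "pkg:pypi/requests@2.28.2?package-id=constructed0001",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

REPORT_COLUMNS = ["Author", "BOM Ref", "CPE", "Licenses", "Name", "PURL", "Type", "Version"]


def purl_version(purl: str) -> Optional[str]:
    """Return the version part of a Package URL, or None if it has none.
    PURL layout: pkg:type/namespace/name@version?qualifiers#subpath"""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" not in core:
        return None
    return core.rsplit("@", 1)[1] or None


def license_text(component: Dict[str, Any]) -> str:
    """Join a component's licenses as the Licenses column shows them.
    CycloneDX allows a 'license' object (id or name) or an SPDX 'expression'."""
    parts = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            parts.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            parts.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ", ".join(parts)


def component_row(component: Dict[str, Any]) -> Dict[str, str]:
    """Flatten one component into the report's eight columns.
    Optional fields (author, cpe, purl) become empty strings, not errors."""
    return {
        "Author": component.get("author", ""),
        "BOM Ref": component.get("bom-ref", ""),
        "CPE": component.get("cpe", ""),
        "Licenses": license_text(component),
        "Name": component.get("name", ""),
        "PURL": component.get("purl", ""),
        "Type": component.get("type", ""),
        "Version": component.get("version", ""),
    }


def check_component(component: Dict[str, Any]) -> List[str]:
    """Checks worth running before trusting a row for vulnerability matching
    or license review; returns human-readable findings."""
    findings: List[str] = []
    name = component.get("name", "<unnamed>")
    if not component.get("bom-ref"):
        findings.append(f"{name}: missing bom-ref")
    purl = component.get("purl")
    if not purl:
        findings.append(f"{name}: missing purl, cannot match advisories by package URL")
    else:
        pv = purl_version(purl)
        if pv != component.get("version"):
            findings.append(f"{name}: purl version {pv!r} != component version {component.get('version')!r}")
    if not component.get("licenses"):
        findings.append(f"{name}: no license declared")
    return findings


def build_report(sbom_json: str) -> Dict[str, Any]:
    """Parse a CycloneDX JSON document into table rows plus findings."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"expected a CycloneDX document, got {doc.get('bomFormat')!r}")
    components = doc.get("components", [])
    findings: List[str] = []
    for c in components:
        findings.extend(check_component(c))
    # Duplicate bom-refs break the dependency graph's references inside the BOM.
    refs = [c.get("bom-ref") for c in components if c.get("bom-ref")]
    findings.extend(f"duplicate bom-ref: {r}" for r in sorted(set(refs)) if refs.count(r) > 1)
    return {"specVersion": doc.get("specVersion"),
            "rows": [component_row(c) for c in components], "findings": findings}


if __name__ == "__main__":
    report = build_report(SAMPLE_SBOM)
    print(" | ".join(REPORT_COLUMNS))
    for row in report["rows"]:
        print(" | ".join(row[col] for col in REPORT_COLUMNS))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against a real CycloneDX export of this report, the same functions produce the table rows and flag any component whose PURL disagrees with its declared version or that carries no license, which is exactly where vulnerability matching and IP review tend to go wrong.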