
The Container Image SBOM Report

Overview

The Container Image SBOM Report, accessible via your Mend Platform’s main navigation, provides a clear view of the components within your container images. It identifies open-source dependencies and potential security vulnerabilities.

Use cases for each SBOM standard

The choice between CycloneDX and SPDX depends on who will consume the SBOM. Both standards describe the same component inventory; they differ in emphasis and in the tooling that expects them:

  • CycloneDX: a security-centric SBOM suited to vulnerability management and supply-chain analysis. It carries the PURL and CPE identifiers used for advisory matching directly on each component.

  • SPDX: a license-centric SBOM suited to IP compliance and legal auditing. It records comprehensive per-package license information (declared and concluded licenses) in the form legal review tooling expects.

Getting it done

You can generate the report via the Reports page.

  1. Click the Reports button located in the top bar of the Mend Platform user interface.
  2. Click the Create button at the top-right edge of the Reports page.
  3. Select Container Image SBOM from the drop-down list of the Create Report wizard.
  4. Scope - Define the report's scope by specifying the application. You can narrow the scope further by selecting one or more projects within that application.
  5. Configuration - Specify the SBOM Standard and Format:
    a. CycloneDX 1.4 or 1.5, as JSON or XML.
    b. SPDX 2.2 or 2.3, as JSON, XML, YAML or TV (tag-value).
  6. Click Create.

Understanding the Container Image SBOM Report

The Container Image SBOM Report provides a comprehensive inventory of the open-source components detected in the container images within the selected scope, with the identifiers and license data needed for vulnerability matching and license review.

Example of the report in table format:

| Author                | BOM Ref                                             | CPE                                                          | Licenses          | Name           | PURL                                                        | Type     | Version  |
|-----------------------|-----------------------------------------------------|--------------------------------------------------------------|-------------------|----------------|-------------------------------------------------------------|----------|----------|
| Django Software Found | pkg:pypi/django@3.2.18?package-id=f713ed25d6e67858  | cpe:2.3:a:django_software_foundation_project:python-Django:3 | MIT               | Django         | pkg:pypi/Django@3.2.18                                      | library  | 3.2.18   |
| Armin Ronacher <armin.| pkg:pypi/flask@2.2.3?package-id=529cda93d3318ab6    | cpe:2.3:a:palletsprojects:flask:2.2.3:*:*:*:*:*:*:*          | BSD-3-Clause      | Flask          | pkg:pypi/Flask@2.2.3                                        | library  | 2.2.3    |
| Leonard Richardson <le| pkg:pypi/beautifulsoup4@4.11.2?package-id=fe0cbabeb4| cpe:2.3:a:leonard_richardson_project:python-beautifulsoup4:4 | MIT               | beautifulsoup4 | pkg:pypi/beautifulsoup4@4.11.2                              | library  | 4.11.2   |

Example breakdown:

  • Author: The creator or maintainer of the library, as declared in the package metadata.

  • BOM Ref: The identifier that is unique to this component within the Bill Of Materials (BOM). Other parts of the SBOM, such as the dependency graph, refer to the component by this value.

  • CPE: The Common Platform Enumeration identifier of the component, used to match it against vulnerability databases such as the NVD.

  • Licenses: The license(s) under which the library is distributed, typically as SPDX license identifiers (MIT, BSD-3-Clause).

  • Name: The name of the library.

  • PURL: The Package URL, which identifies the package ecosystem (for example pkg:pypi), the package name and the version, and is the primary key used for vulnerability matching.

  • Type: The type of component. The example shows library; CycloneDX also distinguishes application, framework, operating-system, container and other component types.

  • Version: The specific version of the library used.
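The following script is an added example and is not part of the Mend documentation or product. It loads a constructed CycloneDX 1.5 JSON document and a constructed SPDX 2.3 JSON document (neither is a real report export; the package-id values and the full Django and beautifulsoup4 CPE strings are illustrative), normalizes both into the column layout of the table above, and runs the checks a practitioner applies before relying on an SBOM for vulnerability matching: unique references, a PURL or CPE on every component, and a recorded license. It also makes the difference between the two standards described earlier concrete by showing where each one keeps the same data.

```python
"""Added example (not Mend code): normalize a CycloneDX 1.5 JSON SBOM and an
SPDX 2.3 JSON SBOM into the column layout of the report table, then run the
checks a reviewer applies before using the inventory for advisory matching."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:  # one table row; field order matches the report columns
    author: str
    bom_ref: str
    cpe: str
    licenses: str
    name: str
    purl: str
    type: str
    version: str


# Constructed CycloneDX 1.5 document mirroring the first two table rows
# (package-id values and the full Django CPE are illustrative, not real exports).
CYCLONEDX_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [
    {"type": "library", "bom-ref": "pkg:pypi/django@3.2.18?package-id=f713ed25d6e67858",
     "author": "Django Software Foundation", "name": "Django", "version": "3.2.18",
     "cpe": "cpe:2.3:a:django_software_foundation_project:python-Django:3.2.18:*:*:*:*:*:*:*",
     "purl": "pkg:pypi/Django@3.2.18", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/flask@2.2.3?package-id=529cda93d3318ab6",
     "author": "Armin Ronacher", "name": "Flask", "version": "2.2.3",
     "cpe": "cpe:2.3:a:palletsprojects:flask:2.2.3:*:*:*:*:*:*:*",
     "purl": "pkg:pypi/Flask@2.2.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]}]})

# Constructed SPDX 2.3 document: the third table row plus a deliberately
# incomplete package with no PURL, no CPE and no concluded license.
SPDX_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image", "packages": [
    {"SPDXID": "SPDXRef-Package-beautifulsoup4", "name": "beautifulsoup4", "versionInfo": "4.11.2",
     "originator": "Person: Leonard Richardson", "licenseConcluded": "MIT", "primaryPackagePurpose": "LIBRARY",
     "externalRefs": [
         {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
          "referenceLocator": "pkg:pypi/beautifulsoup4@4.11.2"},
         {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:leonard_richardson_project:python-beautifulsoup4:4.11.2:*:*:*:*:*:*:*"}]},
    {"SPDXID": "SPDXRef-Package-unknown-lib", "name": "unknown-lib", "versionInfo": "0.1",
     "licenseConcluded": "NOASSERTION", "primaryPackagePurpose": "LIBRARY", "externalRefs": []}]})


def rows_from_cyclonedx(doc: dict) -> list[Row]:
    """CycloneDX keeps every field on the component object; a license entry is
    either {"license": {"id" | "name": ...}} or {"expression": "..."}."""
    rows = []
    for c in doc.get("components", []):
        ids = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or entry.get("expression", ""))
        rows.append(Row(author=c.get("author", ""), bom_ref=c.get("bom-ref", ""),
                        cpe=c.get("cpe", ""), licenses=", ".join(i for i in ids if i),
                        name=c["name"], purl=c.get("purl", ""),
                        type=c.get("type", ""), version=c.get("version", "")))
    return rows


def rows_from_spdx(doc: dict) -> list[Row]:
    """SPDX puts PURL and CPE into externalRefs, prefixes the author with
    'Person:' or 'Organization:', and uses NOASSERTION for 'no license concluded'."""
    rows = []
    for p in doc.get("packages", []):
        purl = cpe = ""
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator", "")
            elif ref.get("referenceType") == "cpe23Type":
                cpe = ref.get("referenceLocator", "")
        originator = p.get("originator", "")
        author = originator.split(":", 1)[1].strip() if ":" in originator else originator
        lic = p.get("licenseConcluded") or p.get("licenseDeclared") or ""
        rows.append(Row(author=author, bom_ref=p.get("SPDXID", ""), cpe=cpe,
                        licenses="" if lic == "NOASSERTION" else lic, name=p["name"], purl=purl,
                        type=p.get("primaryPackagePurpose", "").lower(),
                        version=p.get("versionInfo", "")))
    return rows


def load_rows(raw: str) -> list[Row]:
    """Detect the standard from the document itself and dispatch."""
    doc = json.loads(raw)
    if doc.get("bomFormat") == "CycloneDX":
        return rows_from_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return rows_from_spdx(doc)
    raise ValueError("not a CycloneDX or SPDX JSON document")


def check_rows(rows: list[Row]) -> list[str]:
    """Findings that make the inventory unusable for advisory matching or license
    review; an empty list means the SBOM passes."""
    findings, seen = [], set()
    for r in rows:
        if r.bom_ref in seen:
            findings.append(f"duplicate ref {r.bom_ref}")
        seen.add(r.bom_ref)
        if not r.purl and not r.cpe:
            findings.append(f"{r.name}@{r.version}: no PURL or CPE, cannot be matched against advisories")
        if not r.licenses:
            findings.append(f"{r.name}@{r.version}: no license recorded")
    return findings


if __name__ == "__main__":
    for label, raw in (("CycloneDX", CYCLONEDX_JSON), ("SPDX", SPDX_JSON)):
        rows = load_rows(raw)
        print(f"== {label}: {len(rows)} components ==")
        for r in rows:
            print(f"  {r.name} {r.version}  purl={r.purl or '-'}  cpe={r.cpe or '-'}  license={r.licenses or '-'}")
        for f in check_rows(rows):
            print("  FINDING:", f)
```

Run it directly to print both inventories and the findings for the deliberately incomplete SPDX package, or pass the text of a real export to load_rows() to check it. The CPE and PURL columns are where the two formats differ most: CycloneDX stores them on the component, SPDX as external references, and a component that has neither cannot be matched against advisories, which is the first thing to verify on any SBOM you did not generate yourself.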
