The Container Image SBOM Report

Overview

The Container Image SBOM Report, accessible via your Mend Platform’s main navigation, provides a clear view of the components within your container images. It identifies open-source dependencies and potential security vulnerabilities.

Use cases for each SBOM standard

The choice between CycloneDX and SPDX depends on your organization's specific needs:

• CycloneDX: for a security-centric SBOM that helps in vulnerability management and supply chain security analysis.

• SPDX: for a license-centric SBOM that provides comprehensive details necessary for IP compliance and legal auditing.

Getting it done

You can generate the report via the Reports page:

1. Navigate to the Reports page

2. Create +Create to open the report creation wizard

   

In the report creation wizard:

1. Select “Container Image SBOM”

2. Specify the Application and Project(s)

   

3. Specify the desired SBOM Standard (SPDX 2.2 / SPDX 2.3 / CycloneDX 1.4 / CycloneDX 1.5).

   

4. Specify the desired file format

5. Click ‘Create’

   

When the report is ready, download it by selecting the ‘Download’ option from the Actions menu, as depicted below.

Download

At this stage, the report will be added to the list of reports in the main Reports page, allowing you to download it by clicking the More Options button (vertical ellipsis) at the right edge of the screen and then ‘Download’:

Understanding the Container Image SBOM Report

The Container Image SBOM Report provides a comprehensive inventory of the open-source libraries used in a project.

Example of the report in table format:

| Author                | BOM Ref                                             | CPE                                                          | Licenses          | Name           | PURL                                                        | Type     | Version  |
|-----------------------|-----------------------------------------------------|--------------------------------------------------------------|-------------------|----------------|-------------------------------------------------------------|----------|----------|
| Django Software Found | pkg:pypi/django@3.2.18?package-id=f713ed25d6e67858  | cpe:2.3:a:django_software_foundation_project:python-Django:3 | MIT               | Django         | pkg:pypi/Django@3.2.18                                      | library  | 3.2.18   |
| Armin Ronacher <armin.| pkg:pypi/flask@2.2.3?package-id=529cda93d3318ab6    | cpe:2.3:a:palletsprojects:flask:2.2.3:*:*:*:*:*:*:*          | BSD-3-Clause      | Flask          | pkg:pypi/Flask@2.2.3                                        | library  | 2.2.3    |
| Leonard Richardson <le| pkg:pypi/beautifulsoup4@4.11.2?package-id=fe0cbabeb4| cpe:2.3:a:leonard_richardson_project:python-beautifulsoup4:4 | MIT               | beautifulsoup4 | pkg:pypi/beautifulsoup4@4.11.2                              | library  | 4.11.2   |

Example breakdown:

• Author: The creator or maintainer of the library.

• BOM Ref: A unique identifier for the Bill Of Materials (BOM) reference, detailing the library in the dependency tree.

• License: Name of the license under which the library is distributed.

• Name: The name of the library.

• PURL: The Package URL that provides the information about the library’s origin and version.

• Type: The type of component.

• Version: The specific version of the library used.