The Dependencies SBOM Report
Overview
The Mend Platform lets you generate and export a Software Bill of Materials (SBOM) report that lists the libraries, code packages, and other third-party components used in your application.
Getting it done
Create a Dependencies SBOM report in the Mend Platform
From the Mend Platform menu bar, select Reports > Create > Dependencies SBOM Export.
This will lead you to the Dependencies SBOM report screen, where you are asked to specify the following details:
The application/project(s) for which to create an SBOM report.
The desired SBOM standard (SPDX 2.2 / SPDX 2.3 / CycloneDX 1.4 / CycloneDX 1.5).
The desired report file format.
The “Include Vulnerabilities in this report” checkbox, which lets you include or exclude vulnerabilities from the report.
Click the ‘Create’ button to generate the selected report.
The report is generated asynchronously; once it is ready, it is listed on the main Reports page.
Download
At this stage, the report is added to the list of reports on the main Reports page. To download it, click the More Options button (vertical ellipsis) at the right edge of the screen and then ‘Download’.
Create a Project out of a Dependencies SBOM Report file
You can upload a previously downloaded Dependencies SBOM report to the Mend Platform to create a new project.
Information on how to accomplish this can be found here.
Reference
Supported Standards and File Formats
Mend offers the following SBOM Standards in the supported formats:
SPDX 2.2 / SPDX 2.3:
JSON
XML
YAML
EXCEL
TV (SPDX tag-value)
CycloneDX 1.4* / CycloneDX 1.5*:
JSON
XML
* CycloneDX reports include embedded Vulnerability Exploitability eXchange (VEX) data
Mend SBOM Reports Include PURL data
A purl (short for package URL) is a format used to describe and identify software packages in a standardized way. It provides a uniform structure for specifying package metadata, making it easier to manage and reference software packages across different repositories, platforms, and tools. For example, the purl data for the Maven package oro-2.0.8.jar looks like this in Mend's SBOM report:
"externalRefs" : [ {
"referenceCategory" : "PACKAGE-MANAGER",
"referenceLocator" : "pkg:maven/oro/oro@2.0.8?type=jar",
"referenceType" : "purl"
} ]
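As an added example (not Mend's code, and not part of the original page), the script below reads an SPDX 2.x JSON SBOM shaped like the fragment above, pulls the purl out of each package's externalRefs, decomposes it into type, namespace, name, version and qualifiers, and runs two consumer-side checks: which packages carry no purl at all (and so cannot be matched against advisories by identifier), and where the purl version disagrees with the package's versionInfo. The SPDX document, package names and versions are constructed for the example; the parsing order follows the purl specification.

```python
"""Extract and check purl identifiers in an SPDX 2.x JSON SBOM (added example)."""
import json
from urllib.parse import unquote

# Constructed sample: a minimal SPDX 2.3 JSON document shaped like the
# externalRefs fragment above. Packages, versions and purls are made up
# for the example; this is not a real Mend export.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"name": "oro", "SPDXID": "SPDXRef-Package-oro", "versionInfo": "2.0.8",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceLocator": "pkg:maven/oro/oro@2.0.8?type=jar",
                           "referenceType": "purl"}]},
        {"name": "core", "SPDXID": "SPDXRef-Package-angular-core", "versionInfo": "12.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceLocator": "pkg:npm/%40angular/core@12.0.0",
                           "referenceType": "purl"}]},
        # versionInfo and purl version deliberately disagree here.
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests", "versionInfo": "2.31.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceLocator": "pkg:pypi/requests@2.31.0",
                           "referenceType": "purl"}]},
        # A vendored component with no externalRefs: nothing ties it to a
        # package registry, so tooling cannot match it to advisories by purl.
        {"name": "vendored-helper", "SPDXID": "SPDXRef-Package-vendored", "versionInfo": "0.1"},
    ],
})


def load_sample():
    """Parse the constructed SPDX document."""
    return json.loads(SAMPLE_SPDX_JSON)


def _split_right(s, sep):
    """Split s once from the right on sep; empty tail when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl):
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath into a dict.

    Parts are split from the right in the order the purl spec prescribes
    (subpath, qualifiers, version). Namespace segments must be percent-encoded
    in a purl ('@' as '%40'); they are decoded here.
    """
    if not purl.lower().startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, subpath = _split_right(rest, "#")
    rest, query = _split_right(rest, "?")
    rest, version = _split_right(rest, "@")
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def extract_purls(spdx_doc):
    """Map each package SPDXID to its parsed purl (externalRefs of type 'purl')."""
    found = {}
    for pkg in spdx_doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                found[pkg["SPDXID"]] = parse_purl(ref["referenceLocator"])
    return found


def packages_without_purl(spdx_doc):
    """Names of packages that carry no purl and so cannot be matched to a registry."""
    found = extract_purls(spdx_doc)
    return [p["name"] for p in spdx_doc.get("packages", []) if p["SPDXID"] not in found]


def version_mismatches(spdx_doc):
    """(SPDXID, versionInfo, purl version) triples where the two disagree."""
    found = extract_purls(spdx_doc)
    return [(p["SPDXID"], p.get("versionInfo"), found[p["SPDXID"]]["version"])
            for p in spdx_doc.get("packages", [])
            if p["SPDXID"] in found and found[p["SPDXID"]]["version"] != p.get("versionInfo")]


if __name__ == "__main__":
    doc = load_sample()
    for spdx_id, purl in extract_purls(doc).items():
        print(spdx_id, purl["type"], purl["namespace"], purl["name"], purl["version"])
    print("no purl:", packages_without_purl(doc))
    print("version mismatches:", version_mismatches(doc))
```

Both checks matter when an SBOM is consumed downstream: a package without a purl is invisible to purl-keyed vulnerability lookups, and a version mismatch means one of the two fields was generated from stale data and the match may be against the wrong release.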
VEX Data in the CycloneDX Dependencies SBOM report
Status Mapping
Finding Status | Additional Considerations / Comments | VEX Example |
---|---|---|
Open Finding | The code is reachable. If a fix is available, | CODE |
Open Finding | A Jira issue was created for this finding | CODE |
 | The code is unreachable | CODE |
Suppressed Finding + “Not Affected” status | The code is reachable or no reachability information is available | CODE |
Suppressed Finding + “Acceptable risk” status or “No time to fix” or “Other” | If fix is available add | CODE |
Suppressed Finding + “No available fix” status | | CODE |
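The VEX example cells in the table above are not present in this copy of the page, so the following is an added example (not Mend's code, and not a reproduction of Mend's exact status mapping) of how a consumer reads the `analysis` block that CycloneDX 1.4 and 1.5 use to carry VEX status alongside each entry in the `vulnerabilities` array. The BOM, component references and vulnerability identifiers are constructed placeholders; the `state`, `justification` and `response` values are the ones CycloneDX defines. The checks it runs mirror the rows above: which findings still need action, which have a fix available, and which were suppressed as not affected without a recorded justification.

```python
"""Read the VEX analysis embedded in a CycloneDX 1.4/1.5 JSON BOM (added example)."""
import json

# Constructed sample: a minimal CycloneDX 1.5 BOM whose "vulnerabilities"
# array carries VEX data. Component and vulnerability identifiers are
# placeholders made up for this example; this is not a Mend export.
SAMPLE_CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/oro/oro@2.0.8?type=jar",
         "name": "oro", "version": "2.0.8"},
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.0.0",
         "name": "example-lib", "version": "1.0.0"},
    ],
    "vulnerabilities": [
        # Open finding: reachable code and an upgrade available.
        {"id": "EXAMPLE-VULN-1",
         "affects": [{"ref": "pkg:maven/oro/oro@2.0.8?type=jar"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        # Suppressed as not affected because the vulnerable code is unreachable.
        {"id": "EXAMPLE-VULN-2",
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "vulnerable function is never called"}},
        # Still under review.
        {"id": "EXAMPLE-VULN-3",
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
         "analysis": {"state": "in_triage"}},
        # No analysis block at all.
        {"id": "EXAMPLE-VULN-4",
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}]},
        # Suppressed without saying why.
        {"id": "EXAMPLE-VULN-5",
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
         "analysis": {"state": "not_affected"}},
    ],
})

# CycloneDX analysis states after which no further action is required.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_sample():
    """Parse the constructed BOM."""
    return json.loads(SAMPLE_CYCLONEDX_JSON)


def component_names(bom):
    """Map bom-ref to component name so reports read as names, not purls."""
    return {c["bom-ref"]: c["name"] for c in bom.get("components", []) if "bom-ref" in c}


def vex_rows(bom):
    """Flatten each (vulnerability, affected component) pair with its VEX analysis."""
    names = component_names(bom)
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for affected in vuln.get("affects", []):
            rows.append({
                "id": vuln["id"],
                "component": names.get(affected["ref"], affected["ref"]),
                "state": analysis.get("state"),
                "justification": analysis.get("justification"),
                "response": analysis.get("response", []),
            })
    return rows


def needs_action(bom):
    """IDs still requiring work: any state that is not a closed state.
    A missing analysis block counts as open, never as silently accepted."""
    return sorted({r["id"] for r in vex_rows(bom) if r["state"] not in CLOSED_STATES})


def fix_available(bom):
    """IDs whose recorded response includes an upgrade ('update')."""
    return sorted({r["id"] for r in vex_rows(bom) if "update" in r["response"]})


def suppressed_without_justification(bom):
    """not_affected entries with no justification: a reviewer cannot tell why
    the finding was suppressed, so flag them for follow-up."""
    return sorted({r["id"] for r in vex_rows(bom)
                   if r["state"] == "not_affected" and not r["justification"]})


if __name__ == "__main__":
    bom = load_sample()
    for row in vex_rows(bom):
        print(row["id"], row["component"], row["state"], row["justification"], row["response"])
    print("needs action:", needs_action(bom))
    print("fix available:", fix_available(bom))
    print("suppressed without justification:", suppressed_without_justification(bom))
```

Treating a missing `analysis` block as open is the conservative reading: an entry with no VEX status has not been triaged, and a downstream pipeline that quietly skips it would lose a finding that the report itself still considers unresolved.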