
Update a Project using an SBOM Import

Overview

Mend.io lets you import an SBOM file to update the inventory of an existing project in the Mend.io AppSec Platform.

An SBOM report lists the libraries, code packages, and other third-party components that are used in your project.

Once imported, licensing and vulnerability data will be associated with your project’s dependencies, like any other project scanned into the application. Projects created via SBOM imports will be regularly monitored for new vulnerabilities and updates, like any other project in the Mend Platform.

Prerequisites

Mend.io accepts SBOM files that conform to the following standards and file formats:

The supported SBOM standards are CycloneDX (versions 1.4, 1.5) and SPDX (versions 2.2, 2.3).

The supported formats are JSON and XML.

Getting it done

Upload an SBOM File to Update your Project via the Mend Platform UI

To import an SBOM report, you will need to upload an SBOM file to the Mend Platform. Here’s how to do it:

  1. Navigate to the Administration page using the cogwheel button at the upper-right corner of the UI.

  2. In the Administration page, select Projects and then click the Actions button of the desired project.

  3. Select Update Dependencies.

  4. Use drag and drop, or browse your file system for the desired SBOM file, and click OK to upload it.

Limitations

  1. Source libraries in SBOM Export files generated by Mend.io are ignored.

  2. No vulnerability/VEX data in the SBOM file gets imported, so any analysis statements it carries (for example, a "not affected" status for a given vulnerability) are not carried over. Vulnerability information in the newly created/updated project is based on the Mend.io database.

  3. No licensing data in the SBOM file gets imported. Licensing information in the newly created/updated project is based on the Mend.io database.

  4. Keyword support limitations:

    • For SPDX, Mend.io supports only the relationship types below; relationships of any other type are not supported:

      CODE
      "DEPENDS_ON",
      "DYNAMIC_LINK",
      "STATIC_LINK",
      "CONTAINS",
      "DESCRIBES"
    • For CycloneDX, Mend.io supports the "dependsOn" property of a "dependencies" entry. Example:

      CODE
      {
        "ref": "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar",
        "dependsOn": [ "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar" ]
      }
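The prerequisites and limitations above are easy to check before you upload. The script below is an added example, not Mend.io code and not part of this page's original content: it reads a CycloneDX or SPDX JSON file, verifies the spec version against the supported list, warns when the CycloneDX "dependencies" / "dependsOn" tree is missing or points at an unknown component, flags SPDX relationship types outside the supported set (spelled DESCRIBES here, the SPDX 2.x form of the relationship), and reports a CycloneDX "vulnerabilities" section, which the import ignores. The two sample SBOMs inside it are constructed for the example; the JSON field names follow the public CycloneDX and SPDX 2.x schemas, and the finding messages are this example's own wording.

```python
"""Pre-upload checks for an SBOM destined for a Mend.io SBOM import.

Added example, not Mend.io code. Checks only what this page says the import
cares about: spec version, and which dependency keywords are honoured.
"""
import json

# Supported spec versions and keywords, as stated on this page.
CYCLONEDX_VERSIONS = {"1.4", "1.5"}
SPDX_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}
SPDX_SUPPORTED_RELATIONSHIPS = {
    "DEPENDS_ON", "DYNAMIC_LINK", "STATIC_LINK", "CONTAINS", "DESCRIBES",
}


def check_cyclonedx(doc):
    """Findings for a CycloneDX JSON document (list of strings, empty if clean)."""
    findings = []
    version = doc.get("specVersion")
    if version not in CYCLONEDX_VERSIONS:
        findings.append(f"unsupported CycloneDX specVersion: {version!r}")
    refs = {c.get("bom-ref") for c in doc.get("components", [])}
    deps = doc.get("dependencies", [])
    if not deps:
        findings.append("no 'dependencies' entries: only a flat component list will import")
    for entry in deps:
        for target in entry.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependsOn target has no component: {target}")
    if doc.get("vulnerabilities"):
        findings.append("'vulnerabilities' (VEX) section present; it is ignored on import")
    return findings


def check_spdx(doc):
    """Findings for an SPDX 2.x JSON document."""
    findings = []
    version = doc.get("spdxVersion")
    if version not in SPDX_VERSIONS:
        findings.append(f"unsupported spdxVersion: {version!r}")
    # Every element a relationship may legitimately point at.
    ids = {doc.get("SPDXID"), "NOASSERTION", "NONE"}
    ids |= {p.get("SPDXID") for p in doc.get("packages", [])}
    ids |= {f.get("SPDXID") for f in doc.get("files", [])}
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype not in SPDX_SUPPORTED_RELATIONSHIPS:
            findings.append(f"relationship type ignored on import: {rtype}")
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in ids:
                findings.append(f"{rtype} references unknown element: {rel.get(key)}")
    return findings


def check_sbom(text):
    """Detect the format from the JSON body and return (format, findings)."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", check_cyclonedx(doc)
    if "spdxVersion" in doc:
        return "SPDX", check_spdx(doc)
    return None, ["not a CycloneDX or SPDX JSON document"]


# Constructed sample inputs for this example (not real project SBOMs).
ML_REF = "pkg:maven/com.google.apis/google-api-services-ml@v1-rev20210212-1.31.0?type=jar"
CLIENT_REF = "pkg:maven/com.google.api-client/google-api-client@1.31.1?type=jar"

SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": ML_REF, "name": "google-api-services-ml",
         "version": "v1-rev20210212-1.31.0", "purl": ML_REF},
        {"type": "library", "bom-ref": CLIENT_REF, "name": "google-api-client",
         "version": "1.31.1", "purl": CLIENT_REF},
    ],
    "dependencies": [{"ref": ML_REF, "dependsOn": [CLIENT_REF]}],
    # Present only so the VEX finding fires; no real vulnerability is named.
    "vulnerabilities": [{"description": "constructed placeholder"}],
})

SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-example",
    "packages": [
        {"SPDXID": "SPDXRef-ml", "name": "google-api-services-ml"},
        {"SPDXID": "SPDXRef-client", "name": "google-api-client"},
        {"SPDXID": "SPDXRef-junit", "name": "junit"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-ml"},
        {"spdxElementId": "SPDXRef-ml", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-client"},
        # A valid SPDX type, but outside the supported set, so it is flagged.
        {"spdxElementId": "SPDXRef-junit", "relationshipType": "DEV_DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-ml"},
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_CYCLONEDX, SAMPLE_SPDX):
        fmt, findings = check_sbom(sample)
        print(fmt, findings or "no findings")
```

Run it against a real export by replacing the samples with the file contents; a non-empty findings list means the uploaded project will differ from what the SBOM describes (a flattened tree, missing edges, or dropped relationship types), not that the upload will fail.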