SBOM Analysis and Vulnerability Reporting
You can create SBOM projects, upload your SBOM files and view vulnerabilities affecting any component or dependency included in the SBOM.
This feature is available to enterprise plan customers only.
SBOM Vulnerability Analysis
Since SBOM files typically contain hundreds of components and dependencies, analysis is performed in a separate background process. Analysis can be run on demand or periodically: every day, every 7 days or every 30 days.
On-demand analysis can be requested only once per day per project. Analysis may take several minutes or longer depending on the number of components and dependencies included in the project. Users can be notified by email when analysis is completed.
Analysis results include CVEs and other items such as GitHub advisories for issues without a CVE. When both a CVE and another type of record, e.g. a GitHub advisory, are available for an issue, only the CVE is included in the results.
Supported SBOM formats and features
- JSON and XML files in CycloneDX format are supported at the moment. Support for the SPDX format will be added in the future.
- purl and CPE identifiers are supported. SWID identifiers are not supported at the moment.
- When a component carries both a purl and a CPE identifier, the purl value is used and the CPE is ignored, because purl values are more consistent.
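The identifier precedence described above (purl preferred, CPE as fallback, SWID-only components left unmatched) applied to a constructed CycloneDX 1.4 SBOM, as an added example that is not part of this page or its product; the namespace URL and sample components are assumptions of the example:

```python
"""Select lookup identifiers from a CycloneDX SBOM: purl wins over CPE,
SWID-only components are reported as unmatched (rule stated on the page)."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: a CycloneDX 1.4 JSON SBOM with mixed identifier types.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "cpe": "cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
        {"type": "library", "name": "legacy-lib", "version": "0.9",
         "swid": {"tagId": "example.legacy-lib-0.9", "name": "legacy-lib"}},
    ],
})

def pick_identifier(component):
    """Return (kind, value) for one component, or None if it has no
    supported identifier. purl is preferred; CPE is used only without a purl."""
    if component.get("purl"):
        return ("purl", component["purl"])
    if component.get("cpe"):
        return ("cpe", component["cpe"])
    return None  # SWID-only or unidentified: cannot be matched to advisories

def identifiers_from_json(text):
    """Map 'name@version' -> chosen identifier for a JSON-serialised BOM."""
    bom = json.loads(text)
    return {f"{c['name']}@{c.get('version', '')}": pick_identifier(c)
            for c in bom.get("components", [])}

def identifiers_from_xml(text):
    """Same rule for the XML serialisation (assumes the 1.4 namespace)."""
    ns = {"b": "http://cyclonedx.org/schema/bom/1.4"}
    root = ET.fromstring(text)
    out = {}
    for comp in root.iterfind(".//b:components/b:component", ns):
        fields = {tag: comp.findtext(f"b:{tag}", default=None, namespaces=ns)
                  for tag in ("name", "version", "purl", "cpe")}
        out[f"{fields['name']}@{fields['version'] or ''}"] = pick_identifier(fields)
    return out

def unmatched_components(identifiers):
    """Names of components that no analysis could look up (no purl, no CPE)."""
    return sorted(name for name, ident in identifiers.items() if ident is None)
```

Reviewing the unmatched list before uploading tells you which components will silently receive no findings.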
Planned features
- PDF reports
- Comparisons between analysis runs, e.g. new dependencies introduced between two analysis runs
- Dependency graphs