SBOM Report

The SBOM (Software Bill of Materials) report provides the following for the selected bucket: supplier information, the SBOM author, the timestamp of when the SBOM was generated, and the set of SBOM parts and their details. The details for each SBOM part include its associated component and versions, associated licenses, package URL (PURL), associated files (if available), and its relationship (if defined) with another SBOM part in the bucket.

The report is available in both machine-readable formats (CycloneDX and SPDX) and human-readable formats (Excel and HTML).

SBOM Report in CycloneDX Format
SBOM Report in SPDX Format
SBOM Report in Excel and HTML Formats

SBOM Report in CycloneDX Format

The following is an excerpt from an example SBOM report in CycloneDX format (.xml).

The SBOM - CycloneDX report option also automatically generates VDR and VEX versions of the report in XML (.xml) format.

CycloneDX VDR

The CycloneDX VDR (Vulnerability Disclosure Report) provides details for all security vulnerabilities (including vulnerability exclusions) associated with SBOM parts in the bucket. The report is organized by vulnerability and, for a given vulnerability, identifies the parts with which the vulnerability is associated (along with other details). The following shows an excerpt from an example VDR.

The CycloneDX VEX Report provides additional details about each vulnerability exclusion.

CycloneDX VEX Report

The CycloneDX VEX (Vulnerability Exploitability eXchange) report provides details for vulnerability exclusions—that is, those vulnerabilities that are associated with SBOM parts but, after your analysis, do not pose a security threat to your application code. Each exclusion listed in the report identifies the SBOM part with which the vulnerability is associated and includes an analysis section describing why the vulnerability is not an exploit risk, based on the context in which the part is used in the code.

The following is an excerpt from an example VEX report. The analysis section is highlighted in red.
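As an added illustration (not the product's own code or output), the following Python reads a CycloneDX 1.4 VEX document of the kind described in the VDR and VEX sections above, joins each vulnerability to the SBOM part it affects through its bom-ref, and separates exclusions from findings that are still open; it also flags exclusions that carry no justification, which a reviewer should not accept at face value. The XML sample, its CVE ids and its package name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"cdx": "http://cyclonedx.org/schema/bom/1.4"}  # CycloneDX 1.4 XML namespace
EXCLUDED = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
# Constructed sample VEX: the CVE ids and the package are placeholders, not real findings.
SAMPLE_VEX = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<components><component type="library" bom-ref="pkg:maven/example/parser@2.1.0">
  <name>parser</name><version>2.1.0</version><purl>pkg:maven/example/parser@2.1.0</purl>
</component></components>
<vulnerabilities>
  <vulnerability><id>CVE-0000-EXAMPLE1</id>
    <analysis><state>not_affected</state><justification>code_not_reachable</justification>
      <detail>Entity-expansion code path is never invoked; only the tokenizer API is used.</detail></analysis>
    <affects><target><ref>pkg:maven/example/parser@2.1.0</ref></target></affects></vulnerability>
  <vulnerability><id>CVE-0000-EXAMPLE2</id><analysis><state>not_affected</state></analysis>
    <affects><target><ref>pkg:maven/example/parser@2.1.0</ref></target></affects></vulnerability>
  <vulnerability><id>CVE-0000-EXAMPLE3</id><affects><target><ref>pkg:maven/example/parser@2.1.0</ref></target></affects></vulnerability>
</vulnerabilities></bom>"""

def parse_vex(xml_text):
    """One dict per vulnerability, joined to the SBOM part(s) it affects via bom-ref."""
    root = ET.fromstring(xml_text)
    parts = {c.get("bom-ref"): f"{c.findtext('cdx:name', namespaces=NS)}@{c.findtext('cdx:version', namespaces=NS)}"
             for c in root.findall("cdx:components/cdx:component", NS)}
    records = []
    for v in root.findall("cdx:vulnerabilities/cdx:vulnerability", NS):
        # A vulnerability with no <analysis> has not been triaged yet, so it stays open.
        state = v.findtext("cdx:analysis/cdx:state", default="in_triage", namespaces=NS)
        records.append({
            "id": v.findtext("cdx:id", namespaces=NS), "state": state, "excluded": state in EXCLUDED,
            "justification": v.findtext("cdx:analysis/cdx:justification", namespaces=NS),
            "detail": " ".join(v.findtext("cdx:analysis/cdx:detail", default="", namespaces=NS).split()),
            "parts": [parts.get(r.text, r.text) for r in v.findall("cdx:affects/cdx:target/cdx:ref", NS)],
        })
    return records

def open_findings(records):
    """Ids not excluded by analysis; these still need triage or remediation."""
    return [r["id"] for r in records if not r["excluded"]]

def unjustified_exclusions(records):
    """Exclusions with no justification: review these rather than accepting them."""
    return [r["id"] for r in records if r["excluded"] and not r["justification"]]

if __name__ == "__main__":
    recs = parse_vex(SAMPLE_VEX)
    for r in recs:
        print("EXCLUDED" if r["excluded"] else "OPEN", r["id"], ",".join(r["parts"]), r["state"], r["justification"] or "-", r["detail"])
    print("open:", open_findings(recs), "unjustified:", unjustified_exclusions(recs))
```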

SBOM Report in SPDX Format

The following is an excerpt from an example SBOM report in SPDX format (.spdx).

SBOM Report in Excel and HTML Formats

The following are examples of the SBOM report in Excel and HTML formats. In either format, the component name and the licenses for a given component are hyperlinked to external sources for more information.

In Excel Format

The following is an excerpt from an example SBOM report in Excel format (.xlsx).

In HTML Format

The following is an excerpt from an example SBOM report in HTML format (.html).