SBOM Insights Quick Start
This section provides instructions that walk you through the basic process of constructing an SBOM that represents the open-source, third-party, and commercial software used in the products that you deliver or host (as a software producer) or that you use or deploy (as a software buyer).
• | Before Starting |
• | Step 1: Create a Bucket |
• | Step 2: Add SBOM Parts to the Bucket |
• | Step 3: View Your SBOM |
• | Step 4: Export Your SBOM to a Comma-Separated Format |
To prepare for the walk-through, start with the following tasks.
Log in to SBOM Insights
When logging in for the first time as a customer or as an evaluation user, follow the instructions that Revenera provides to you through email. If you have already received the email invitation to SBOM Insights, use the procedure in Accepting Invitations to SBOM Insights to accept the invite and to log in.
If you are not a first-time user, use your current credentials to log in to SBOM Insights.
Obtain Your Source SBOM Data File(s)
The second step in this walk-through focuses on importing existing SBOM data as a method for adding parts to the SBOM you are constructing. Although SBOM Insights lets you add parts to your SBOM through disclosures, the most common method for getting started is to import existing SBOM data files in industry-standard formats. To perform this import, you need a file that contains existing SBOM data from another source. The supported formats for an import are SPDX V2.2 (.spdx), CycloneDX v1.4 (.json or .xml), or a Revenera Code Insight project export data file (.json).
The first step in creating an SBOM is to define a bucket. A bucket is a “bag of parts”, where the “bag” represents an entity composed of or containing software. For example, the entity can represent an application, a device containing software, a sub-module of an application, a large OSS component (such as Linux), or a suite of applications. The “parts” represent the open-source, third-party, and commercial software components used by the entity. A bucket in SBOM Insights is similar to a project in Revenera Code Insight.
A bucket can be nested under another bucket to form a hierarchy. For example, if the bucket you are creating represents a sub-module of an application, you can select the application’s bucket as the parent of the sub-module bucket. This hierarchy establishes relationships between buckets, enabling you to create and manage an SBOM for a software entity and all its sub-entities. Although this walk-through does not set up a hierarchy, you can find more information in Managing Buckets.
To create a bucket:
1. | Click Create Bucket in the left navigation panel to open the Create Bucket page. |
2. | From the Type dropdown list, select the entity or context in which the collection of open-source, third-party, or commercial software components is used. In other words, select the entity for which you are creating an SBOM. |
For example, select Application if you are creating an SBOM for a software application. Or select Container if you are creating an SBOM for files in a software container such as a Docker container. For a detailed description of the various bucket types, see Managing Buckets.
3. | In the Name field, provide a name for the bucket that is unique within the SBOM Insights Organization to which you belong. |
4. | (Optional) Enter Description content for the bucket. |
5. | Save the bucket. |
Watch a Demo
For a demonstration of how to create a bucket, watch the following video.
Step 2: Add SBOM Parts to the Bucket
The second step in creating an SBOM is to add parts to the bucket. These “parts” represent the open-source, third-party, and commercial components used by the software entity represented by the bucket. (An SBOM part in SBOM Insights is similar to an inventory item in a Revenera Code Insight project.) You can add the parts to the bucket using two methods:
• | Importing SBOM Parts from SBOM Data Sources |
• | Manually Creating SBOM Parts |
A bucket can contain any combination of parts imported from one or more sources, as well as parts that are manually created in SBOM Insights.
Importing SBOM Parts from SBOM Data Sources
A common and easy way to add SBOM parts to a bucket is to import an SBOM data file. You can import SBOM parts from the following sources:
• | Any SBOM data file in SPDX v2.2 (.spdx) or CycloneDX v1.4 (.json or .xml) format |
• | A Revenera Code Insight project export data file (.json) |
This walk-through focuses on importing SBOM parts from one source. However, you can perform imports from multiple sources for your SBOM using the same set of instructions.
To import an existing SBOM:
1. | Click Import SBOM in the left navigation panel to open the Import SBOM page. |
2. | From the Bucket dropdown list, select the bucket to which you are importing SBOM data. |
3. | Select the SBOM data file whose contents you are importing. Use one of these methods: |
• | Browse to the location of the existing SBOM data file, and drag and drop it into indicated box on the Import SBOM page. |
• | Click within the indicated box to browse to and select the file you want. |
4. | Click Import. |
5. | (Optional) Navigate to Jobs page to view the status of the import. |
Watch a Demo
For a demonstration of how to import SBOM parts into a bucket, watch the following video.
You can click the Create SBOM Part button on the Manage SBOM Parts page to manually create a part to add to a bucket. For example, you can create a part representing a component version not found in the SBOM you imported or a part (such as a code fragment or an image file) not typically identified as a component.
This walk-through does not explain how to create a part manually, but you can refer to Creating SBOM Parts Manually for more information.
After adding SBOM parts to the bucket, you can view the bucket and its contents (or view any combination of buckets across your Organization) on the Manage SBOM Parts page. On this page, you can also access the functionality to edit an SBOM part (including changing the component associated with it). This walk-through does not explain the editing process, but you can refer to Editing a Bucket for more information.
To view the current SBOM:
1. | Click Manage SBOM Parts in the left navigation panel to open the Manage SBOM Parts page. The SBOM of parts across all buckets is displayed in a list grid. |
2. | (Optional) From the Bucket dropdown list, select the bucket you just created (or any combination of buckets) to filter to only parts for the selected bucket(s). |
For information on additional ways to manage the SBOM buckets and parts list, see Managing Lists in SBOM Insights.
3. | Click within the row of a given SBOM part to open a slideout panel that shows additional information about the part. |
4. | (Optional) Click the interactive elements in the row for an SBOM part (hyperlinked elements, information icons, and the security vulnerabilities bar graph) to explore additional information about the SBOM part. |
5. | Click Refresh on the Manage SBOM Parts page to refresh the SBOM list with the latest data. |
Watch a Demo
For a demonstration of how to view your SBOMs, watch the following video.
Step 4: Export Your SBOM to a Comma-Separated Format
You can export the SBOM parts on the Manage SBOM Parts page into a comma-separated value file (.csv) that can be opened in Excel or any text editor. This process exports only the SBOM data on the current page.
To export the SBOM to a .csv file:
1. | Click Manage SBOM Parts in the left navigation panel to open the Manage SBOM Parts page. The SBOM of parts across all buckets is displayed in a list grid. |
2. | (Optional) If you want to export parts belonging to the bucket you just created and/or one or more other buckets, select those buckets using the Bucket dropdown list. |
3. | Navigate to the page in the list showing the SBOM parts you want to export. |
4. | Click in the upper-right corner of the page. |
The SBOM is exported to a file called export.csv and is downloaded to your browser’s default download location. You can then open the file in Excel or a text editor of your choice.