This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Manage SBOMs

Learn more about software transparency and the role of SBOMs in your organization.

1: Export SBOMs and VEX

2: Import SBOMs

A complete and accurate inventory of all first-party and third-party components is essential for risk identification. A Software Bill of Materials (SBOM) is a document that provides transparency into the software components of an application.

SBOMs should ideally contain all direct and transitive components and the dependency relationships between them. They should also contain metadata associated with each of these components.

For software producers

Software producers, those who create and sell software, need to be able to provide software transparency through an SBOM to their customers on request to reduce sales cycles, establish trust and sometimes as a regulatory or business requirement.

A Vulnerability Exploitability eXchange (VEX) document conveys the potential risks associated with components that have known vulnerabilities within the specific context of the product.

Software producers may need to, upon request, provide justification for known vulnerabilities and how they impact an application they sell.

Learn how to export SBOMs and VEX documents for the software you test with Endor Labs.

For software consumers

Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase.

Learn how to manage third-party risks with Endor Labs.

1 - Export SBOMs and VEX

Learn more about software transparency and the role of SBOMs in your organization.

To export an SBOM you must first perform a successful endorctl scan. If you haven’t successfully scanned a project see quick start for more information.

Endor Labs supports export in the CycloneDX format and the VEX format.

Export an SBOM through the Endor Labs user interface

To export an SBOM for a package version in the Endor Labs user interface:

Navigate to My Packages and search for the package name in the Search filter.
Select the version to create an SBOM
Click Export SBOM in the top right-hand corner.
Select the container format.
Select the output format and type of SBOM you would like to generate and click Export SBOM. A file containing the SBOM will download from your browser.
Click Export VEX to generate a Vulnerability Exchange (VEX) file for the package version.

Export SBOM through endorctl

You can export SBOM of a specific or multiple package versions with endorctl.

You can use the following options with the SBOM export command.

Flag	Environment Variable	Description
`component-type`	`ENDOR_SBOM_COMPONENT_TYPE`	Set the SBOM component type (`application`, or `library`). (default `application`)
`output-format`	`ENDOR_SBOM_OUTPUT_FORMAT`	Set the SBOM format (`json`, or `xml`) (default `json`).
`package-version-name`	`ENDOR_SBOM_PACKAGE_VERSION_NAME`	Name of the package version for which you want to generate an SBOM.
`package-version-uuid`	`ENDOR_SBOM_PACKAGE_VERSION_UUID`	The UUID of the package version for which you want to generate an SBOM.
`timeout`	`ENDOR_SBOM_TIMEOUT`	Set the timeout for the SBOM generation (default `30s`).
`with-vex`	`ENDOR_SBOM_WITH_VEX`	Generate the corresponding VEX document along with the SBOM.
`project-uuid`	`ENDOR_SBOM_PROJECT_UUID`	The UUID of the project for which you want to generate an SBOM.
`project-name`	`ENDOR_SBOM_PROJECT_NAME`	Name of the project for which you want to generate an SBOM.
`app-name`	`ENDOR_SBOM_APP_NAME`	Name of the application/library. Required for multi-package SBOM export.
`package-version-uuids`	`ENDOR_SBOM_PACKAGE_VERSION_UUIDS`	The list of package version UUIDs to export an SBOM.

To export an SBOM you will need the package version name for which you’d like to create an SBOM or its UUID. You can also export an SBOM with multiple package versions. To export an SBOM with multiple package versions, you need the package version UUIDs or the project name.

Pass the package name or UUID to the command endorctl sbom export using the --package-version-name or --uuid flags.

To export an SBOM, you must first retrieve the package version name through the API.

You can easily export a reference package name and the scanned version you’d like to export as environment variables.

export PACKAGE_NAME=<insert_package_name>
export VERSION=<insert_package_version>

Then query the API for the package version name and set this as an environment variable:

export PACKAGE_VERSION_NAME=$(endorctl api list -r PackageVersion --filter "meta.name matches $PACKAGE_NAME AND meta.name matches $VERSION" --field-mask=meta.name | jq -r ".list.objects[].meta.name")

Use this name to export an SBOM using endorctl.

endorctl sbom export --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.json

To export multiple package versions in an SBOM, you need the UUIDs of package versions, or the name or UUID of the project to which the package versions belong.

To create an SBOM based on project details, either provide the project UUID with the --project-uuid flag or the project name with the --project-name flag. You also need to provide a name for the package with the --app-name flag.

Run the following command to create an SBOM with multiple package versions with the project UUID.

endorctl sbom export -n test --project-uuid=<Project UUID> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --project-uuid=66e345c340669666c22979d6 --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

Run the following command to create an SBOM with multiple package versions with the project name.

endorctl sbom export -n test --project-name=<Project Name> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --project-name=actions-hu/app-java-demo --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

To generate an SBOM based on package version UUIDs, provide the package version UUIDs with the --package-version-uuids flag. You also need to provide a name for the package with the --app-name flag.

endorctl sbom export -n test --package-version-uuids=<Package Version UUID 1>,<Package Version UUID 2>,... <Package Version UUID N> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --package-version-uuids=66e345c340669666c22979d6,89f456c340669666c229854a,43a56b1340669666c289d4a2 --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

To export the SBOM as a library rather than an application use the flag --component-type=library:

endorctl sbom export --component-type=library --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.json

To export the SBOM in XML format rather than json use the --output-format flag with the XML parameter:

endorctl sbom export --output-format=xml --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.xml

To export a VEX document use the flag --with-vex

endorctl sbom export --with-vex

Endor Labs Export Formats

Endor Labs provides the following fields to map to the NTIA minimum elements of an SBOM standard.

CycloneDX Format

Endor Labs supports export in the CycloneDX format.

The following table lists the mandatory and some optional fields in the SBOM file that Endor Labs exports.

Field	Description
`bomFormat`	Specifies the format of the SBOM. Required.
`specVersion`	The version of the specification used (for example, “1.4”). Required.
`serialNumber`	A unique identifier for the SBOM document. Optional.
`version`	The revision number of the SBOM. Required.
`metadata`	Contains metadata about the SBOM and primary component. Optional.
`metadata.timestamp`	The date and time when the SBOM was generated. Optional.
`metadata.component`	Information about the main component described by the SBOM. Optional.
`metadata.component.bom-ref`	A reference identifier for the component within the BOM. Optional.
`metadata.component.type`	The type of the main component (for example, “application” or “library”). Optional.
`metadata.component.name`	The name of the main component. Optional.
`metadata.component.version`	The version of the main component. Optional.
`metadata.component.hashes`	Cryptographic hashes of the main component. Optional.
`metadata.component.purl`	The Package URL (purl) for the main component. Optional.
`metadata.supplier`	Information about the supplier of the software. Optional.
`metadata.supplier.name`	The name of the supplier. Optional.
`metadata.supplier.url`	URLs associated with the supplier. Optional.
`metadata.supplier.contact`	Contact information for the supplier. Optional.
`metadata.licenses`	License information for the main component. Optional.
`components`	List of software components included in the SBOM. Required.
`components[].bom-ref`	A reference identifier for each component within the BOM. Optional.
`components[].type`	The type of each component (for example, “library”). Required.
`components[].name`	The name of each component. Required.
`components[].version`	The version of each component. Optional.
`components[].licenses`	License information for each component. Optional.
`components[].licenses[].license.name`	The name of the license. Optional.
`components[].purl`	The Package URL (purl) for each component. Optional.
`components[].externalReferences`	External references for components. Optional.
`components[].externalReferences[].url`	The URL of the external reference. Optional.
`components[].externalReferences[].type`	The type of the external reference (for example, “`vcs`”). Optional.
`dependencies`	Describes the relationships between components. Optional.
`dependencies[].ref`	Reference to a component in the dependency relationship. Optional.
`dependencies[].dependsOn`	List of components that this component depends on. Optional.

VEX Format

The following table lists the mandatory and some optional fields in the VEX file that Endor Labs exports.

Field	Description
`bomFormat`	Specifies the format of the VEX document. Required.
`specVersion`	The version of the specification used. Required.
`serialNumber`	A unique identifier for the VEX document. Required.
`version`	The revision number of the VEX document. Required.
`metadata`	Contains metadata about the VEX document and primary component. Required.
`metadata.timestamp`	The date and time when the VEX document was generated. Required.
`metadata.tools`	Information about tools used to generate the VEX document. Required.
`metadata.tools.services`	List of services used in generating the VEX document. Required.
`metadata.tools.services[].provider`	Information about the provider of the service. Required.
`metadata.tools.services[].provider.name`	The name of the service provider. Required.
`metadata.tools.services[].provider.url`	URLs associated with the service provider. Required.
`metadata.tools.services[].name`	The name of the service. Required.
`metadata.tools.services[].version`	The version of the service. Required.
`metadata.tools.services[].description`	A description of the service. Required.
`metadata.component`	Information about the main component described by the VEX document. Required.
`metadata.component.bom-ref`	A reference identifier for the component within the VEX. Required.
`metadata.component.type`	The type of the main component. Required.
`metadata.component.name`	The name of the main component. Required.
`metadata.component.version`	The version of the main component. Required.
`metadata.component.hashes`	Cryptographic hashes of the main component. Required.
`metadata.component.purl`	The Package URL (purl) for the main component. Required.
`vulnerabilities`	List of vulnerabilities associated with the component. Required.
`vulnerabilities[].id`	The identifier of the vulnerability. Optional.
`vulnerabilities[].references`	References related to the vulnerability. Optional.
`vulnerabilities[].references[].source.url`	URL of the reference source. Optional.
`vulnerabilities[].ratings`	Severity ratings for the vulnerability. Optional.
`vulnerabilities[].ratings[].score`	Numerical score of the severity. Optional.
`vulnerabilities[].ratings[].severity`	Textual representation of the severity. Optional.
`vulnerabilities[].ratings[].method`	The method used for rating (for example, “CVSSv3”). Optional.
`vulnerabilities[].ratings[].vector`	The vector string for the rating. Optional.
`vulnerabilities[].cwes`	Common Weakness Enumeration (CWE) identifiers. Optional.
`vulnerabilities[].description`	A description of the vulnerability. Optional.
`vulnerabilities[].detail`	Detailed information about the vulnerability. Optional.
`vulnerabilities[].recommendation`	Recommended actions to address the vulnerability. Optional.
`vulnerabilities[].advisories`	List of advisories related to the vulnerability. Optional.
`vulnerabilities[].advisories[].url`	URL of the advisory. Optional.
`vulnerabilities[].published`	The date when the vulnerability was published. Optional.
`vulnerabilities[].updated`	The date when the vulnerability information was last updated. Optional.
`vulnerabilities[].credits`	Credits for individuals or organizations related to the vulnerability. Optional.
`vulnerabilities[].credits.individuals`	List of individuals credited. Optional.
`vulnerabilities[].analysis`	Analysis of the vulnerability’s impact on the component. Optional.
`vulnerabilities[].analysis.state`	The state of the analysis (for example, `not_affected`). Optional.
`vulnerabilities[].analysis.justification`	Justification for the analysis state. Optional.
`vulnerabilities[].affects`	Information about which components are affected by the vulnerability. Optional.
`vulnerabilities[].affects[].ref`	Reference to the affected component. Optional.

2 - Import SBOMs

Learn more about software transparency and the role of importing SBOMs in your organization.

Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase. For the software that a software consumer procures, they can request an SBOM to get visibility into the software composition of what they deploy in their environment.

If an information security analyst on your team sends a mass email to all your vendors asking them to provide SBOMs, you are likely to get some combination of confused replies, refusals to hand over anything, and a few incredibly detailed json and XML files. An inbox full of attachments is not the correct way to manage information. Storing these SBOMs in platforms like Google Drive, Dropbox, or any other information repository without active utilization will yield minimal benefits.

Endor Labs’ SBOM hub ingests, parses, analyzes, and tracks your vendor’s SBOMs and offers a structured method to track and version control every SBOM.

SBOM Hub

SBOM Hub is a central location for software consumers to store, search, and monitor their SBOMs. If you are building out an SBOM program you should visit our blog on Key questions for your SBOM program to learn more about SBOM best practices and program management.

You can use Endor Labs finding policies to identify vulnerabilities, unmaintained open source software, license risk and outdated dependencies in the SBOMs provided to you by your third-party software vendors.

Import an SBOM to Endor Labs

Once you have an SBOM from one of your third-party vendors, you should import the SBOM into Endor Labs to monitor and manage it.

Import SBOMs through the Endor Labs UI

Import your project’s SBOM into the Endor Labs application to discover vulnerabilities and view findings. You can either upload the file from the user interface or through endorctl.

Click SBOM Hub on the left-hand side navigation menu.
Click Import SBOM in the top right-hand corner.
Choose Upload File and select the type of SBOM you would like to upload.
1. Use CycloneDX if your vendor has provided you with a CycloneDX format SBOM
2. Use SPDX if your vendor has provided you with a SPDX format SBOM
Click Browse to upload your SBOM from your workstation or drag the SBOM into the Endor Labs UI.

Once you have imported your SBOM to Endor Labs, Endor Labs will schedule a scan in the background for the SBOM within the next few hours. To instantly scan the SBOM see Importing SBOMs through the Endor Labs CLI

Tip

Endor Labs supports CycloneDX or SPDX format SBOMs in XML or json format.

Import SBOMs through the Endor Labs CLI

To import an SBOM to Endor Labs with automation or using the CLI use the following command:

endorctl sbom import --sbom-file-path=/path/to/your/sbom.json

endorctl sbom import --format=spdx --sbom-file-path=/path/to/your/sbom.json

See the sbom import command for endorctl for more information.

Manage SBOMs

Manage the SBOMs on the Endor Labs application.

Delete SBOM - Select one or more SBOMs, click the vertical ellipsis at the right side and click Delete SBOM.
Include Tags for an SBOM - Select one or more SBOMs and click Edit Tags on the top right-hand corner. Tags are labels or keywords that you can use to categorize SBOMs. They help classify and group related SBOMs, making it easier to search, filter, and manage the SBOMs. Tags can have a maximum of 63 characters and can contain letters A-Z, numbers (0-9), or any of (=@_.-) special characters.

Tagging strategies for SBOMs

To improve your team’s ability to search and manage SBOMs, you can tag them as they are received. Tagging SBOMs helps your team understand the applications, vendors, and their importance to your business.

Use Case	Rationale	Example Tags
Data Classification	Understand the kind of data a vendor or vendor application handles for you.	`Classification_Restricted`, `Classification_HighlySensitive`, `Classification_Public`
Vendor Name	Some SBOMs may lack vendor information. Be sure to label your SBOMs with vendor names for better vendor management.	`Vendor_RedHat`
Vendor Criticality	Tag your SBOMs according to your internal vendor tier strategy or if the vendor is considered critical. This will streamline regular SBOM reviews.	`Critical_Vendor`, `Tier1_Vendor`