This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Manage SBOMs

Learn more about software transparency and the role of SBOMs in your organization.

A complete and accurate inventory of all first-party and third-party components is essential for risk identification. A Software Bill of Materials (SBOM) is a document that provides transparency into the software components of an application.

SBOMs should ideally contain all direct and transitive components and the dependency relationships between them. They should also contain metadata associated with each of these components.

For software producers

Software producers, those who create and sell software, need to be able to provide software transparency through an SBOM to their customers on request to reduce sales cycles, establish trust and sometimes as a regulatory or business requirement.

A Vulnerability Exploitability eXchange (VEX) document conveys the potential risks associated with components that have known vulnerabilities within the specific context of the product.

Software producers may need to, upon request, provide justification for known vulnerabilities and how they impact an application they sell.

Learn how to export SBOMs and VEX documents for the software you test with Endor Labs.

For software consumers

Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase.

Learn how to manage third-party risks with Endor Labs.

1 - Export SBOMs and VEX

Learn more about software transparency and the role of SBOMs in your organization.

To export an SBOM you must first perform a successful endorctl scan. If you haven’t successfully scanned a project see quick start for more information.

Endor Labs supports export in the CycloneDX format and the VEX format.

Export an SBOM through the Endor Labs user interface

When you export an SBOM at the project level, it includes all the packages in the project and all the package versions. This allows you to combine the SBOMs of multiple packages and versions into a single SBOM. A consolidated SBOM for the project enables quick identification and assessment of vulnerabilities across all software components.

  1. Navigate to Projects.

  2. Select the project for which to create an SBOM.

  3. Click Export SBOM in the top right-hand corner.

    Select packages

  4. Select the container format.

    Currently, you can export in the CycloneDX format.

  5. Choose whether to export as an application or a library.

    If you choose to export as an application, enter an application name.

  6. Select the output format and type of SBOM you would like to generate.

  7. Click Add More to select the packages and package versions you want to include in the SBOM.

    If you do not select specific packages, the SBOM will include information for all packages and package versions.

    Select packages

    You can filter by ecosystem to select the type of packages to include in the SBOM.

    Select packages

    You can also search and select multiple package versions of the same package.

    Select packages

  8. Click Export SBOM.

    A file containing the SBOM will download from your browser.

  9. Click Export VEX to generate a Vulnerability Exchange (VEX) file for the package version.

Export SBOM through endorctl

You can export SBOM of a specific or multiple package versions with endorctl.

You can use the following options with the SBOM export command.

Flag Environment Variable Description
component-type ENDOR_SBOM_COMPONENT_TYPE Set the SBOM component type (application, or library). (default application)
output-format ENDOR_SBOM_OUTPUT_FORMAT Set the SBOM format (json, or xml) (default json).
package-version-name ENDOR_SBOM_PACKAGE_VERSION_NAME Name of the package version for which you want to generate an SBOM.
package-version-uuid ENDOR_SBOM_PACKAGE_VERSION_UUID The UUID of the package version for which you want to generate an SBOM.
timeout ENDOR_SBOM_TIMEOUT Set the timeout for the SBOM generation (default 30s).
with-vex ENDOR_SBOM_WITH_VEX Generate the corresponding VEX document along with the SBOM.
project-uuid ENDOR_SBOM_PROJECT_UUID The UUID of the project for which you want to generate an SBOM.
project-name ENDOR_SBOM_PROJECT_NAME Name of the project for which you want to generate an SBOM.
app-name ENDOR_SBOM_APP_NAME Name of the application/library. Required for multi-package SBOM export.
package-version-uuids ENDOR_SBOM_PACKAGE_VERSION_UUIDS The list of package version UUIDs to export an SBOM.

To export an SBOM you will need the package version name for which you’d like to create an SBOM or its UUID. You can also export an SBOM with multiple package versions. To export an SBOM with multiple package versions, you need the package version UUIDs or the project name.

Pass the package name or UUID to the command endorctl sbom export using the --package-version-name or --uuid flags.

To export an SBOM, you must first retrieve the package version name through the API.

You can easily export a reference package name and the scanned version you’d like to export as environment variables.

export PACKAGE_NAME=<insert_package_name>
export VERSION=<insert_package_version>

Then query the API for the package version name and set this as an environment variable:

export PACKAGE_VERSION_NAME=$(endorctl api list -r PackageVersion --filter "meta.name matches $PACKAGE_NAME AND meta.name matches $VERSION" --field-mask=meta.name | jq -r ".list.objects[].meta.name")

Use this name to export an SBOM using endorctl.

endorctl sbom export --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.json

To export multiple package versions in an SBOM, you need the UUIDs of package versions, or the name or UUID of the project to which the package versions belong.

To create an SBOM based on project details, either provide the project UUID with the --project-uuid flag or the project name with the --project-name flag. You also need to provide a name for the package with the --app-name flag.

Run the following command to create an SBOM with multiple package versions with the project UUID.

endorctl sbom export -n test --project-uuid=<Project UUID> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --project-uuid=66e345c340669666c22979d6 --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

Run the following command to create an SBOM with multiple package versions with the project name.

endorctl sbom export -n test --project-name=<Project Name> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --project-name=actions-hu/app-java-demo --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

To generate an SBOM based on package version UUIDs, provide the package version UUIDs with the --package-version-uuids flag. You also need to provide a name for the package with the --app-name flag.

endorctl sbom export -n test --package-version-uuids=<Package Version UUID 1>,<Package Version UUID 2>,... <Package Version UUID N> --app-name=<Application Name> >> <SBOM Name>.json

For example:

endorctl sbom export -n test --package-version-uuids=66e345c340669666c22979d6,89f456c340669666c229854a,43a56b1340669666c289d4a2 --app-name=actions-hu/app-java-demo >> cycloneDx-sbom.json

To export the SBOM as a library rather than an application use the flag --component-type=library:

endorctl sbom export --component-type=library --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.json

To export the SBOM in XML format rather than json use the --output-format flag with the XML parameter:

endorctl sbom export --output-format=xml --package-version-name=$PACKAGE_VERSION_NAME >> cyclonedx.xml

To export a VEX document use the flag --with-vex

endorctl sbom export --with-vex

Endor Labs Export Formats

Endor Labs provides the following fields to map to the NTIA minimum elements of an SBOM standard.

CycloneDX Format

Endor Labs supports export in the CycloneDX format.

The following table lists the mandatory and some optional fields in the SBOM file that Endor Labs exports.

Field Description
bomFormat Specifies the format of the SBOM. Required.
specVersion The version of the specification used (for example, “1.4”). Required.
serialNumber A unique identifier for the SBOM document. Optional.
version The revision number of the SBOM. Required.
metadata Contains metadata about the SBOM and primary component. Optional.
metadata.timestamp The date and time when the SBOM was generated. Optional.
metadata.component Information about the main component described by the SBOM. Optional.
metadata.component.bom-ref A reference identifier for the component within the BOM. Optional.
metadata.component.type The type of the main component (for example, “application” or “library”). Optional.
metadata.component.name The name of the main component. Optional.
metadata.component.version The version of the main component. Optional.
metadata.component.hashes Cryptographic hashes of the main component. Optional.
metadata.component.purl The Package URL (purl) for the main component. Optional.
metadata.supplier Information about the supplier of the software. Optional.
metadata.supplier.name The name of the supplier. Optional.
metadata.supplier.url URLs associated with the supplier. Optional.
metadata.supplier.contact Contact information for the supplier. Optional.
metadata.licenses License information for the main component. Optional.
components List of software components included in the SBOM. Required.
components[].bom-ref A reference identifier for each component within the BOM. Optional.
components[].type The type of each component (for example, “library”). Required.
components[].name The name of each component. Required.
components[].version The version of each component. Optional.
components[].licenses License information for each component. Optional.
components[].licenses[].license.name The name of the license. Optional.
components[].purl The Package URL (purl) for each component. Optional.
components[].externalReferences External references for components. Optional.
components[].externalReferences[].url The URL of the external reference. Optional.
components[].externalReferences[].type The type of the external reference (for example, “vcs”). Optional.
dependencies Describes the relationships between components. Optional.
dependencies[].ref Reference to a component in the dependency relationship. Optional.
dependencies[].dependsOn List of components that this component depends on. Optional.

VEX Format

The following table lists the mandatory and some optional fields in the VEX file that Endor Labs exports.

Field Description
bomFormat Specifies the format of the VEX document. Required.
specVersion The version of the specification used. Required.
serialNumber A unique identifier for the VEX document. Required.
version The revision number of the VEX document. Required.
metadata Contains metadata about the VEX document and primary component. Required.
metadata.timestamp The date and time when the VEX document was generated. Required.
metadata.tools Information about tools used to generate the VEX document. Required.
metadata.tools.services List of services used in generating the VEX document. Required.
metadata.tools.services[].provider Information about the provider of the service. Required.
metadata.tools.services[].provider.name The name of the service provider. Required.
metadata.tools.services[].provider.url URLs associated with the service provider. Required.
metadata.tools.services[].name The name of the service. Required.
metadata.tools.services[].version The version of the service. Required.
metadata.tools.services[].description A description of the service. Required.
metadata.component Information about the main component described by the VEX document. Required.
metadata.component.bom-ref A reference identifier for the component within the VEX. Required.
metadata.component.type The type of the main component. Required.
metadata.component.name The name of the main component. Required.
metadata.component.version The version of the main component. Required.
metadata.component.hashes Cryptographic hashes of the main component. Required.
metadata.component.purl The Package URL (purl) for the main component. Required.
vulnerabilities List of vulnerabilities associated with the component. Required.
vulnerabilities[].id The identifier of the vulnerability. Optional.
vulnerabilities[].references References related to the vulnerability. Optional.
vulnerabilities[].references[].source.url URL of the reference source. Optional.
vulnerabilities[].ratings Severity ratings for the vulnerability. Optional.
vulnerabilities[].ratings[].score Numerical score of the severity. Optional.
vulnerabilities[].ratings[].severity Textual representation of the severity. Optional.
vulnerabilities[].ratings[].method The method used for rating (for example, “CVSSv3”). Optional.
vulnerabilities[].ratings[].vector The vector string for the rating. Optional.
vulnerabilities[].cwes Common Weakness Enumeration (CWE) identifiers. Optional.
vulnerabilities[].description A description of the vulnerability. Optional.
vulnerabilities[].detail Detailed information about the vulnerability. Optional.
vulnerabilities[].recommendation Recommended actions to address the vulnerability. Optional.
vulnerabilities[].advisories List of advisories related to the vulnerability. Optional.
vulnerabilities[].advisories[].url URL of the advisory. Optional.
vulnerabilities[].published The date when the vulnerability was published. Optional.
vulnerabilities[].updated The date when the vulnerability information was last updated. Optional.
vulnerabilities[].credits Credits for individuals or organizations related to the vulnerability. Optional.
vulnerabilities[].credits.individuals List of individuals credited. Optional.
vulnerabilities[].analysis Analysis of the vulnerability’s impact on the component. Optional.
vulnerabilities[].analysis.state The state of the analysis (for example, not_affected). Optional.
vulnerabilities[].analysis.justification Justification for the analysis state. Optional.
vulnerabilities[].affects Information about which components are affected by the vulnerability. Optional.
vulnerabilities[].affects[].ref Reference to the affected component. Optional.

2 - Import SBOMs

Learn more about software transparency and the role of importing SBOMs in your organization.

Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase. For the software that a software consumer procures, they can request an SBOM to get visibility into the software composition of what they deploy in their environment.

If an information security analyst on your team sends a mass email to all your vendors asking them to provide SBOMs, you are likely to get some combination of confused replies, refusals to hand over anything, and a few incredibly detailed json and XML files. An inbox full of attachments is not the correct way to manage information. Storing these SBOMs in platforms like Google Drive, Dropbox, or any other information repository without active utilization will yield minimal benefits.

Endor Labs’ SBOM hub ingests, parses, analyzes, and tracks your vendor’s SBOMs and offers a structured method to track and version control every SBOM.

SBOM Hub

SBOM Hub is a central location for software consumers to store, search, and monitor their SBOMs. If you are building out an SBOM program you should visit our blog on Key questions for your SBOM program to learn more about SBOM best practices and program management.

You can use Endor Labs finding policies to identify vulnerabilities, unmaintained open source software, license risk and outdated dependencies in the SBOMs provided to you by your third-party software vendors.

Import an SBOM to Endor Labs

Once you have an SBOM from one of your third-party vendors, you should import the SBOM into Endor Labs to monitor and manage it.

Import SBOMs through the Endor Labs UI

Import your project’s SBOM into the Endor Labs application to discover vulnerabilities and view findings. You can either upload the file from the user interface or through endorctl.

  1. Click SBOM Hub on the left-hand side navigation menu.
  2. Click Import SBOM in the top right-hand corner.
  3. Choose Upload File and select the type of SBOM you would like to upload.
    1. Use CycloneDX if your vendor has provided you with a CycloneDX format SBOM
    2. Use SPDX if your vendor has provided you with a SPDX format SBOM
  4. Click Browse to upload your SBOM from your workstation or drag the SBOM into the Endor Labs UI.

Once you have imported your SBOM to Endor Labs, Endor Labs will schedule a scan in the background for the SBOM within the next few hours. To instantly scan the SBOM see Importing SBOMs through the Endor Labs CLI

Import SBOMs through the Endor Labs CLI

To import an SBOM to Endor Labs with automation or using the CLI use the following command:

endorctl sbom import --sbom-file-path=/path/to/your/sbom.json
endorctl sbom import --format=spdx --sbom-file-path=/path/to/your/sbom.json

See the sbom import command for endorctl for more information.

Manage SBOMs

Manage the SBOMs on the Endor Labs application.

  • Delete SBOM - Select one or more SBOMs, click the vertical ellipsis at the right side and click Delete SBOM.
  • Include Tags for an SBOM - Select one or more SBOMs and click Edit Tags on the top right-hand corner. Tags are labels or keywords that you can use to categorize SBOMs. They help classify and group related SBOMs, making it easier to search, filter, and manage the SBOMs. Tags can have a maximum of 63 characters and can contain letters A-Z, numbers (0-9), or any of (=@_.-) special characters.

Tagging strategies for SBOMs

To improve your team’s ability to search and manage SBOMs, you can tag them as they are received. Tagging SBOMs helps your team understand the applications, vendors, and their importance to your business.


Use Case Rationale Example Tags
Data Classification Understand the kind of data a vendor or vendor application handles for you. Classification_Restricted, Classification_HighlySensitive, Classification_Public
Vendor Name Some SBOMs may lack vendor information. Be sure to label your SBOMs with vendor names for better vendor management. Vendor_RedHat
Vendor Criticality Tag your SBOMs according to your internal vendor tier strategy or if the vendor is considered critical. This will streamline regular SBOM reviews. Critical_Vendor, Tier1_Vendor