Import SBOMs

Learn more about software transparency and the role of importing SBOMs in your organization.

Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase. For the software that a software consumer procures, they may choose to request an SBOM so that they can get visibility into the software composition of what they deploy in their environment.

If an information security analyst on your team sends a mass email to all of your vendors asking them to provide SBOMs, you are likely to get some combination of confused replies, refusals to hand over anything, and a few incredibly detailed JSON and XML files.

Unfortunately, an inbox full of attachments is a terrible way to manage information. Even if you store them in Google Drive, Dropbox, or some other information repository, just having them “sitting on the shelf” will do little good.

Thus, having a way to receive and track your vendors' SBOMs is absolutely vital before you start asking for them. At a minimum, you will need a structured method to track and version-control each individual SBOM. Optimally, you will have a platform that ingests, parses, and analyzes the information contained within. This is the genesis of Endor Labs' SBOM Hub.

What is SBOM Hub?

SBOM Hub is a central location for software consumers to store, search, and monitor their SBOMs. If you are building out an SBOM program, you should visit our blog on Key questions for your SBOM program to learn more about SBOM best practices and program management.

You can use Endor Labs finding policies to identify vulnerabilities, unmaintained open source software, license risk, and outdated dependencies in the SBOMs provided to you by your third-party software vendors.

How to import an SBOM to Endor Labs

Once you have an SBOM from one of your third-party vendors, import it into Endor Labs to monitor and manage it.

Import SBOMs through the Endor Labs UI

Import your project's SBOM into the Endor Labs application to discover vulnerabilities and view findings. You can upload the file either through the user interface or through endorctl.

  1. Click SBOM Hub in the left-hand navigation menu.
  2. Click Import SBOM in the top right-hand corner.
  3. Choose Upload File and select the type of SBOM you would like to upload.
    1. Use CycloneDX if your vendor has provided you a CycloneDX-format SBOM.
    2. Use SPDX if your vendor has provided you an SPDX-format SBOM.
  4. Click Browse to upload your SBOM from your workstation, or drag the SBOM into the Endor Labs UI.

Once you have imported your SBOM, Endor Labs will schedule a background scan of the SBOM within the next few hours. To scan the SBOM immediately, see Import SBOMs through the Endor Labs CLI.

Import SBOMs through the Endor Labs CLI

To import an SBOM to Endor Labs from automation or from the command line, use one of the following commands:

endorctl sbom import --sbom-file-path=/path/to/your/sbom.json
endorctl sbom import --format=spdx --sbom-file-path=/path/to/your/sbom.json

See the sbom import command for endorctl for more information.

How to manage SBOMs

Manage the SBOMs on the Endor Labs application.

  • Delete SBOM - Select one or more SBOMs, click the vertical ellipsis at the right side and click Delete SBOM.
  • Include Tags for an SBOM - Select one or more SBOMs and click Edit Tags in the top right-hand corner. Tags are labels or keywords that you can use to categorize SBOMs. They help classify and group related SBOMs, making it easier to search, filter, and manage them. A tag can have a maximum of 63 characters and can contain letters (A-Z), numbers (0-9), or any of the special characters = @ _ . -

Tagging strategies for SBOMs

To help your team search and manage SBOMs, it's important to tag SBOMs as they come in. Tagging your SBOMs helps your team understand which application and vendor each SBOM represents, and how important that application is to your business.

The following use cases, rationale, and example tags are a starting point:

  • Data Classification. Rationale: understand what type of data a vendor or vendor application might be handling for you. Example tags: Classification_Restricted, Classification_HighlySensitive, Classification_Public.
  • Vendor Name. Rationale: not all SBOMs contain vendor information, so tag your SBOMs with vendor names to help you manage your vendors more effectively. Example tags: Vendor_RedHat.
  • Vendor Criticality. Rationale: tag your SBOMs with your internal vendor tiering strategy, or mark whether the vendor is one of your critical vendors, to help facilitate regular SBOM review. Example tags: Critical_Vendor, Tier1_Vendor.
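The CLI import commands above and the tag rules from the previous section can be wrapped in a small intake script. The example below is added here and is not Endor Labs' own tooling: it sniffs whether a vendor's JSON SBOM is CycloneDX or SPDX, builds the matching endorctl sbom import command line (assuming, as the two commands on this page suggest, that CycloneDX needs no --format flag while SPDX needs --format=spdx), and checks proposed tags against the 63-character, A-Z/0-9/=@_.- rule before you apply them in the UI. The sample SBOM files are constructed inline and are not real vendor artifacts.

```shell
#!/bin/sh
# Detect the SBOM format from its JSON content. Prints cyclonedx, spdx or unknown.
# CycloneDX JSON carries "bomFormat": "CycloneDX"; SPDX JSON carries "spdxVersion": "SPDX-x.y".
detect_sbom_format() {
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"; then
    echo cyclonedx
  elif grep -q '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-' "$1"; then
    echo spdx
  else
    echo unknown
  fi
}

# Print the endorctl command for a file; the command is printed, not executed, so it can be reviewed.
# Assumption (not stated on the page): CycloneDX is the default, SPDX needs --format=spdx.
build_import_cmd() {
  case $(detect_sbom_format "$1") in
    cyclonedx) echo "endorctl sbom import --sbom-file-path=$1" ;;
    spdx)      echo "endorctl sbom import --format=spdx --sbom-file-path=$1" ;;
    *)         echo "unrecognized SBOM format: $1" >&2; return 1 ;;
  esac
}

# Tag rule from the page: non-empty, at most 63 characters, only letters, digits and = @ _ . -
valid_tag() {
  tag=$1
  [ -n "$tag" ] || return 1
  [ "${#tag}" -le 63 ] || return 1
  case $tag in
    *[!A-Za-z0-9=@_.-]*) return 1 ;;
  esac
  return 0
}

# Constructed sample SBOMs (minimal, not real vendor files) to exercise the helpers.
samples=$(mktemp -d)
printf '{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}\n' > "$samples/vendor-a.cdx.json"
printf '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","packages":[]}\n' > "$samples/vendor-b.spdx.json"

for f in "$samples"/*.json; do
  build_import_cmd "$f"
done

# Validate candidate tags before entering them in Edit Tags; the third one contains spaces.
for t in Vendor_RedHat Classification_Restricted "Vendor Red Hat"; do
  if valid_tag "$t"; then echo "ok tag: $t"; else echo "rejected tag: $t" >&2; fi
done
```

The temporary directory in $samples is left in place so the printed commands can be tried by hand.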