SPDX, CycloneDX and Syft

Collecting SBOM data with SPDX, CycloneDX and Syft.

SBOM Tools

DeployHub can consume any SPDX and CycloneDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub as shown below. If you are not generating SBOMs as part of your pipeline process, you will need to add SBOM generation to collect the lower dependency data. Following is how to add Syft to your workflow to include the collection of SBOM data.

Adding Syft to your Pipeline Automation

Syft SBOM tool will generate Software Bill of Material Reports for popular coding languages and package managers, including Docker images.

The following code example scans a Docker Image to generate the SBOM. See Syft Options to scan other objects and coding languages.

# install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b $PWD

# create the SBOM
./syft packages $DOCKERREPO:$IMAGE_TAG --scope all-layers -o cyclonedx-json > cyclonedx.json

# display the SBOM
cat cyclonedx.json

Passing the Name of the SBOM Results

Note: To complete the process you will need to install the Ortelius CLI where your CI/CD server is running. Refer to the Ortelius GitHub CLI Documentation for installation instructions.

Execute the following calls to the Ortelius CLI as part of your workflow. It should be called after the build and SBOM generation:

With CycloneDX SBOM

dh updatecomp --rsp component.toml --deppkg "cyclonedx@name of your SBOM file"

Example:
dh updatecomp --rsp component.toml --deppkg "[email protected]"

With SPDX SBOM

dh updatecomp --rsp component.toml --deppkg "spdx@name of your SBOM file. "

Example:
dh updatecomp --rsp component.toml --deppkg "[email protected]"

Results

SBOM details are available at the Component Version and Application Version details pages. Also, the SBOM with the associated CVE data can be exported to a PDF. To export the SBOM and CVEs, go to the Application list view, select an Application Version. Then choose the menu item Reports -> Export SBOM. The PDF will be generated showing all of the Component Versions, SBOM Packages and any associated CVEs aggregated up to the selected Application Version.

Example Application Version SBOM and CVEs

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified September 6, 2024: Signed-off-by: tracyragan <[email protected]> (a8733b8)