A complete and accurate inventory of all first-party and third-party components is essential for risk identification. A Software Bill of Materials (SBOM) is a document that provides transparency into the software components of an application.
SBOMs should ideally contain all direct and transitive components and the dependency relationships between them. They should also contain metadata associated with each of these components.
For software producers
Software producers, those who create and sell software, need to be able to provide software transparency to their customers through an SBOM on request. Doing so shortens sales cycles, establishes trust and, in some cases, meets a regulatory or business requirement.
A Vulnerability Exploitability eXchange (VEX) document states, for each known vulnerability in a component, whether and how it affects the specific product in which that component is used.
Software producers may need to provide, on request, that justification for known vulnerabilities and their impact on the application they sell.
Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase.
Learn more about software transparency and the role of SBOMs in your organization.
To export an SBOM you must first perform a successful endorctl scan. If you haven’t successfully scanned a project, see the quick start for more information.
Export an SBOM through the Endor Labs user interface
To export an SBOM for a package version in the Endor Labs user interface:
Navigate to My Packages and search for the package name in the Search filter.
Select the version for which you want to create an SBOM.
Click Export SBOM in the top right-hand corner.
Select the container format.
Select the output format and type of SBOM you would like to generate and click Export SBOM. A file containing the SBOM will download from your browser.
Click Export VEX to generate a Vulnerability Exploitability eXchange (VEX) file for the package version.
Export an SBOM through the API using endorctl
To export an SBOM you will need the package version name for which you’d like to create an SBOM or its UUID.
Pass the package name or UUID to the command endorctl sbom export using the --package-version-name or --uuid flags.
If you do not know the exact package version name, look it up through the API first, then pass it to endorctl sbom export.
A convenient pattern is to set the package name and the scanned version you want to export as environment variables and build the package version name from them.
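A script for the procedure above, added here as an example; it is not part of the Endor Labs documentation. It uses only the endorctl sbom export selectors named above (--package-version-name and --uuid) plus the namespace flag. The ENDOR_NAMESPACE variable, the <ecosystem>://<name>@<version> naming convention for package versions, the meta.name filter given to endorctl api list, and writing the export to stdout are assumptions to check against your own endorctl version and tenant.

```shell
#!/bin/sh
# Added example, not Endor Labs' own code. Exports an SBOM for one scanned
# package version with endorctl. Assumptions (check against your tenant):
#   - endorctl is installed and already authenticated;
#   - ENDOR_NAMESPACE holds your namespace (passed below with -n);
#   - package version names follow <ecosystem>://<name>@<version>,
#     e.g. npm://lodash@4.17.21, and `endorctl api list` accepts a
#     meta.name filter and prints JSON;
#   - `endorctl sbom export` writes the SBOM to stdout; if your version
#     takes an output-file flag instead, use that in export_sbom.

# Compose the package version name from the package and the scanned version,
# the two values the page suggests keeping in environment variables.
package_version_name() {
    printf '%s@%s\n' "$1" "$2"
}

# Pick the selector flag: a UUID (8-4-4-4-12 hex) goes to --uuid, anything
# else is treated as a package version name.
selector_flag() {
    if printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        printf '%s\n' "--uuid=$1"
    else
        printf '%s\n' "--package-version-name=$1"
    fi
}

# Confirm the package version has been scanned before trying to export; an
# export only succeeds for a version endorctl has already scanned.
package_version_exists() {
    endorctl api list -r PackageVersion -n "$ENDOR_NAMESPACE" \
        --filter="meta.name==$1" --field-mask=meta.name,uuid \
        | grep -q '"name"'
}

# Export the SBOM to a file. $1 is a package version name or UUID, $2 the path.
export_sbom() {
    endorctl sbom export -n "$ENDOR_NAMESPACE" "$(selector_flag "$1")" > "$2"
}

main() {
    pv=$(package_version_name "$1" "$2")
    out=${3:-sbom.json}
    if ! package_version_exists "$pv"; then
        echo "no scanned package version named $pv in namespace $ENDOR_NAMESPACE" >&2
        return 1
    fi
    export_sbom "$pv" "$out"
    echo "wrote $out for $pv"
}

# Usage: sh export_sbom.sh npm://lodash 4.17.21 [output-file]
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The existence check is there so that a typo in the version fails with a clear message rather than an empty output file; the selector function lets the same script take either a package version name or the UUID shown in the UI.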
Learn more about software transparency and the role of importing SBOMs in your organization.
Software consumers, or those who use software, need to understand their software inventory holistically. This includes both the software that they create and the software that they purchase. For the software that a software consumer procures, they can request an SBOM to get visibility into the software composition of what they deploy in their environment.
If an information security analyst on your team sends a mass email to all of your vendors asking them to provide SBOMs, you are likely to get some combination of confused replies, refusals to hand over anything, and a few incredibly detailed JSON and XML files. An inbox full of attachments is not the correct way to manage information. Storing these SBOMs in platforms like Google Drive, Dropbox, or any other information repository without active utilization will yield minimal benefits.
Endor Labs’ SBOM Hub ingests, parses, analyzes, and tracks your vendors’ SBOMs and offers a structured way to track and version control every SBOM.
What is SBOM Hub?
SBOM Hub is a central location for software consumers to store, search, and monitor their SBOMs. If you are building out an SBOM program you should visit our blog on Key questions for your SBOM program to learn more about SBOM best practices and program management.
You can use Endor Labs finding policies to identify vulnerabilities, unmaintained open source software, license risk and outdated dependencies in the SBOMs provided to you by your third-party software vendors.
Import an SBOM to Endor Labs
Once you have an SBOM from one of your third-party vendors, you should import the SBOM into Endor Labs to monitor and manage it.
Import SBOMs through the Endor Labs UI
Import your project’s SBOM into the Endor Labs application to discover vulnerabilities and view findings. You can either upload the file from the user interface or through endorctl.
Click SBOM Hub on the left-hand side navigation menu.
Click Import SBOM in the top right-hand corner.
Choose Upload File and select the type of SBOM you would like to upload.
Use SPDX if your vendor has provided you with an SPDX-format SBOM.
Click Browse to upload your SBOM from your workstation or drag the SBOM into the Endor Labs UI.
Once you have imported your SBOM, Endor Labs schedules a background scan of it within the next few hours. To scan the SBOM immediately, see Importing SBOMs through the Endor Labs CLI.
Tip
Endor Labs supports CycloneDX or SPDX format SBOMs in XML or JSON format.
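Before uploading a vendor's file, it is worth confirming that it really is one of the supported formats and that its components carry stable identifiers, because the vulnerability, license and maintenance findings described earlier depend on matching each component to a known package. The following Python script is an added example, not Endor Labs code: it tells CycloneDX from SPDX and JSON from XML, counts direct and transitive components, and lists components without a package URL (purl). The three sample SBOMs in it are constructed for the example, and the SPDX XML layout it assumes (repeated packages elements mirroring the JSON) should be checked against a real file.

```python
"""Pre-import checks on a vendor-supplied SBOM.

Added example, not Endor Labs code. Identifies which supported format
(CycloneDX or SPDX, as JSON or XML) a file is, counts its components, and
lists components with no package URL (purl), since a component without a
stable identifier cannot be matched reliably against vulnerability data.
"""
import json
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace from an element tag: '{ns}bom' -> 'bom'."""
    return tag.rsplit("}", 1)[-1]

def detect_format(data: bytes):
    """Return (standard, encoding), e.g. ('cyclonedx', 'json'); raise ValueError otherwise."""
    text = data.lstrip()
    if text.startswith(b"{"):
        doc = json.loads(text)
        if doc.get("bomFormat") == "CycloneDX":
            return "cyclonedx", "json"
        if "spdxVersion" in doc:
            return "spdx", "json"
        raise ValueError("JSON document is neither CycloneDX nor SPDX")
    if text.startswith(b"<"):
        root_tag = _local(ET.fromstring(text).tag)
        if root_tag == "bom":        # CycloneDX XML root element
            return "cyclonedx", "xml"
        if root_tag == "Document":   # SPDX XML root element
            return "spdx", "xml"
        raise ValueError(f"unrecognised XML root element <{root_tag}>")
    raise ValueError("input is neither JSON nor XML")

def _spdx_purl(external_refs):
    """Return the purl from an SPDX externalRefs list, or None if absent."""
    for ref in external_refs:
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator") or None
    return None

def components(data: bytes):
    """Yield (name, version, purl_or_None) for every component in the SBOM."""
    standard, encoding = detect_format(data)
    if encoding == "json":
        doc = json.loads(data)
        if standard == "cyclonedx":
            for c in doc.get("components", []):
                yield c.get("name"), c.get("version"), c.get("purl") or None
        else:
            for p in doc.get("packages", []):
                yield p.get("name"), p.get("versionInfo"), _spdx_purl(p.get("externalRefs", []))
        return
    # XML: CycloneDX uses <component> elements (possibly nested); SPDX XML is
    # assumed to mirror the JSON layout with repeated <packages> elements.
    wanted = "component" if standard == "cyclonedx" else "packages"
    for el in ET.fromstring(data).iter():
        if _local(el.tag) != wanted:
            continue
        fields = {_local(ch.tag): (ch.text or "").strip() for ch in el}
        if standard == "cyclonedx":
            yield fields.get("name"), fields.get("version"), fields.get("purl") or None
        else:
            refs = [{_local(r.tag): (r.text or "").strip() for r in ext}
                    for ext in el if _local(ext.tag) == "externalRefs"]
            yield fields.get("name"), fields.get("versionInfo"), _spdx_purl(refs)

def inspect_sbom(data: bytes) -> dict:
    """Summarise an SBOM before import: format, component count, components lacking a purl."""
    standard, encoding = detect_format(data)
    comps = list(components(data))
    without_purl = [f"{name}@{version}" if version else str(name)
                    for name, version, purl in comps if purl is None]
    return {"standard": standard, "encoding": encoding,
            "component_count": len(comps), "without_purl": without_purl}

# Constructed sample SBOMs for this example (not real vendor files).
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "vendor-auth-lib", "version": "2.0.0"}]}).encode()

SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "vendor-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "log4j-core", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        {"SPDXID": "SPDXRef-Package-2", "name": "vendor-sdk", "versionInfo": "3.1"}]}).encode()

CYCLONEDX_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library">
      <name>requests</name><version>2.31.0</version><purl>pkg:pypi/requests@2.31.0</purl>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    for label, sbom in (("cdx.json", CYCLONEDX_JSON), ("spdx.json", SPDX_JSON), ("cdx.xml", CYCLONEDX_XML)):
        print(label, inspect_sbom(sbom))
```

Run it as a file to see a one-line summary per sample; on a real vendor SBOM, read the file as bytes and pass it to inspect_sbom. A non-empty without_purl list is the thing to raise with the vendor before relying on the findings the platform produces for that SBOM.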
Import SBOMs through the Endor Labs CLI
To import an SBOM to Endor Labs with automation or using the CLI use the following command:
Delete SBOM - Select one or more SBOMs, click the vertical ellipsis at the right side and click Delete SBOM.
Include Tags for an SBOM - Select one or more SBOMs and click Edit Tags on the top right-hand corner. Tags are labels or keywords that you can use to categorize SBOMs. They help classify and group related SBOMs, making it easier to search, filter, and manage the SBOMs. Tags can have a maximum of 63 characters and can contain letters A-Z, numbers (0-9), or any of (=@_.-) special characters.
Tagging strategies for SBOMs
To improve your team’s ability to search and manage SBOMs, you can tag them as they are received. Tagging SBOMs helps your team understand the applications, vendors, and their importance to your business.
Use Case
Rationale
Example Tags
Data Classification
Understand the kind of data a vendor or vendor application handles for you.