Skip to main content

Checkmarx One SBOM Reports

What is an SBOM Report?

Software Bill of Materials (SBOM), in simple words, is a list of all ingredients (i.e., components) of a software product. Just like you would check the ingredients of a food product before eating it, so too you should know what’s in your software before using it.

“On May 12, 2021, the President issued Executive Order 14028, “Improving the Nation's Cybersecurity.” [1] An initial step towards the Executive Order's goal of “enhancing software supply chain security” is transparency.

(Quote: federalregister.gov)

Generating an SBOM report may sound like a relatively simple task, but in most cases it’s not. Modern software projects make use of a long list of 3rd party software packages, each of which often calls on many other dependencies. This can create a very extensive tree of dependencies being used by your software.

SBOM reports follow a standard format that includes detailed information about each involved component. At a minimum, for each component, it must give the component’s name, supplier name, version, hashes and other unique identifiers, dependency relationship, author of SBOM data and timestamp.

It also needs to cover every software modification and update in order to reflect the current status of the project. This is best accomplished using an automated process that is integrated into your CI/CD pipeline.

Overview

Checkmarx One uses the SCA and Container Security scanners to identify images and packages used in your project. Checkmarx also leverages our ability to identify vulnerabilities, suspected malware risks and licenses associated with your packages to supplement the standard SBOM info. This creates an SBOM that provides real insight into the risks associated with your 3rd party components.

SBOM reports can be generated in CycloneDX v1.6 or SPDX v2.2 formats, with additional “property” fields showing supplemental risk data. The reports can be exported in XML or JSON format. There are two types of SBOM reports that can be generated in Checkmarx One:

  • Project SBOM - based on results from a specific project scan. Supported for SCA scanner.

  • Application SBOM - based on the last successful scan of each project associated with application. Supported for SCA and Container Security scanners.

SBOMs can be generated from the web portal (UI) as well as via CLI or API.

Generating SBOM Report for a Project

You can generate an SBOM based on the scan results of the SCA scanner for a specific project.

To generate an SBOM report:

  1. On the Projects page, hover over the Results button for the desired project and select SCA.

    Image_2106.png

  2. On the Scan Results page, Click on the Export button Export.png in the header bar.

    The export type menu opens.

    Image_2110.png

  3. Click on Software Bill of Materials.

    The SBOM configuration dialog opens.

    6426460378.png

  4. Select the desired SBOM standard. Options are: SPDX or CycloneDx.

  5. Select the output format. Options are: for CycloneDx, XML or JSON; for SPDX only JSON is supported.

  6. Click Export.

    The SBOM report is downloaded and can be viewed on standard XML/JSON viewers.

Generating SBOM Report for an Application

You can generate an SBOM report for a Checkmarx One application. This will include data identified by the SCA and/or Container Security scanners in all projects associated with that application. Data is taken from the last successful scan of the project.

To generate an SBOM report:

  1. On the Workspace Workspace.png > Projects page, click 252199_spr.png in the Filters and Groups bar and select SBOM Report from the dropdown menu.

    Image_2112.png

  2. The Generate Report sliding pane is displayed.

    Image_2113.png

  3. Select the desired Report Type. Options are: SPDX or CycloneDx.

  4. Select the output format. Options are: for CycloneDx, XML or JSON; for SPDX only JSON is supported.

  5. Under By Application, select the desired application.

  6. Under Scanners select the scanners for which you would like to include results in the SBOM report . Options are: SCA and Container Secutiry.

  7. Select the Hide Private Packages checkbox if you want to exclude private packages from the report.

  8. If you would like to send the report to email recipients, expand the Optional Settings section and enter the required email details under Send Report by Email. (optional)

  9. Click Generate.

    The SBOM report is downloaded and can be viewed on standard XML/JSON viewers.

Viewing CycloneDx SBOM Reports

Checkmarx CycloneDx SCA SBOM Reports can be generated in XML or JSON format and can be viewed in standard XML and JSON viewers.

The report follows the CycloneDX v1.6 format, which includes standard SBOM fields such as: Id (Purl), Component name, Version, License and Hashes, all those will be included in every SBOM as a required fields list.

In addition, Checkmarx SCA adds a “properties” section with extended information for each library. This section contains key information about the risks associated with the library.

Sample XML:

6102418948

SBOM Component Dependencies

Each component contains its dependent components, and each dependency section contains a set of required fields and a properties section.

Sample Components Section (XML):

6102418955
In this section: