Feature Focus: SBOM Import
That’s why a Software Bill of Materials (SBOM) is so important and why SBOM formats like CycloneDX are emerging as standards for sharing SBOMs between, for instance, a company and its software suppliers. An SBOM is like a cooking recipe listing ingredients (software components), telling you exactly what’s inside the package. But reviewing these SBOMs manually can be a real headache. Centralizing this information and keeping control of it is even more complex at the portfolio level.
And that’s exactly what a Software Composition Analysis product like CAST Highlight can do. By importing SBOMs in CycloneDX format, CAST Highlight can instantly analyze every component, check for known vulnerabilities, identify any licensing issues, and highlight any outdated components. It’s like having a super-powered microscope that can instantly see all the tiny details that you might miss, without even having to scan the source code or binaries. And that’s the interesting part of this SBOM importing capability. Let’s see how it works.
How to import a CycloneDX SBOM in CAST Highlight
If you’re familiar with CAST Highlight, you know that an application result is made of scan results and/or survey results for a given application snapshot. As an SBOM is neither a scan nor a survey, the first step will consist of creating an “empty” application result (a new snapshot if you will) which will be the placeholder for the SBOM import.
- Go to APPLICATION SCANS and click on “Start new SBOM import”.
- A modal opens where you can define the snapshot label for the result you’re creating, select the applications and choose the import date.
- Once you click on ‘Save’, a new result is created for the corresponding applications with the defined closing date. You can now start the SBOM file import by clicking on ‘Import SBOM file’.
- A modal opens to upload the SBOM file (the currently supported format is CycloneDX 1.4), define a reference name for this uploaded document (by default, the reference will be the file name) and a generation date (by default, the current date). Note that the same SBOM file cannot be imported more than once for the same application, although the same SBOM file can be uploaded for different applications.
- Select the SBOM corresponding to the application snapshot and click on ‘Save’.
- Finally click on ‘Submit’ to run the SCA result processing for this SBOM import.
Once the SBOM import has been processed by CAST Highlight, application results are available under the Software Composition tab for the given application, exactly as if it were scanned directly. Vulnerabilities, license issues, obsolescence, list of detected components and versions, and other SCA features are available.
You will notice that the ‘Origin’ icon is slightly different from a regular scan, as components are not detected through a dependency file (pom.xml, package.json, etc.) nor a scan fingerprint, but through an SBOM file import.
Note: we released this SBOM importing feature in beta because, although the CycloneDX format is becoming a de facto standard, the format is very flexible and the SBOM structure can differ from one SCA product to another. For instance, one of the key requirements for the current version of the SBOM import is the “purl” (package url) attribute on each component.
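Because an import is rejected or incomplete when components lack a purl, it is worth checking an SBOM before uploading it. The script below is an added example written for this page (it is not CAST Highlight code): it parses a CycloneDX JSON document, verifies the format and spec version, flags components with a missing, malformed or duplicate purl, and computes a content fingerprint that makes it easy to spot when the same SBOM is about to be uploaded twice. The SUPPORTED_SPEC_VERSIONS set, the purl well-formedness rule and the embedded sample SBOM are assumptions constructed for the example.

```python
"""Pre-flight check of a CycloneDX JSON SBOM before handing it to an SCA importer.

Added example for this page; it is not CAST Highlight code. The rules it
enforces come from the text (CycloneDX format, a supported spec version,
a purl on every component). SUPPORTED_SPEC_VERSIONS, the purl check and
the sample document are constructed assumptions.
"""
import hashlib
import json
import re

# Assumption: the two spec versions the page mentions.
SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5"}

# Constructed sample: one well-formed component, one without a purl,
# one whose purl lacks the mandatory "pkg:" scheme.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "commons-text", "version": "1.9",
         "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
        {"type": "library", "name": "lodash", "version": "4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "npm:express@4.18.2"},
    ],
})

# Minimal structural rule: "pkg:<type>/<namespace-and-name>[@version]".
_PURL_RE = re.compile(r"pkg:[A-Za-z0-9.+-]+/.+")


def is_wellformed_purl(purl: str) -> bool:
    """True when the purl has the 'pkg:' scheme, a type and a name part."""
    return bool(_PURL_RE.fullmatch(purl))


def check_sbom(sbom_text: str) -> list[str]:
    """Return a list of problems; an empty list means the SBOM is importable."""
    try:
        sbom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    spec = str(sbom.get("specVersion", ""))
    if spec not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"specVersion {spec!r} not in {sorted(SUPPORTED_SPEC_VERSIONS)}")
    components = sbom.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components listed")
        return problems
    seen = set()
    for idx, comp in enumerate(components):
        label = comp.get("name") or f"component #{idx}"
        purl = comp.get("purl")
        if not purl:
            problems.append(f"{label}: missing purl")
            continue
        if not is_wellformed_purl(purl):
            problems.append(f"{label}: malformed purl {purl!r}")
        elif purl in seen:
            problems.append(f"{label}: duplicate purl {purl!r}")
        seen.add(purl)
    return problems


def sbom_fingerprint(sbom_text: str) -> str:
    """SHA-256 of the JSON in canonical form, so two files with the same content
    (different whitespace or key order) are recognised as the same SBOM."""
    canonical = json.dumps(json.loads(sbom_text), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def purl_types(sbom_text: str) -> dict[str, int]:
    """Count components per package ecosystem (the purl type), a quick sanity
    view before import: a Java application with only npm purls is suspect."""
    counts: dict[str, int] = {}
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl", "")
        if is_wellformed_purl(purl):
            ptype = purl[4:].split("/", 1)[0].lower()
            counts[ptype] = counts.get(ptype, 0) + 1
    return counts


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM) or ["SBOM is ready to import"]:
        print(line)
    print(purl_types(SAMPLE_SBOM))
    print(sbom_fingerprint(SAMPLE_SBOM))
```

Run it against a real file by replacing SAMPLE_SBOM with the file's contents; an empty problem list is the signal that every component carries the purl the importer needs, and the fingerprint can be recorded per application to catch a repeated upload before the tool refuses it.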
CAST Highlight supports the import of CAST Highlight-generated SBOMs, but don’t hesitate to reach out to support (help@castsoftware.com) for any issue with SBOMs from other products.
This feature is available on demand; contact us to enable it for your CAST Highlight instance (help@castsoftware.com).
Supported CycloneDX versions and SBOM tools
CycloneDX: 1.5
Tools:
- CAST Highlight
- Maven
- NodeJS
- Anchore Syft