Skip to content

CycloneDX Import Specifications#

This page explains which fields of an SBOM in OWASP CycloneDX (v1.x) format FutureVuls interprets and imports, and how.

For the format-independent common specifications, such as component type determination and the import of OS and dependency libraries, refer to "SBOM Import Specifications". This page covers the field mapping specific to CycloneDX.

FutureVuls reads the following information from CycloneDX.

metadata#

  "metadata": {
    "timestamp": "2023-08-08T08:22:10+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.43.0"
      }
    ],
    "component": {
      "bom-ref": "__ROOT_COMPONENT_REF__",
      "type": "container",
      "name": "ami-xxxxxxxxxxxxxxxxx"
    }
  }
  • The generating tool is detected via tools.
  • If the component has type: operating-system, it may be imported as OS information.

components#

  "components": [
    {
      "bom-ref": "__OPERATING_SYSTEM_COMPONENT_REF__",
      "type": "operating-system",
      "name": "amazon",
      "version": "2023"
    },
    {
      "bom-ref": "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64",
      "type": "library",
      "name": "bash",
      "version": "4.2.46-34.amzn2023",
      "purl": "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64"
    },
    {
      "bom-ref": "__APPLICATION_COMPONENT_REF__",
      "type": "application",
      "name": "opt/vuls-saas/vuls",
      "properties": [
        {
          "name": "aquasecurity:trivy:Type",
          "value": "gobinary"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2",
      "type": "library",
      "name": "github.com/vulsio/go-exploitdb",
      "version": "v0.4.2",
      "purl": "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2"
    },
    ...
  ]

components, which represent the list of software in CycloneDX, are imported as follows, using type as a hint.

  • If type is operating-system, it is imported as OS information.
  • If type is library, it is imported as either an OS package or a language library.
  • If type is application, it is imported as application information (with some exceptions).
  • Other types such as type: firmware and type: device are also imported.

The actual software type of each component (os / library / private) is determined based on its purl and cpe information. For the determination rules, refer to "Component Type Determination". In addition, the license information described in licenses is also imported.

dependencies#

  "dependencies": [
    {
      "ref": "__ROOT_COMPONENT_REF__",
      "dependsOn": [
        "__OPERATING_SYSTEM_COMPONENT_REF__",
        "__APPLICATION_COMPONENT_REF__"
      ]
    },
    {
      "ref": "__OPERATING_SYSTEM_COMPONENT_REF__",
      "dependsOn": [
        ...
        "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64",
        ...
      ]
    },
    {
      "ref": "__APPLICATION_COMPONENT_REF__",
      "dependsOn": [
        ...
        "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2",
        ...
      ]
    },
    ...
  ]
  • If the ref is an OS, each component listed in its dependsOn is imported as an OS package.
  • If the ref is an application, each component listed in its dependsOn is imported as a dependency library.
  • If dependsOn refers to another dependency, it is imported recursively.
  • components that do not exist in dependencies are imported by referring to their PURL, and are classified as OS packages or dependency libraries.