CycloneDX Import Specifications#
This page explains which fields of an SBOM in OWASP CycloneDX (v1.x) format FutureVuls interprets and imports, and how.
For the format-independent common specifications, such as component type determination and the import of OS and dependency libraries, refer to "SBOM Import Specifications". This page covers the field mapping specific to CycloneDX.
FutureVuls reads the following information from CycloneDX.
metadata#
"metadata": {
"timestamp": "2023-08-08T08:22:10+00:00",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "0.43.0"
}
],
"component": {
"bom-ref": "__ROOT_COMPONENT_REF__",
"type": "container",
"name": "ami-xxxxxxxxxxxxxxxxx"
}
}
- The generating tool is detected via
tools. - If the
componenthastype: operating-system, it may be imported as OS information.
components#
"components": [
{
"bom-ref": "__OPERATING_SYSTEM_COMPONENT_REF__",
"type": "operating-system",
"name": "amazon",
"version": "2023"
},
{
"bom-ref": "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64",
"type": "library",
"name": "bash",
"version": "4.2.46-34.amzn2023",
"purl": "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64"
},
{
"bom-ref": "__APPLICATION_COMPONENT_REF__",
"type": "application",
"name": "opt/vuls-saas/vuls",
"properties": [
{
"name": "aquasecurity:trivy:Type",
"value": "gobinary"
}
]
},
{
"bom-ref": "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2",
"type": "library",
"name": "github.com/vulsio/go-exploitdb",
"version": "v0.4.2",
"purl": "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2"
},
...
]
components, which represent the list of software in CycloneDX, are imported as follows, using type as a hint.
- If
typeisoperating-system, it is imported as OS information. - If
typeislibrary, it is imported as either an OS package or a language library. - If
typeisapplication, it is imported as application information (with some exceptions). - Other types such as
type: firmwareandtype: deviceare also imported.
The actual software type of each component (os / library / private) is determined based on its purl and cpe information. For the determination rules, refer to "Component Type Determination".
In addition, the license information described in licenses is also imported.
dependencies#
"dependencies": [
{
"ref": "__ROOT_COMPONENT_REF__",
"dependsOn": [
"__OPERATING_SYSTEM_COMPONENT_REF__",
"__APPLICATION_COMPONENT_REF__"
]
},
{
"ref": "__OPERATING_SYSTEM_COMPONENT_REF__",
"dependsOn": [
...
"pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64",
...
]
},
{
"ref": "__APPLICATION_COMPONENT_REF__",
"dependsOn": [
...
"pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2",
...
]
},
...
]
- If the
refis an OS, eachcomponentlisted in itsdependsOnis imported as an OS package. - If the
refis an application, eachcomponentlisted in itsdependsOnis imported as a dependency library. - If
dependsOnrefers to anotherdependency, it is imported recursively. componentsthat do not exist independenciesare imported by referring to their PURL, and are classified as OS packages or dependency libraries.