Skip to content

Import Specifications#

This page explains the common specifications for how the information contained in an SBOM file is imported into FutureVuls (or not imported) when you import an SBOM file.

For the format-specific parsing specifications of CycloneDX and SPDX, refer to "CycloneDX Import Specifications" and "SPDX Import Specifications".

Import Process Flow#

SBOM files are imported roughly in the following flow. FutureVuls reads the list of components (software) from the SBOM file, determines the software type from each component's identifiers (PURL / CPE), and then registers them in FutureVuls as OS information, OS packages, and dependency libraries.

flowchart LR
    subgraph S1["1. Read"]
        A["SBOM file<br>Component list"]
    end
    subgraph S2["2. Type determination"]
        C{"Evaluate identifiers"}
    end
    subgraph S3["3. Software type"]
        D["OS package (os)<br>*Server SBOM only"]
        E["Language library (library)"]
        F["private"]
        G["Not registered"]
    end
    subgraph S4["4. Registration"]
        Z["Registered in FutureVuls"]
    end
    A --> C
    C -->|"OS package ecosystem PURL"| D
    C -->|"Language ecosystem PURL"| E
    C -->|"Other PURL / CPE / name only"| F
    C -->|"No identifiers"| G
    D --> Z
    E --> Z
    F --> Z

One OS per SBOM

FutureVuls assumes that one SBOM file corresponds to one OS. If a single SBOM contains information for multiple operating systems, an import error will occur.

Component Type Determination#

The software type under which a component is registered and the priority of its information depend on the identifiers it contains (PURL / CPE). To understand how vulnerability detection is performed against the registered information, refer to "Behavior When Both CPE and PURL Are Assigned".

The determination gives top priority to the PURL; if there is no PURL, the CPE or name is used.

Identifiers the component has Registered type Remarks
PURL (OS package ecosystem) os (OS package) Server SBOMs only. rpm / deb / apk, etc.
PURL (language ecosystem) library (language library) npm / maven / pypi, etc.
PURL (any other ecosystem) private
No PURL + has a CPE private Registered with the CPE information
No PURL or CPE + has a name private Registered with the name and version (if there is no version, it is registered as unknown)
None of PURL, CPE, or name Not registered due to lack of required information

Components that have both a PURL and a CPE are registered with both identifiers assigned.

Why PURL (Package URL) is Recommended

CPE (Common Platform Enumeration) carries a risk of false positives in vulnerability detection for OS packages and OSS libraries (details).

PURL, on the other hand, allows for precise identification based on the package manager's ecosystem, improving the accuracy of vulnerability detection. Therefore, FutureVuls prioritizes importing components that have a PURL.

Software with neither a PURL nor a CPE assigned will not be subject to vulnerability detection unless a CPE or PURL is manually assigned after the SBOM import (see CPE/PURL Assignment).

Supported Ecosystems (PURL Type)#

Whether a component is an OS package or a language library is determined by the PURL type (ecosystem). Typical examples are as follows.

  • OS packages: rpm / deb / apk, etc.
  • Language libraries: npm (Node.js) / maven and gradle (Java) / pypi (Python) / gem (Ruby) / golang (Go) / composer (PHP) / cargo (Rust) / nuget (C#), etc.

Components with a PURL from any other ecosystem are registered as private.

Imported Information#

OS Information (Server SBOMs Only)#

The OS information contained in the SBOM file is registered as the server's OS only when the file is uploaded as a server SBOM (if there is no OS information, it is registered as Pseudo). We recommend including both the OS name and version (e.g., Ubuntu 20.04, CentOS 7). Note that an import error will occur if multiple sets of OS information are included.

OS Package Information (Server SBOMs Only)#

This is information about software managed by the OS package manager (RPM, deb, apk, etc.). It is imported only when uploaded as a server SBOM, and is displayed in Server Details > Software tab with the type os.

An import error will occur if multiple types of OS packages are mixed (e.g., rpm and deb), or if OS package information is present but OS information is not included.

Dependency Library (Application) Information#

This is information about libraries managed by language-specific package managers (Java, Python, Node.js, Go, etc.). It is imported for both server SBOMs and application SBOMs, and is displayed in Server Details > Software tab with the type library.

Dependency libraries are grouped into applications per language ecosystem or per manifest file (pom.xml, package-lock.json, etc.) — how they are grouped depends on the tool that generated the SBOM. Note that lock files and manifest files themselves are not registered as libraries; only the dependencies listed within them are registered.

License Information#

The license information of components described in the SBOM is imported and can be viewed in Software Details > OSS License. When multiple licenses are specified, they are displayed as an SPDX license expression using AND / OR / WITH. Note that license names that appear invalid (empty strings, extremely long strings, or strings containing copyright notices or boilerplate text, etc.) are not imported.

Information That Is Not Imported#

Vulnerability Information#

Vulnerability information listed within the SBOM file is not imported.

FutureVuls performs its own re-matching process based on the imported component information (PURL or CPE) using its latest vulnerability database. This allows for the discovery of new vulnerabilities that were not detected at the time the SBOM was created.

Troubleshooting#

Here are the main causes and solutions when an SBOM file import fails.

If an Error Occurs During File Registration#

Cause Details / Solution
OS information mismatch Registration will fail if "OS package information (e.g., rpm)" is included but "OS information (OS name)" is missing.
→ Add the OS information or review your tool's configuration.
Duplicate OS information A single SBOM contains information for multiple operating systems.
→ Correct it to a single-OS configuration.
Mixed package formats Different types of OS packages (e.g., apk and deb) are mixed.
→ Ensure that only one type is included.
Unsupported OS The detected OS is not supported by FutureVuls.
→ Check the Supported Environments.
Unsupported format The file is in a format other than CycloneDX / SPDX, or an unsupported version (such as SPDX v3).
→ Output the file in a format and version listed in the Supported Environments.

If the Import Succeeds but Information Is Missing#

  • Missing OS/package information: Did you register it as an "application SBOM"? OS-related information is ignored in application SBOMs.
  • Vulnerabilities are not displayed: Vulnerability information within the SBOM is not used; vulnerabilities will be detected by FutureVuls during the next scan. If you want the results reflected immediately, run a manual scan from the server details page. Also, components that have neither a PURL nor a CPE are not subject to automatic vulnerability detection, so manually assign a CPE or PURL to them.