
Upload SBOMs

Uploading an SBOM for a Product or a Branch / Version imports all of its components, together with their licenses and dependencies. This is a precondition for using License management or OSV scanning.

Currently CycloneDX and SPDX files are supported, both in JSON format.

Import from CI pipelines via the API

A GitHub Action and a GitLab CI template for importing an SBOM will be available shortly.

Alternatively, the REST API can be used to import an SBOM, with the endpoints /api/import/file_upload_sbom_by_id/ and /api/import/file_upload_sbom_by_name/.

Import from the frontend

Additionally, an SBOM can be uploaded via the user interface. When showing a product, there is a respective button in the Import menu:

Start import

Upload of files

A file needs to be selected; the parser used to interpret its content is detected automatically. The Branch / Version is optional.

When uploading a CycloneDX file here, no vulnerabilities are imported, only components with their licenses. To import vulnerabilities from a CycloneDX file, Import observations has to be used.
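As an added illustration (not the product's own parser code), the following Python shows the two steps this upload relies on: detecting from the JSON markers whether a file is CycloneDX or SPDX, and extracting only components, licenses and dependency edges from it, so that a CycloneDX vulnerabilities array is left untouched. The sample SBOMs are constructed, and the field handling follows the public CycloneDX and SPDX JSON schemas, not this product's implementation.

```python
import json

# Constructed sample SBOMs (not taken from any real project), one per format the upload accepts.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "version": "2.0.7",
         "licenses": [{"expression": "MIT OR BSD-3-Clause"}]}],
    "dependencies": [{"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}],
    "vulnerabilities": [{"id": "PLACEHOLDER-VULN-ID"}],  # present in the file, ignored by SBOM upload
})
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-lib", "name": "lib", "versionInfo": "3.2",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "BSD-3-Clause"}],
    "relationships": [{"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": "SPDXRef-lib"}],
})

def detect_sbom_format(raw: str) -> str:
    doc = json.loads(raw)  # non-JSON input raises JSONDecodeError, itself a ValueError
    if not isinstance(doc, dict):
        raise ValueError("an SBOM must be a JSON object")
    if doc.get("bomFormat") == "CycloneDX":  # CycloneDX declares itself explicitly
        return "CycloneDX"
    if "spdxVersion" in doc and "SPDXID" in doc:  # SPDX documents carry these two top-level keys
        return "SPDX"
    raise ValueError("unsupported SBOM format (expected CycloneDX or SPDX JSON)")

def parse_sbom(raw: str) -> tuple:  # returns (components, dependency edges)
    doc, fmt = json.loads(raw), detect_sbom_format(raw)
    if fmt == "CycloneDX":  # a license choice is {"license": {"id"|"name": ..}} or {"expression": ..}
        components = [{"ref": c.get("bom-ref"), "name": c["name"], "version": c.get("version"),
                       "license": ", ".join(l.get("expression") or l.get("license", {}).get("id")
                                            or l.get("license", {}).get("name", "")
                                            for l in c.get("licenses", []))}
                      for c in doc.get("components", [])]
        edges = [(d["ref"], dep) for d in doc.get("dependencies", []) for dep in d.get("dependsOn", [])]
    else:  # SPDX: prefer the concluded license; NOASSERTION/NONE mean "no usable value"
        components = [{"ref": p["SPDXID"], "name": p["name"], "version": p.get("versionInfo"),
                       "license": next((p[k] for k in ("licenseConcluded", "licenseDeclared")
                                        if p.get(k) not in (None, "NOASSERTION", "NONE")), "")}
                      for p in doc.get("packages", [])]
        edges = [(r["spdxElementId"], r["relatedSpdxElement"]) for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "DEPENDS_ON"]
    return components, edges
```

Each dependency edge is (dependent, dependency) in both formats, which is the direction an SPDX DEPENDS_ON relationship and a CycloneDX dependsOn entry express.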

Import algorithm

The import algorithm that decides whether a component with its license already exists or is new is similar to the one used for importing observations.