Skip to main content

Generating an SBOM (software bill of materials)

Generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform.

Supported standards and formats

Semgrep Supply Chain supports the following:

  • CycloneDX 1.4 JSON
  • CycloneDX 1.4 XML

Generating and downloading an SBOM for a single project

  • SBOM generation can be performed only through Semgrep AppSec Platform.
  • You need at least one successful Supply Chain scan on the trunk branch of each repository you want to generate an SBOM for. See Core deployment to set up your Semgrep account and Supply Chain scans.

When generating an SBOM, Semgrep uses the vulnerability information from the default branch for the project, and the dependency information from the latest full scan for the project. Typically, full scans are run only on default branches, but if your workflow differs and you also run full scans on other branches, that can create a mismatch between dependencies and vulnerabilities in the generated SBOM.

To avoid the mismatch, ensure that the latest full scan ran on the default branch of the repository you want to generate an SBOM for.

  1. In Semgrep AppSec Platform, click Supply Chain > Dependencies.
  2. Click the Download icon next to the repository you want an SBOM for.
  3. Click the format you want the SBOM to be in. After clicking, do not refresh or leave the page until the SBOM has been generated.
  4. Once Semgrep has generated the SBOM, click the link provided on the toaster notification to download it. Download link in toaster notification

You have successfully downloaded an SBOM.

Semgrep-specific SBOM data fields

In addition to the minimum elements that define an SBOM, Semgrep provides additional metadata in the vulnerabilities field. Under vulnerabilities are a list of data objects that each describe a specific vulnerability. Each vulnerability has the following data fields:

Semgrep-specific fieldDescription
AdvisoriesLinks to GitHub or NIST advisories about the specific vulnerability.
AffectsThe name and version of the package that the vulnerability affects.
AnalysisSemgrep's analysis of this vulnerability in your supply chain. Under analysis are state and justification fields, which describe if your codebase is affected by the vulnerability and the reason why Semgrep thinks it is or is not affected.
CWEsThe assigned CWE (common weakness enumeration) number.
DescriptionA short description of the vulnerability.
DetailA longer description of the vulnerability, including the affected versions.
RatingsSemgrep Supply Chain's severity rating of this vulnerability.
ReferencesLinks to the specific CVE. References can come from NIST and GitHub Security Advisory.
SourceThe primary source of this vulnerability's advisory.
ToolsDetails about Semgrep, which is the tool used to generate the SBOM.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.