Generating an SBOM (software bill of materials)
Generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep Cloud Platform.
Supported standards and formats
Semgrep Supply Chain supports the following:
- CycloneDX 1.4 JSON
- CycloneDX 1.4 XML
Generating and downloading an SBOM for a single project
Prerequisites
- SBOM generation can be performed only through Semgrep Cloud Platform (SCP). Create an account to use this feature.
- You need at least one successful Supply Chain scan on the trunk branch of each repository you want to generate an SBOM for. To add a repository to Semgrep for scanning, see Running scans.
1. In Semgrep Cloud Platform, click Supply Chain > Dependencies.
2. Click the Download icon next to the repository you want an SBOM for.
3. Click the format you want the SBOM to be in. After clicking, do not refresh or leave the page until the SBOM has been generated.
4. Once SCP has generated the SBOM, click the link provided in the toaster notification to download it.
You have successfully downloaded an SBOM.
Semgrep-specific SBOM data fields
In addition to the minimum elements that define an SBOM, Semgrep provides additional metadata in the vulnerabilities field. Under vulnerabilities is a list of data objects, each describing a specific vulnerability. Each vulnerability has the following data fields:
| Semgrep-specific field | Description |
|---|---|
Advisories | Links to GitHub or NIST advisories about the specific vulnerability. |
Affects | The name and version of the package that the vulnerability affects. |
Analysis | Semgrep's analysis of this vulnerability in your supply chain. Under analysis are state and justification fields, which describe whether your codebase is affected by the vulnerability and the reason why Semgrep thinks it is or is not affected. |
CWEs | The assigned CWE (Common Weakness Enumeration) number. |
Description | A short description of the vulnerability. |
Detail | A longer description of the vulnerability, including the affected versions. |
Ratings | Semgrep Supply Chain's severity rating of this vulnerability. |
References | Links to the specific CVE. References can come from NIST and GitHub Security Advisory. |
Source | The primary source of this vulnerability's advisory. |
Tools | Details about Semgrep, which is the tool used to generate the SBOM. |
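As an added example (not Semgrep's code or documentation), the following Python script loads a CycloneDX 1.4 JSON SBOM, resolves each vulnerability's `affects` reference back to the component's name and version, picks the worst rating, and separates findings whose analysis state is exploitable or untriaged from those marked not_affected. The SBOM embedded in the script is constructed for illustration: its package names, advisory ids and URLs are placeholders, and the key layout is assumed to follow the CycloneDX 1.4 vulnerability schema rather than copied from a real Semgrep download.

```python
import json
from collections import Counter

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM laid out the way this
# page describes (components plus a "vulnerabilities" list carrying analysis,
# affects, ratings, cwes, references and source). Every package name, version,
# advisory id and URL below is made up for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"tools": [{"vendor": "Semgrep", "name": "Semgrep Supply Chain",
                            "version": "0.0.0-example"}]},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-left@1.0.0",
         "name": "example-left", "version": "1.0.0", "purl": "pkg:npm/example-left@1.0.0"},
        {"type": "library", "bom-ref": "pkg:pypi/example-right@2.3.4",
         "name": "example-right", "version": "2.3.4", "purl": "pkg:pypi/example-right@2.3.4"},
    ],
    "vulnerabilities": [
        {   # placeholder ids, not real advisories
            "id": "GHSA-0000-example-0001",
            "source": {"name": "GitHub Advisory Database",
                       "url": "https://github.com/advisories/GHSA-0000-example-0001"},
            "references": [{"id": "CVE-0000-00001",
                            "source": {"name": "NVD",
                                       "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-00001"}}],
            "ratings": [{"severity": "high", "method": "other"}],
            "cwes": [79],
            "description": "Constructed example: XSS in example-left.",
            "affects": [{"ref": "pkg:npm/example-left@1.0.0"}],
            "analysis": {"state": "exploitable"},
        },
        {
            "id": "GHSA-0000-example-0002",
            "source": {"name": "GitHub Advisory Database",
                       "url": "https://github.com/advisories/GHSA-0000-example-0002"},
            "references": [],
            "ratings": [{"severity": "critical", "method": "other"},
                        {"severity": "medium", "method": "other"}],
            "cwes": [502],
            "description": "Constructed example: unsafe deserialization in example-right.",
            "affects": [{"ref": "pkg:pypi/example-right@2.3.4"}],
            "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
        },
    ],
})

# CycloneDX severity scale, most severe first, used to pick the worst rating.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]
# Analysis states that still need a human's attention.
OPEN_STATES = {"exploitable", "in_triage"}


def severity_rank(sev):
    """Lower is worse; unrecognised values sort after every known level."""
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject other formats early."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.4":
        raise ValueError("expected a CycloneDX 1.4 JSON document")
    return doc


def component_index(doc):
    """Map each component's bom-ref to the component so 'affects' refs resolve."""
    return {c["bom-ref"]: c for c in doc.get("components", []) if "bom-ref" in c}


def worst_severity(ratings):
    severities = [r.get("severity", "unknown") for r in ratings] or ["unknown"]
    return min(severities, key=severity_rank)


def summarize_vulnerabilities(doc):
    """One flat row per (vulnerability, affected component) pair."""
    index = component_index(doc)
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for affected in vuln.get("affects", []):
            comp = index.get(affected.get("ref"), {})
            rows.append({
                "id": vuln.get("id"),
                "package": comp.get("name", affected.get("ref")),
                "version": comp.get("version"),
                "severity": worst_severity(vuln.get("ratings", [])),
                "cwes": [f"CWE-{n}" for n in vuln.get("cwes", [])],
                "cves": [r["id"] for r in vuln.get("references", [])
                         if str(r.get("id", "")).startswith("CVE-")],
                # Assumption of this example: a missing analysis block is treated as untriaged.
                "state": analysis.get("state", "in_triage"),
                "justification": analysis.get("justification"),
            })
    return rows


def state_counts(rows):
    return Counter(r["state"] for r in rows)


def needs_action(rows):
    """Rows marked exploitable or left untriaged, worst severity first."""
    return sorted((r for r in rows if r["state"] in OPEN_STATES),
                  key=lambda r: severity_rank(r["severity"]))


if __name__ == "__main__":
    rows = summarize_vulnerabilities(load_sbom(SAMPLE_SBOM))
    print(dict(state_counts(rows)))
    for r in needs_action(rows):
        print(r["id"], r["package"], r["version"], r["severity"], r["cwes"], r["cves"])
```

Pointing `load_sbom` at a downloaded file instead of the constructed sample turns this into a quick triage report: the `state_counts` breakdown shows how much of the SBOM Semgrep has already classified as not_affected, and `needs_action` is the list worth opening first.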