
SBOM management

Summary

A list of components is automatically created during the analysis process, but you can also attach an SBOM file to your firmware. You can add, delete, or edit individual components. An SBOM can be downloaded, based on the Components page, in CycloneDX or SPDX formats.

An SBOM (Software Bill of Materials) is a list of the components that make up a firmware image. "Component detection" means identifying these components.

As part of the analysis process, a list of components is automatically generated from the uploaded firmware image. For each component, the platform finds:

  • the component's name
  • the component's version
  • the files in the component
  • CPEs (if any)
  • licenses (if any)

For more information on how ONEKEY identifies components, see Components.

Import

You can attach an SBOM file to your firmware during the upload process. The inclusion of an SBOM file with the firmware enables ONEKEY to identify components detectable by the platform or to compare and assess the quality of the SBOM. Supported SBOM formats are:

  • CycloneDX JSON (versions 1.2 - 1.6)
  • CycloneDX XML (versions 1.1 - 1.6)

The SBOM file must be uploaded with the firmware image; it is not possible to upload the SBOM at a later point.

To upload just the SBOM, attach it to an empty firmware image.

Info

Attaching an SBOM to a firmware does not disable automatic component detection. Instead, the platform creates the component list using both sources.

If the imported SBOM includes a component also detected by the platform, the two results are merged. See more details under the Evidences tab.

If a component is included in the imported SBOM but not detected by the platform, it will be listed as containing 0 files.

Warning

ONEKEY cannot perform automated impact assessment on CVEs that have been matched with components that were imported from an SBOM file but not detected by the platform.
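To make the merge behaviour described above concrete, here is an added example (not ONEKEY's code) that models it: components from a constructed CycloneDX JSON fragment are combined with a constructed detection result, a component present in both sources is merged, and an SBOM-only component ends up with 0 files, which is what rules out automated impact assessment. The field names in `DETECTED` and the merged records are assumptions for this illustration.

```python
import json

# Constructed CycloneDX 1.6 JSON fragment standing in for an attached SBOM
# (not taken from any real firmware).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "name": "busybox", "version": "1.36.0",
         "cpe": "cpe:2.3:a:busybox:busybox:1.36.0:*:*:*:*:*:*:*"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})

# Constructed stand-in for the platform's own detection results: each
# detected component together with the files it was found in.
DETECTED = [
    {"name": "busybox", "version": "1.36.0", "files": ["/bin/busybox"]},
    {"name": "openssl", "version": "3.0.8",
     "files": ["/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"]},
]

def merge_components(sbom_json: str, detected: list) -> list:
    """Combine imported SBOM components with detected ones, keyed on
    (name, version). Each result records which sources contributed it;
    an SBOM-only component has no files, so impact assessment is not
    possible for CVEs matched to it."""
    merged = {}
    for comp in detected:
        key = (comp["name"].lower(), comp["version"])
        merged[key] = {"name": comp["name"], "version": comp["version"],
                       "files": list(comp["files"]), "cpe": None,
                       "sources": ["detection"]}
    for comp in json.loads(sbom_json).get("components", []):
        key = (comp["name"].lower(), comp.get("version", ""))
        entry = merged.setdefault(key, {"name": comp["name"],
                                        "version": comp.get("version", ""),
                                        "files": [], "cpe": None,
                                        "sources": []})
        entry["sources"].append("sbom")
        entry["cpe"] = entry["cpe"] or comp.get("cpe")  # keep the SBOM's CPE if any
    for entry in merged.values():
        entry["impact_assessment_possible"] = len(entry["files"]) > 0
    return sorted(merged.values(), key=lambda e: e["name"])
```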

Check details

Components page

Select a firmware to enter Analysis view. Click on the Components tab to see all identified components.

Select a component to open the Component details popup. Here you can see:

  • some basic information about the component (Overview tab),
  • the files it contains (Files tab),
  • the CVEs found (CVEs tab),
  • and a list of items that indicate the methods and sources used in identifying the selected component (Evidences tab).

Editing

Click on the Edit button in the Overview menu of the component details popup to modify the component details.

Edit component

In most fields, you can enter any text without restrictions, but for Tags you can only choose from the items in the dropdown menu.

To edit the CPE string, update the Vendor and Product fields.

Special characters
  • *: stands for ANY. If you place this character in a field it will match with all relevant CPE attributes.
  • -: stands for NA. If you place this character in a field it will have no meaningful value and will not match any attributes (except where the CPE string contains *).

Let's look at an example. The busybox component has the CPE string

cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*

Updating the Vendor field of the component updates its CPE string. Let's insert a * there. Now the CPE string should look something like this:

cpe:2.3:a:*:busybox:*:*:*:*:*:*:*:*

With this CPE, the platform matches the component against every CVE whose CPE contains the :busybox product attribute, regardless of the vendor attribute.

If we put a "-" in the Vendor field, the CPE is updated as follows:

cpe:2.3:a:-:busybox:*:*:*:*:*:*:*:*

In this case, the platform does not match the component against any CVE CPEs that specify a vendor value before :busybox.
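The following added example (not ONEKEY's implementation) parses CPE 2.3 formatted strings and applies the * (ANY) and - (NA) rules stated above to the three busybox variants from this section, so you can check which CVE CPEs each one would match. It models only the rules described on this page, not the full NIST CPE name-matching specification, and the CVE IDs in `SAMPLE_CVES` are constructed placeholders, not real advisories.

```python
import re

# CPE 2.3 formatted-string attribute names, in order.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe: str) -> dict:
    """Split a 'cpe:2.3:...' formatted string into its 11 named attributes.
    Escaped colons ('\\:') are data, so only unescaped ':' separates fields."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(fields) != len(CPE_ATTRS):
        raise ValueError(f"expected 11 attributes, got {len(fields)}: {cpe!r}")
    return dict(zip(CPE_ATTRS, fields))

def attr_matches(component: str, cve: str) -> bool:
    """One attribute, using the rules above: '*' (ANY) on either side matches
    anything; '-' (NA) matches only '-' or '*'; concrete values must be
    equal (compared case-insensitively)."""
    if component == "*" or cve == "*":
        return True
    if component == "-" or cve == "-":
        return component == cve
    return component.lower() == cve.lower()

def cpe_matches(component_cpe: str, cve_cpe: str) -> bool:
    """True if every attribute of the component CPE matches the CVE's CPE."""
    comp, cve = parse_cpe(component_cpe), parse_cpe(cve_cpe)
    return all(attr_matches(comp[a], cve[a]) for a in CPE_ATTRS)

def matching_cves(component_cpe: str, cve_cpes: dict) -> list:
    """IDs (sorted) of the CVEs in {id: cpe} whose CPE matches the component."""
    return sorted(cid for cid, cpe in cve_cpes.items()
                  if cpe_matches(component_cpe, cpe))

# Constructed sample CVE records with placeholder IDs (not real advisories).
SAMPLE_CVES = {
    "CVE-0000-0001": "cpe:2.3:a:busybox:busybox:1.36.0:*:*:*:*:*:*:*",
    "CVE-0000-0002": "cpe:2.3:a:*:busybox:*:*:*:*:*:*:*:*",
    "CVE-0000-0003": "cpe:2.3:a:othervendor:busybox:2.0:*:*:*:*:*:*:*",
    "CVE-0000-0004": "cpe:2.3:a:busybox:dropbear:*:*:*:*:*:*:*:*",
}
```

With the vendor set to `*` the component also picks up the othervendor record; with `-` only the record whose own vendor attribute is `*` remains.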

For the Licenses field you can select an item from the dropdown menu [1], but you can also enter your own text.

To save your changes click Submit, to discard the changes click Cancel.

Important

The Name, Version, and Update fields cannot be left empty. After editing, adding, or deleting a component, rerun the analysis for the changes to take effect and to update CVE matching.

Why edit or add components?

If a component is not detected, the platform cannot perform CVE matching on it, resulting in an overall less accurate CVE match result.

If a component is detected, but with incorrect details, the CVE match results might be inaccurate or non-applicable.

Add components

  1. Click the Create component button.
  2. Enter component info.
  3. Click Submit.

Important

The Name, Version, and Update fields cannot be left empty.

Delete components

  1. Check the boxes next to the components you want to delete.
  2. Click Delete components.

Alternatively, if you want to delete only one component, you can click on Edit on the Details popup, then select Delete.

Export

To download an SBOM, select a firmware and click the Download SBOM button on any page in Analysis view:

Download SBOM

A popup window will open. Here you can select:

  • The SBOM format.
  • The file format.
  • The version of the SBOM file.
  • Whether the files should be included.

Once you are ready, click on the Download button.

Available SBOM formats for download
  • CycloneDX JSON (versions 1.2 - 1.6)
  • CycloneDX XML (versions 1.1 - 1.6)
  • SPDX JSON (version 2.3)
  • SPDX XML (version 2.3)

Global components page

This page lists the components found across all your uploaded firmware images. For more information, see Global Search.

Note

You cannot edit components on the Global components page.

  [1] The dropdown shows valid licenses in the SPDX database.