What does the BOM tool do?

Please, what does the BOM/SBOM tool in Lift (available through lift.sonatype.com) actually do?

I can see that Bill Of Materials tool is executed during analysis, but I do not understand the results for this module.
I would expect that a “bill of materials” would report the list of dependencies used in the project, possibly with some more information.
In the build logs, there is just

Running V4 API tools
  Running Bill Of Materials
  Sanitizing repository
  Found 0 bugs in 37 seconds

What bugs does it look for?
Why are there 0 bugs, while Lift integrated with Maven Central shows multiple vulnerabilities?
What can I actually get or expect from this tool (Bill Of Materials) on lift.sonatype.com? Is there any output available from this tool?


Hey @vainyksi. You’ve stumbled across a feature we’re currently working on. We’re adding support for a new “Dependencies” tab which will show you all dependencies that exist in your project as well as which ones have vulnerabilities. It will also have support for exporting CycloneDX JSON. We based this view on the maven-central integration, so it should be very familiar to you.

We released the backend part of this (the BOM analysis) early to validate it works correctly. We’re currently finishing up the front end and you should see it appear in the next couple of weeks. Watch this space :slight_smile:.

I suspect the “0 bugs” may be a bug in the way the analysis is reporting. I’ll check in with the team.
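Added example, not part of this thread and not Lift's own code: once the Dependencies tab exports CycloneDX JSON, the document can be consumed with a few lines of Python to reproduce the view the reply describes (every component, which ones carry vulnerabilities, ordered by worst severity). The SBOM below is constructed for illustration; the component coordinates and the EXAMPLE-* vulnerability IDs are invented, and the fourth entry deliberately points at a component that is not in the BOM to show the kind of inconsistency a reader should check for before trusting a "0 bugs" summary.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 document standing in for a Lift export.
# Coordinates and vulnerability IDs are invented; nothing here refers to real advisories.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.example/widget-core@1.2.3",
         "group": "com.example", "name": "widget-core", "version": "1.2.3",
         "purl": "pkg:maven/com.example/widget-core@1.2.3"},
        {"type": "library", "bom-ref": "pkg:maven/com.example/widget-net@0.9.0",
         "group": "com.example", "name": "widget-net", "version": "0.9.0",
         "purl": "pkg:maven/com.example/widget-net@0.9.0"},
        {"type": "library", "bom-ref": "pkg:maven/com.example/widget-util@2.0.1",
         "group": "com.example", "name": "widget-util", "version": "2.0.1",
         "purl": "pkg:maven/com.example/widget-util@2.0.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-2022-0001",
         "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/com.example/widget-net@0.9.0"}]},
        {"id": "EXAMPLE-2022-0002",
         "ratings": [{"severity": "medium", "score": 5.3, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/com.example/widget-net@0.9.0"}]},
        {"id": "EXAMPLE-2022-0003",
         "ratings": [{"severity": "critical", "score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/com.example/widget-util@2.0.1"}]},
        # Dangling reference: affects a bom-ref that no component declares.
        {"id": "EXAMPLE-2022-0004",
         "ratings": [{"severity": "low", "score": 3.1, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/com.example/not-in-bom@1.0.0"}]},
    ],
})

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                  "info": 0, "none": 0, "unknown": 0}


def load_bom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def vulnerabilities_by_component(bom):
    """Map each referenced bom-ref to the vulnerability entries that affect it."""
    index = defaultdict(list)
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[target["ref"]].append(vuln)
    return index


def worst_severity(vuln):
    """Highest severity among a vulnerability's ratings, 'unknown' if it has none."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_ORDER.get(s, 0), default="unknown")


def dependency_report(text):
    """Rows (purl, sorted vulnerability IDs, worst severity) for every component, most severe first."""
    bom = load_bom(text)
    index = vulnerabilities_by_component(bom)
    rows = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        vulns = index.get(ref, [])
        ids = sorted(v["id"] for v in vulns)
        worst = max((worst_severity(v) for v in vulns),
                    key=lambda s: SEVERITY_ORDER.get(s, 0), default="none")
        rows.append((comp.get("purl", ref), ids, worst))
    rows.sort(key=lambda r: (-SEVERITY_ORDER.get(r[2], 0), r[0]))
    return rows


def dangling_refs(bom):
    """bom-refs named in 'affects' that no component declares: a sign the BOM and findings disagree."""
    declared = {c.get("bom-ref") or c.get("purl") for c in bom.get("components", [])}
    return sorted(ref for ref in vulnerabilities_by_component(bom) if ref not in declared)


def summary(text):
    """Totals a reader can compare against the single summary line in the build log."""
    rows = dependency_report(text)
    bom = load_bom(text)
    unique_ids = {v["id"] for v in bom.get("vulnerabilities", [])}
    return {"components": len(rows),
            "vulnerable": sum(1 for r in rows if r[1]),
            "vulnerabilities": len(unique_ids)}


if __name__ == "__main__":
    for purl, ids, worst in dependency_report(SAMPLE_BOM):
        print(f"{worst:<9} {purl}  {', '.join(ids) or '-'}")
    print(summary(SAMPLE_BOM))
    print("unresolved refs:", dangling_refs(load_bom(SAMPLE_BOM)))
```

Note that the summary counts four vulnerability IDs while only two components are flagged: the fourth entry is attached to a reference the BOM never declares, which is exactly the discrepancy to look for when a tool reports a count that does not match the dependency list.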


That sounds great, Joseph.

I am looking forward to trying it out.

