Hi,
please what does actually BOM/SBOM tool do in lift available through lift.sonatype.com?
I can see that Bill Of Materials tool is executed during analysis, but I do not understand the results for this module.
I would expect that “bill of materials” will report list of dependencies used in the project, eventually with some more information.
In the build logs, there is just
Running V4 API tools
Running Bill Of Materials
Sanitizing repository
Found 0 bugs in 37 seconds
What bugs does it look for?
Why there is 0 bugs, while lift integrated with maven-central shows multiple vulnerabilities.
What actually can I get or expect from this tool (Bill Of Materials) on lift.sonatype.com? Is there available any output from this tool?
Hey @vainyksi. You’ve stumbled across a feature we’re currently working on. We’re adding support for a new “Dependencies” tab which will show you all dependencies that exist in your project as well as which ones have vulnerabilities. It will also have support for exporting CycloneDX JSON. We based this view of the maven-central integration so it should be very familiar to you.
We released the backend part of this (the BOM analysis) early to validate it works correctly. We’re currently finishing up the front end and you should see it appear in the next couple of weeks. Watch this space .
I suspect the “0 bugs” may be a bug in the way the analysis is reporting. I’ll check in with the team.
@amansha when you run an analysis with Sonatype Lift, either by creating a new PR or running an on-demand analysis via the console, you should see the dependencies tab populated with a tree of all your dependencies. You can click into each to see the vulnerabilities and the details of those vulnerabilities. You can export a CycloneDX representation of your Bill of Materials by hitting the “Export CycloneDX” button.
This is all populated by the tool formerly known as Bill Of Materials (Now just called Open Source Vulnerabilities)
Thank you for the clarification! If I understand correctly, the name “Bill of Materials” in the below image has been changed to “Open Source Vulnerabilities”?
@amansha Correct. Before there was actually two tools “Bill of Materials” and “Open Source Vulnerabilities” doing very similar jobs and we’ve consolidated them into one tool “Open Source Vulnerabilities”
Great… but whilst the UI is good at showing our top level components directly, often there is a common cause, and one view we want to see is a list of components in our dependency chain that have vulnarabilities – ie just show me those 4 unique issues, and which (typically transitive) dependency contains them.
That is near impossible on this UI with many components.
One can export to VEX format and programatically check, but it seems it would be useful to have some kind of filter on the UI to answer this kind of question.
.
