SBOMs from vendors describe the components, licenses, and related metadata inside software you procure. Import them into Endor Labs so you can store, search, and analyze that composition next to the applications your organization builds.
Endor Labs’ SBOM Hub is a central location to store, search, and monitor SBOMs from vendors. When you import a file, Endor Labs ingests, parses, and analyzes it and keeps versions so you can see how vendor composition changes over time. For SBOM program design and day-to-day operations, see Key questions for your SBOM program.
You can use finding policies to identify vulnerabilities, unmaintained open source software, license risks, and outdated dependencies in the SBOMs provided to you by your third-party software vendors.
Import an SBOM to Endor Labs
Import a vendor's SBOM into the Endor Labs application to discover vulnerabilities and view findings for the software it describes.
You can use the following methods to import SBOMs:
- Import SBOMs through the Endor Labs UI to upload your SBOMs and access vulnerability and dependency insights.
- Import SBOMs through the Endor Labs CLI to ingest SBOMs and access vulnerability and dependency insights directly from your command line.
Import SBOMs through the Endor Labs UI
To import SBOMs through the Endor Labs UI and view vulnerability and dependency insights:
- Select SBOM Hub from the left sidebar.
- Select Import SBOM in the top right-hand corner.
- Choose Upload File and select the type of SBOM you are uploading, in either XML or JSON format.
- Use CycloneDX if your vendor has provided you with a CycloneDX format SBOM.
- Use SPDX if your vendor has provided you with an SPDX format SBOM.
- Select Browse to upload your SBOM from your workstation or drag the SBOM into the Endor Labs user interface.
Once you have imported an SBOM through the UI, Endor Labs schedules a background scan for it within the next few hours; results are not available immediately.
Import SBOMs through the Endor Labs CLI
Import an SBOM using the CLI to trigger an instant scan and immediately view vulnerabilities and dependency insights with the following command:
```
endorctl sbom import --sbom-file-path=/path/to/your/sbom.json
```
For an SPDX SBOM, pass --format=spdx:
```
endorctl sbom import --format=spdx --sbom-file-path=/path/to/your/sbom.json
```
See the SBOM import command for endorctl for more information.
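When a vendor hands over a batch of SBOMs, the practical problem is knowing which command form to run for each file before you touch endorctl. The following Python script is an added example, not Endor Labs' own code: it detects CycloneDX versus SPDX from the spec-defined markers inside the file (not from the file name, which vendors choose freely), builds the argv for the command form documented above, and only executes it when asked. The sample SBOM documents are constructed here, and the assumption that the plain command (no --format) imports CycloneDX while --format=spdx imports SPDX is taken from the two command forms above rather than from any further documentation.

```python
"""Detect a vendor SBOM's format and build the documented endorctl import command.

Added example for this page, not Endor Labs' own code. Assumptions not on
the page: the sample documents below are constructed here, and omitting
--format (the page's first command form) imports a CycloneDX file while
--format=spdx (the second form) imports an SPDX file.
"""
import json
import re
import subprocess
from pathlib import Path
from typing import List, Union

# Spec-defined markers: CycloneDX JSON carries "bomFormat": "CycloneDX" and
# CycloneDX XML uses the cyclonedx.org namespace; SPDX JSON carries
# "spdxVersion", SPDX tag-value starts with "SPDXVersion:", and SPDX RDF/XML
# uses the spdx.org/rdf/terms namespace.
CYCLONEDX_XML_NS = re.compile(r'xmlns="http://cyclonedx\.org/schema/bom/')


def detect_sbom_format(text: str) -> str:
    """Return "cyclonedx" or "spdx"; raise ValueError for anything else."""
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
        except json.JSONDecodeError as exc:
            raise ValueError(f"not valid JSON: {exc}") from exc
        if doc.get("bomFormat") == "CycloneDX":
            return "cyclonedx"
        if "spdxVersion" in doc:
            return "spdx"
        raise ValueError("JSON document has neither bomFormat nor spdxVersion")
    if stripped.startswith("<"):
        if CYCLONEDX_XML_NS.search(stripped):
            return "cyclonedx"
        if "spdx.org/rdf/terms" in stripped:
            return "spdx"
        raise ValueError("XML document uses neither the CycloneDX nor the SPDX namespace")
    if stripped.startswith("SPDXVersion:"):
        return "spdx"
    raise ValueError("unrecognized SBOM format")


def build_import_command(path: Union[str, Path], fmt: str) -> List[str]:
    """argv for the command form the page documents for each format."""
    argv = ["endorctl", "sbom", "import"]
    if fmt == "spdx":
        argv.append("--format=spdx")
    elif fmt != "cyclonedx":
        raise ValueError(f"unsupported format {fmt!r}")
    argv.append(f"--sbom-file-path={path}")  # argv list: no shell quoting issues
    return argv


def import_sbom(path: Path, run: bool = False) -> List[str]:
    """Detect the format, build the command, and execute it only if run=True."""
    fmt = detect_sbom_format(path.read_text(encoding="utf-8"))
    argv = build_import_command(path, fmt)
    if run:
        subprocess.run(argv, check=True)  # raises if endorctl exits non-zero
    return argv


def plan_imports(directory: Path) -> List[List[str]]:
    """One import command per recognizable SBOM in a directory; others are skipped."""
    plans = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        try:
            plans.append(import_sbom(path))
        except ValueError as exc:
            print(f"skip {path.name}: {exc}")
    return plans


# Constructed minimal samples, not real vendor SBOMs.
SAMPLE_CYCLONEDX_JSON = json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": []}
)
SAMPLE_SPDX_JSON = json.dumps(
    {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
     "SPDXID": "SPDXRef-DOCUMENT", "name": "vendor-app", "packages": []}
)
SAMPLE_CYCLONEDX_XML = (
    '<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.5" '
    'version="1"><components/></bom>'
)
SAMPLE_SPDX_TAG_VALUE = "SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "vendor-a.cdx.json").write_text(SAMPLE_CYCLONEDX_JSON)
        (d / "vendor-b.spdx.json").write_text(SAMPLE_SPDX_JSON)
        (d / "vendor-c.xml").write_text(SAMPLE_CYCLONEDX_XML)
        (d / "vendor-d.spdx").write_text(SAMPLE_SPDX_TAG_VALUE)
        (d / "notes.txt").write_text("not an SBOM\n")
        for argv in plan_imports(d):
            print(" ".join(argv))
```

Run it as-is to see the planned commands for the constructed files (notes.txt is reported and skipped); pass run=True to import_sbom, or add that flag to plan_imports, once you have confirmed the plan and endorctl is authenticated. Detecting the format from content rather than the file name matters because a mislabelled file imported with the wrong format fails or produces an empty dependency view, and you will not notice until the scan results come back.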
Manage SBOMs
You can manage SBOMs by deleting unwanted files and editing tags for consistent search and filtering.
Delete an SBOM
- Select SBOM Hub from the left sidebar.
- Select one or more SBOMs to remove.
- Select the vertical three dots on the row, then select Delete SBOM.
Edit tags for an SBOM
Tags are keywords you attach to SBOMs to group and filter them, for example, by vendor or data classification. A tag can be at most 63 characters long and can contain letters (A-Z), digits (0-9), and the special characters = @ _ . - only.
To edit tags for SBOMs:
- Select SBOM Hub from the left sidebar.
- Select one or more SBOMs.
- Select Edit Tags in the top right-hand corner.
- Add, change, or remove tags, then save.
Tagging strategies for SBOMs
To improve your team’s ability to search and manage SBOMs, you can tag them as they are received. Tagging SBOMs helps your team understand the applications, vendors, and their importance to your business.
| Use Case | Rationale | Example Tags |
|---|---|---|
| Data Classification | Understand the kind of data a vendor or vendor application handles for you. | Classification_Restricted, Classification_HighlySensitive, Classification_Public |
| Vendor Name | Some SBOMs may lack vendor information. Be sure to label your SBOMs with vendor names for better vendor management. | Vendor_RedHat |
| Vendor Criticality | Tag your SBOMs according to your internal vendor tier strategy or if the vendor is considered critical. This will streamline regular SBOM reviews. | Critical_Vendor, Tier1_Vendor |
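Vendor names and classification labels usually arrive with spaces and punctuation ("Red Hat, Inc.", "Highly Sensitive") that the tag constraint above does not allow, so a team that tags SBOMs on receipt needs a consistent way to derive tags in the Prefix_Value style the table uses. The following Python is an added example, not Endor Labs' own code: it checks tags against the documented limit and character set, and builds tags such as Vendor_RedHat from raw values. The 63-character limit and the allowed set come from the page; accepting lowercase letters, dropping disallowed characters, trimming punctuation from the ends, and truncating are this example's assumptions, not documented Endor Labs behaviour.

```python
"""Check and build SBOM Hub tags against the documented constraint.

Added example for this page, not Endor Labs' own code. The 63-character
limit and the allowed characters (A-Z, 0-9, = @ _ . -) come from the page;
accepting lowercase letters and the normalization rule in make_tag (drop
every other character, trim punctuation from the ends, truncate) are this
example's assumptions, not documented Endor Labs behaviour.
"""
import re
from typing import Dict, List

MAX_TAG_LEN = 63
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9=@_.\-]")
DISALLOWED_RUN = re.compile(r"[^A-Za-z0-9=@_.\-]+")
EDGE_PUNCT = "=@_.-"


def tag_problems(tag: str) -> List[str]:
    """Return the reasons a tag would be rejected; an empty list means it is fine."""
    problems = []
    if not tag:
        problems.append("empty tag")
    if len(tag) > MAX_TAG_LEN:
        problems.append(f"{len(tag)} characters exceeds {MAX_TAG_LEN}")
    bad = sorted({ch for ch in tag if not ALLOWED_CHAR.fullmatch(ch)})
    if bad:
        problems.append(f"disallowed characters: {''.join(bad)!r}")
    return problems


def invalid_tags(tags: List[str]) -> Dict[str, List[str]]:
    """Map each invalid tag in a batch to its problems, so the batch can be fixed before saving."""
    result = {}
    for tag in tags:
        problems = tag_problems(tag)
        if problems:
            result[tag] = problems
    return result


def make_tag(prefix: str, value: str) -> str:
    """Build a tag in the page's Prefix_Value style, e.g. ("Vendor", "Red Hat") -> "Vendor_RedHat".

    Assumed rule: characters outside the allowed set are dropped, punctuation is
    trimmed from the ends, and the result is cut to the documented maximum.
    """
    prefix = DISALLOWED_RUN.sub("", prefix).strip(EDGE_PUNCT)
    cleaned = DISALLOWED_RUN.sub("", value).strip(EDGE_PUNCT)
    tag = f"{prefix}_{cleaned}" if cleaned else prefix
    return tag[:MAX_TAG_LEN].rstrip(EDGE_PUNCT)


if __name__ == "__main__":
    # Constructed intake record for one vendor SBOM, not real vendor data.
    intake = {"vendor": "Red Hat, Inc.", "classification": "Highly Sensitive", "tier": "Tier 1"}
    proposed = [
        make_tag("Vendor", intake["vendor"]),
        make_tag("Classification", intake["classification"]),
        make_tag(intake["tier"].replace(" ", ""), "Vendor"),
    ]
    print("proposed tags:", proposed)
    # Tags typed by hand often violate the constraint; show why before saving.
    print("rejected:", invalid_tags(["Vendor_RedHat", "tier 1", "x" * 64]))
```

Run the script to see the derived tags for the constructed intake record and the reasons the hand-typed tags "tier 1" and a 64-character string would be rejected. Deriving tags from intake fields this way keeps vendor and classification tags searchable under one spelling, which is the point of the tagging strategies in the table; whether Endor Labs itself normalizes or rejects an out-of-policy tag when you save is not stated on this page, so validate before editing tags in bulk.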