Feature request: ingest BOM report from CycloneDX

We’ve been using the CycloneDX maven plugin and CycloneDX gradle plugin with good results. I’m thinking the output bom.xml could be imported by our subsequent sonar analysis in the CI pipeline.

What sort of checks would you be wanting to run against the SBOM?


The main thing that I would use on a regular basis is the search on the modules - if Sonarqube is able to answer which projects have the dependency module A of version 1.2.3 - it would be ideal

If I read between the lines, I believe you would expect SonarQube to ingest SBOM files so that then you can search if one of your projects (or your Applications, or Portfolios) is impacted by a dependency “A” v1.2.3 that is known to contain a vulnerability. This is what I’m calling Impact Analysis.

Am I correct?

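The impact-analysis query described above, as an added example that is not SonarQube's code nor the CycloneDX plugins': it parses the `<component>` entries of CycloneDX bom.xml documents and reports which projects carry a given group/name/version. The two BOMs, the project names and the `org.example` coordinates are constructed for the example.

```python
"""Impact analysis over CycloneDX SBOMs: which projects carry component A at version X?"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple


def _local(tag: str) -> str:
    """Strip the XML namespace (it changes with the CycloneDX schema version)."""
    return tag.rsplit("}", 1)[-1]


def parse_components(bom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (group, name, version) for every <component>, nested ones included."""
    root = ET.fromstring(bom_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) != "component":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        found.append((fields.get("group", ""), fields.get("name", ""), fields.get("version", "")))
    return found


def impacted_projects(boms: Dict[str, str], group: str, name: str, version: str) -> List[str]:
    """Names of the projects whose SBOM lists exactly this component coordinate."""
    return sorted(p for p, xml in boms.items() if (group, name, version) in parse_components(xml))


# Constructed sample BOMs keyed by project name (not real projects).
BOMS = {
    "billing-service": """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <group>org.example</group><name>module-a</name><version>1.2.3</version>
    </component>
  </components>
</bom>""",
    "web-frontend": """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <group>org.example</group><name>module-a</name><version>1.3.0</version>
    </component>
    <component type="library">
      <group>org.example</group><name>module-b</name><version>2.0.0</version>
    </component>
  </components>
</bom>""",
}

if __name__ == "__main__":
    # Which projects are affected by an advisory against org.example:module-a 1.2.3?
    print(impacted_projects(BOMS, "org.example", "module-a", "1.2.3"))
```

The same loop works over a directory of bom.xml files produced by the maven or gradle plugin, one per project.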

Butting in :slight_smile: : as someone quite new to devsecops, that would be one of my use cases. Another would be (if this is possible) to see what full chain of dependencies would be affected by resolving such a security issue. For instance, “updating Django to 4.0.8 would require updating these 10 other packages, but would break compatibility with this other package”. (I don’t know if an SBOM generation tool would include quite that depth of info.) The process for carefully updating pinned versions in a requirements.pip file can get tedious when one has a bunch of projects.