This topic describes how to add Software Bill of Materials (SBoM) files to the database so that you can understand your dependencies by querying them. For instructions on querying, see Querying Data.
Add data by posting CycloneDX files using the following methods:
Currently, only CycloneDX XML files are accepted.
Additional format support, for example, SPDX and CycloneDX JSON, is planned for future releases.
To use Grype to scan an image and generate an image report in CycloneDX format:
grype REPO:TAG -o cyclonedx > IMAGE-CVE-REPORT
REPO is the name of your repository.
TAG is the name of a tag.
IMAGE-CVE-REPORT is the resulting file name of the Grype image scan report.
$ grype docker.io/checkr/flagr:1.1.12 -o cyclonedx > image-cve-report
 ✔ Vulnerability DB [updated]
 ✔ Parsed image
 ✔ Cataloged packages [21 packages]
 ✔ Scanned image [8 vulnerabilities]
Use the following commands to add data:
To use a CycloneDX-formatted image report:
insight image create --cyclonedx IMAGE-CVE-REPORT
IMAGE-CVE-REPORT is the name of a CycloneDX-formatted file.
$ insight image create --cyclonedx image-cve-report
Image report created.
Note: The Metadata Store only stores a subset of a CycloneDX file's data. Support for more data might be added in the future.
To use a CycloneDX-formatted source report:
insight source create --cyclonedx SOURCE-CVE-REPORT
SOURCE-CVE-REPORT is the name of a CycloneDX-formatted file.
$ insight source create --cyclonedx source-cve-report
Source report created.
Note: The Metadata Store only stores a subset of a CycloneDX file’s data. Support for more data might be added in the future.
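Because the store currently accepts only CycloneDX XML, a small pre-flight check before posting catches a JSON report or a file that is not a CycloneDX BOM and summarises what is about to be uploaded. The following script is an added example, not part of the insight CLI or this documentation; the sample BOM it contains is constructed, and the script name preflight.py is assumed.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET

CYCLONEDX_NS = "http://cyclonedx.org/schema/bom/"  # namespace prefix shared by all schema versions

def inspect_cyclonedx(data: bytes) -> dict:
    """Verify that data is a CycloneDX XML BOM and return a small summary of it.
    Raises ValueError for CycloneDX JSON (not accepted), malformed XML, or a non-<bom> root."""
    if data.lstrip().startswith(b"{"):
        raise ValueError("CycloneDX JSON is not accepted; regenerate with 'grype ... -o cyclonedx' (XML)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    # ElementTree renders the root tag as '{namespace}bom', e.g. '{http://cyclonedx.org/schema/bom/1.4}bom'
    if not (root.tag.startswith("{" + CYCLONEDX_NS) and root.tag.endswith("}bom")):
        raise ValueError(f"root element {root.tag!r} is not a CycloneDX <bom>")
    ns = root.tag[1:root.tag.index("}")]
    components = root.findall(f"./{{{ns}}}components/{{{ns}}}component")
    vulns = root.findall(f"./{{{ns}}}vulnerabilities/{{{ns}}}vulnerability")
    return {"schema": ns.rsplit("/", 1)[-1], "components": len(components), "vulnerabilities": len(vulns)}

def build_insight_command(kind: str, path: str) -> list:
    """Build the 'insight image create' / 'insight source create' invocation shown on this page."""
    if kind not in ("image", "source"):
        raise ValueError("kind must be 'image' or 'source'")
    return ["insight", kind, "create", "--cyclonedx", path]

# Constructed sample in the shape of a CycloneDX 1.4 XML report; not real grype output.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>example-lib-a</name><version>1.0.0</version></component>
    <component type="library"><name>example-lib-b</name><version>2.3.1</version></component>
  </components>
  <vulnerabilities>
    <vulnerability><id>CVE-PLACEHOLDER-0001</id></vulnerability>
  </vulnerabilities>
</bom>
"""

if __name__ == "__main__":
    # Usage: python preflight.py image image-cve-report   (or: source source-cve-report)
    kind, path = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        summary = inspect_cyclonedx(fh.read())
    print(f"CycloneDX {summary['schema']}: {summary['components']} components, {summary['vulnerabilities']} vulnerabilities; posting with insight")
    sys.exit(subprocess.call(build_insight_command(kind, path)))
```

The check runs before any upload is attempted, so a rejected file never reaches the store and the exit status of insight is passed through unchanged.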