SBOM Report in CycloneDX Format
• Regular CycloneDX Version
• CycloneDX VDR Version
• CycloneDX VEX Version
The following is an excerpt from an example SBOM report in regular CycloneDX format (.xml).
The CycloneDX VDR Version and CycloneDX VEX Version reports provide details about the security vulnerabilities associated with the SBOM parts in the bucket.
The CycloneDX VDR (Vulnerability Disclosure Report) provides details for all security vulnerabilities (including vulnerability exclusions) associated with SBOM parts in the bucket. The report is organized by vulnerability and, for a given vulnerability, identifies the parts with which that vulnerability is associated (along with other details). The following shows an excerpt from an example VDR.
The CycloneDX VEX Version provides additional details about each vulnerability exclusion.
The CycloneDX VEX (Vulnerability Exploitability eXchange) report provides details for vulnerability exclusions, that is, vulnerabilities that are associated with SBOM parts but, after your analysis, do not pose a security threat to your application code. Each exclusion listed in the report identifies the SBOM part with which the vulnerability is associated and includes an analysis section describing why the vulnerability is not an exploitability risk, based on the context in which the part is used in the code.
The following is an excerpt from an example VEX report. The analysis section is highlighted in red.
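The following added example (not part of the product documentation or its report excerpts) shows how a consumer of these reports can read the structure described above: each entry under the CycloneDX `vulnerabilities` element names the affected component references, and an exclusion carries an `analysis` element with a state, a justification and free-text detail. The sample document is constructed, uses placeholder CVE identifiers and component names, and assumes the CycloneDX 1.4 XML namespace.

```python
"""Parse the vulnerabilities block of a CycloneDX 1.4 XML report (VDR or VEX
style) and summarise which SBOM components each vulnerability touches and what
analysis, if any, was recorded for it. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET

# Assumption: report uses the CycloneDX 1.4 XML namespace.
NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample: the first vulnerability has no analysis (a plain VDR
# finding); the second is an exclusion with a VEX analysis section.
# CVE ids and package names are placeholders.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/example/lib-a@1.0.0">
      <name>lib-a</name><version>1.0.0</version>
    </component>
    <component type="library" bom-ref="pkg:maven/example/lib-b@2.3.1">
      <name>lib-b</name><version>2.3.1</version>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability>
      <id>CVE-0000-00001</id>
      <source><name>NVD</name></source>
      <ratings><rating><severity>high</severity></rating></ratings>
      <affects><target><ref>pkg:maven/example/lib-a@1.0.0</ref></target></affects>
    </vulnerability>
    <vulnerability>
      <id>CVE-0000-00002</id>
      <source><name>NVD</name></source>
      <ratings><rating><severity>critical</severity></rating></ratings>
      <analysis>
        <state>not_affected</state>
        <justification>code_not_reachable</justification>
        <detail>The vulnerable parser class is never loaded by this application.</detail>
      </analysis>
      <affects><target><ref>pkg:maven/example/lib-b@2.3.1</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>
"""


def _text(elem, path):
    """Text of the first child matching a namespaced path, or None."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_vulnerabilities(xml_text):
    """Return one record per vulnerability: id, severity, affected component
    names and the analysis section (None when no exclusion was recorded)."""
    root = ET.fromstring(xml_text)
    # Map bom-ref -> "name@version" so the summary is human readable.
    refs = {
        c.get("bom-ref"): f"{_text(c, 'bom:name')}@{_text(c, 'bom:version')}"
        for c in root.findall("bom:components/bom:component", NS)
    }
    records = []
    for v in root.findall("bom:vulnerabilities/bom:vulnerability", NS):
        analysis = v.find("bom:analysis", NS)
        records.append({
            "id": _text(v, "bom:id"),
            "severity": _text(v, "bom:ratings/bom:rating/bom:severity"),
            "affects": [refs.get(_text(t, "bom:ref"), _text(t, "bom:ref"))
                        for t in v.findall("bom:affects/bom:target", NS)],
            "analysis": None if analysis is None else {
                "state": _text(analysis, "bom:state"),
                "justification": _text(analysis, "bom:justification"),
                "detail": _text(analysis, "bom:detail"),
            },
        })
    return records


def open_findings(records):
    """Vulnerabilities that still need attention: no analysis at all, or an
    analysis whose state does not close the finding."""
    closed = {"not_affected", "resolved", "false_positive"}
    return [r for r in records
            if r["analysis"] is None or r["analysis"]["state"] not in closed]


if __name__ == "__main__":
    records = parse_vulnerabilities(SAMPLE_BOM)
    for r in records:
        status = "OPEN" if r in open_findings(records) else "EXCLUDED"
        print(f"{r['id']} [{r['severity']}] {', '.join(r['affects'])}: {status}")
        if r["analysis"]:
            print(f"    {r['analysis']['state']} / {r['analysis']['justification']}: "
                  f"{r['analysis']['detail']}")
```

Treating an exclusion as closed only when its `state` is one of the closing values, rather than whenever an `analysis` element exists, matters: a VEX entry with state `in_triage` or `exploitable` still has an analysis section but should remain on the open list.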