SPDX Application Analysis

Sonatype Lifecycle can analyze SBOMs in SPDX v2.3 format. Beginning with IQ Server version 192, it also supports SPDX v2.2.

Note

Sonatype Lifecycle does not currently support all SPDX license expressions. When such expressions are present, Lifecycle may be unable to interpret the combined license expression and may instead evaluate the license identifiers individually. In this case, analysis results and reports may list individual licenses rather than the combined SPDX expression.

Analyzing an SBOM

Any Sonatype scanner and most of the integrations will analyze SBOMs found in the root context of the application scan target when using the naming format listed below in the Identification Source section.

SBOMs may be targeted directly using the command line scanner (CLI), by uploading to the user interface, or by scripting using the Third-Party Scan REST API.

Any application scan may be exported as an SBOM in the CycloneDX and SPDX formats. Learn about more SBOM use cases from our SBOM guide.

Identification Source

The SPDX format can be used as an Identification Source in the Application Composition Report. Lifecycle scanners automatically incorporate discovered SPDX SBOMs in the following patterns.

When no source is provided through the API or using the above filename prefix, "Third Party" is used as the Identification Source in the Application Composition Report.

Component Identifiers, Package URL, and SHA-1 Hash

For packages declared in an SPDX file, scanners use the following priority when identifying components. An example of each is included below.

  1. Package-URL (PURL)

  2. SHA-1 Hashes

  3. Component Identifiers (i.e. name, version)

Note

In the unlikely case that the same component is found more than once in the SBOM, only the data of the first occurrence is processed and shown.

Dependency Relationships

The SPDX v2.2 and v2.3 formats can include an optional Relationships section that lists package, file, or snippet dependencies. When it is present, Lifecycle scanners read all known relationship types, include the information in the scan report, and use it to build the dependency tree.

Note

The supported SPDX input formats for Application Analysis are JSON (.spdx.json) and XML (.spdx.xml). Other file types or extensions are not supported at this time.

Application Reports

In addition to using SPDX application analysis, you can export application composition reports from Lifecycle to SPDX SBOM in the following ways:

<?xml version='1.0' encoding='UTF-8'?>
<Document>
    <SPDXID>SPDXRef-DOCUMENT</SPDXID>
    <spdxVersion>SPDX-2.3</spdxVersion>
    <creationInfo>
        <created>2023-08-21T16:49:07Z</created>
        <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
    </creationInfo>
    <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
    <dataLicense>CC0-1.0</dataLicense>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-No-Sources</licenseId>
        <extractedText>No-Sources</extractedText>
    </hasExtractedLicensingInfos>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-Not-Declared</licenseId>
        <extractedText>Not-Declared</extractedText>
    </hasExtractedLicensingInfos>
    <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-api</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
        <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-core</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-databind</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-core</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-annotations</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.sonatype.testing/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
        <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
        <name>com.sonatype.testing:test-app</name>
        <versionInfo>1.0.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>NOASSERTION</licenseDeclared>
        <name>sonatype:iq_application_Test App 01</name>
        <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
    </packages>
    <relationships>
        <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
        <relationshipType>DESCRIBES</relationshipType>
        <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
    </relationships>
</Document>

{
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
        "created": "2023-08-21T16:46:39Z",
        "creators": [
            "Tool: Sonatype IQ Server - 1.166.0"
        ]
    },
    "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
    "dataLicense": "CC0-1.0",
    "hasExtractedLicensingInfos": [
        {
            "licenseId": "LicenseRef-No-Sources",
            "extractedText": "No-Sources"
        },
        {
            "licenseId": "LicenseRef-Not-Declared",
            "extractedText": "Not-Declared"
        }
    ],
    "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
    "packages": [
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/[email protected]?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-api",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: SONATYPE",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(Apache-2.0 AND MIT)",
            "licenseDeclared": "(Apache-2.0 AND MIT)",
            "name": "com.fasterxml.jackson.core:jackson-core",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-databind",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
                    "referenceType": "advisory"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
                    "referenceType": "advisory"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/[email protected]?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-core",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-annotations",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.sonatype.testing/[email protected]?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "name": "com.sonatype.testing:test-app",
            "versionInfo": "1.0.0"
        },
        {
            "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "name": "sonatype:iq_application_Test App 01",
            "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
        }
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0"
        }
    ]
}

<?xml version='1.0' encoding='UTF-8'?>
<Document>
    <SPDXID>SPDXRef-DOCUMENT</SPDXID>
    <spdxVersion>SPDX-2.2</spdxVersion>
    <creationInfo>
        <created>2024-07-29T17:43:25Z</created>
        <creators>Tool: Sonatype SBOM Manager - 1.180.0-SNAPSHOT</creators>
    </creationInfo>
    <name>webgoat</name>
    <dataLicense>CC0-1.0</dataLicense>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-Not-Declared</licenseId>
        <extractedText>Extracted license created by Sonatype SBOM Manager</extractedText>
        <name>Not Declared</name>
    </hasExtractedLicensingInfos>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-See-License-Clause</licenseId>
        <extractedText>Extracted license created by Sonatype SBOM Manager</extractedText>
        <name>See-License-Clause</name>
    </hasExtractedLicensingInfos>
    <documentNamespace>nullui/links/sbomManager/management/view/application/webgoat/bom/v1</documentNamespace>
    <packages>
        <SPDXID>SPDXRef-32dd9982-7edc-4cde-85f6-8946cabca003</SPDXID>
        <attributionTexts>Evidence license text for: (Apache-1.1 AND MIT AND Aladdin)</attributionTexts>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/log4j/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SOURCE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://www.source.com/abc-123</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2010-0053</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>Apache-1.1</licenseDeclared>
        <name>log4j:log4j</name>
        <versionInfo>1.2.8</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-e6a49891-d1d5-4358-8688-b5a03a546f90</SPDXID>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2015-0002</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/commons-collections/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>commons-collections:commons-collections</name>
        <versionInfo>3.1</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-333584e5-0101-4a21-8f5b-61b10926cf3c</SPDXID>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/commons-digester/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>(Apache-1.1 AND LicenseRef-Not-Declared)</licenseDeclared>
        <name>commons-digester:commons-digester</name>
        <versionInfo>1.4.1</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-85e600ff-6842-4b60-bbc5-56a45e3a357c</SPDXID>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>cpe:/a:commons-discovery:commons-discovery:0.2</referenceLocator>
            <referenceType>cpe22Type</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/commons-discovery/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>(Apache-1.1 AND LicenseRef-Not-Declared)</licenseDeclared>
        <name>commons-discovery:commons-discovery</name>
        <versionInfo>0.2</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-0cd0109c-4389-4c65-b95a-1d3b552d902a</SPDXID>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/commons-logging/[email protected]?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>cpe:2.3:a:commons-logging:commons-logging:1.0.4:*:*:*:*:*:*:*</referenceLocator>
            <referenceType>cpe23Type</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>(LicenseRef-See-License-Clause AND Apache-2.0)</licenseDeclared>
        <name>commons-logging:commons-logging</name>
        <versionInfo>1.0.4</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-c9f3c210-670e-41c0-993b-af8a7768f25b</SPDXID>
        <copyrightText>NOASSERTION</copyrightText>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:generic/sonatype/iq_application_webgoat@218214e0852748659076521b3b8ee137</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>NOASSERTION</licenseDeclared>
        <name>sonatype:iq_application_webgoat</name>
        <versionInfo>218214e0852748659076521b3b8ee137</versionInfo>
    </packages>
    <relationships>
        <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
        <relationshipType>DESCRIBES</relationshipType>
        <relatedSpdxElement>SPDXRef-c9f3c210-670e-41c0-993b-af8a7768f25b</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-333584e5-0101-4a21-8f5b-61b10926cf3c</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-e6a49891-d1d5-4358-8688-b5a03a546f90</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-333584e5-0101-4a21-8f5b-61b10926cf3c</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-0cd0109c-4389-4c65-b95a-1d3b552d902a</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-85e600ff-6842-4b60-bbc5-56a45e3a357c</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-0cd0109c-4389-4c65-b95a-1d3b552d902a</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-c9f3c210-670e-41c0-993b-af8a7768f25b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-85e600ff-6842-4b60-bbc5-56a45e3a357c</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-c9f3c210-670e-41c0-993b-af8a7768f25b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-333584e5-0101-4a21-8f5b-61b10926cf3c</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-c9f3c210-670e-41c0-993b-af8a7768f25b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-32dd9982-7edc-4cde-85f6-8946cabca003</relatedSpdxElement>
    </relationships>
</Document>

Analysis using the Jenkins plugin

By default, the Jenkins plugin will not evaluate SPDX files. A custom Scan Target will be required to analyze the SPDX SBOM.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/*.spdx.xml'], [scanPattern: '**/*.spdx.json']], iqStage: 'build'

Analysis using the Bamboo plugin

Scan Targets in Bamboo control which files are analyzed. To evaluate SPDX SBOMs, add the spdx.xml and spdx.json patterns to the scan targets as a comma-separated list, e.g.

Example Bamboo Scan Patterns

**/*.spdx.xml,**/*.spdx.json