add_data.md

File metadata and controls

108 lines (67 loc) · 3.06 KB

Add data

This topic describes how to add Software Bill of Materials (SBoM) files to the database to understand your dependencies by querying. For instructions on querying, see Query Data.

Methods

Add data by posting CycloneDX files using the methods described in the following sections.

Supported Formats

Currently, only CycloneDX XML files are accepted.

Additional format support is planned for future releases, for example SPDX and CycloneDX JSON.

Generate a CycloneDX File

A CycloneDX file is needed to post data. CycloneDX files can be generated using many tools. This topic uses Grype. Additional tools can be found on the CycloneDX Tool Center.

To use Grype to scan an image and generate an image report in CycloneDX format:

  1. Run:

    grype REPO:TAG -o cyclonedx > IMAGE-CVE-REPORT
    

    Where:

    • REPO is the name of your repository
    • TAG is the name of a tag
    • IMAGE-CVE-REPORT is the resulting file name of the Grype image scan report

    For example:

    $ grype docker.io/checkr/flagr:1.1.12 -o cyclonedx > image-cve-report
     ✔ Vulnerability DB        [updated]
     ✔ Parsed image
     ✔ Cataloged packages      [21 packages]
     ✔ Scanned image           [8 vulnerabilities]
    

Add Data with the Insight CLI

Use the following commands to add data:

  • image create
  • source create

Use insight -h in the terminal or see CLI details for more information.

Example #1: Create an Image Report

To use a CycloneDX-formatted image report:

  1. Run:

    insight image create --cyclonedxtype TYPE --path IMAGE-CVE-REPORT
    

    Where:

    • TYPE specifies XML or JSON, the two supported file types
    • IMAGE-CVE-REPORT is the location of a CycloneDX-formatted file

    For example:

    $ insight image create --cyclonedxtype xml --path downloads/image-cve-report
    Image report created.
    

Note: The Metadata Store only stores a subset of a CycloneDX file’s data. Support for more data might be added in the future.

Example #2: Create a Source Report

To use a CycloneDX-formatted source report:

  1. Run:

    insight source create --cyclonedxtype TYPE --path SOURCE-CVE-REPORT
    

    Where:

    • TYPE specifies XML or JSON, the two supported file types
    • SOURCE-CVE-REPORT is the location of a CycloneDX-formatted file

    For example:

    $ insight source create --cyclonedxtype json --path source-cve-report
    Source report created.
    

Note: The Metadata Store only stores a subset of a CycloneDX file’s data. Support for more data might be added in the future.
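The two create commands above take the same flags, and the value passed to --cyclonedxtype has to match what the file actually contains. The following POSIX sh wrapper is an added example, not code from this topic or from the Insight CLI: it inspects the CycloneDX file, derives xml or json from its contents, and then calls image create or source create with that value. It assumes insight is on PATH; the DRY_RUN variable is the example's own switch (not an Insight CLI option) for printing the command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the original topic or the Insight CLI.
# Picks the --cyclonedxtype value from the file's contents, so the flag
# can never disagree with what is actually in the file.

# cyclonedx_type FILE: prints "xml" or "json"; exits non-zero otherwise.
cyclonedx_type() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # The first non-blank character selects the candidate format.
    first=$(tr -d '[:space:]' < "$file" | cut -c1)
    case "$first" in
        '<')
            # CycloneDX XML: a <bom> root in the cyclonedx.org schema namespace.
            if grep -q '<bom[[:space:]>]' "$file" &&
               grep -q 'cyclonedx.org/schema/bom' "$file"; then
                echo xml; return 0
            fi ;;
        '{')
            # CycloneDX JSON: a top-level "bomFormat": "CycloneDX" member.
            if grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
                echo json; return 0
            fi ;;
    esac
    echo "not a CycloneDX XML or JSON file: $file" >&2
    return 1
}

# insight_create image|source FILE: runs the matching "insight ... create".
# DRY_RUN is this example's own switch (not an Insight CLI option): when set,
# the command is printed instead of executed.
insight_create() {
    kind="$1"; path="$2"
    case "$kind" in
        image|source) ;;
        *) echo "kind must be image or source, got: $kind" >&2; return 1 ;;
    esac
    type=$(cyclonedx_type "$path") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "insight $kind create --cyclonedxtype $type --path $path"
    else
        insight "$kind" create --cyclonedxtype "$type" --path "$path"
    fi
}
```

Run it as `insight_create image image-cve-report` after generating the report with Grype; a file that is neither CycloneDX XML nor JSON is rejected before insight is ever called.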