SBOM Radar Integration
SBOM Radar is one of the open-source tools available within Invicti ASPM. It is developed and maintained by the Invicti team and works by orchestrating other tools that are enabled within Invicti ASPM. The tool-specific configuration options are described below.
The Trigger With option defines when the tool is activated. When scans of the selected types (SAST, SCA, CS, or IaC) complete, an SBOM is generated with the selected Generator Tool. If no option is selected, SBOM generation is never triggered by scans and only SBOMs received via the CLI are synchronized.
In this section, the Inspector Tool and SBOM Format can also be selected. Different SBOM formats can capture different details depending on the programming language or ecosystem being scanned; if the component list for a given language looks incomplete, switching the SBOM format may yield more accurate output.
Once the configuration is complete, save the settings and exit. Unlike other tools, no separate scan parameter needs to be created.
If a category is selected under Trigger With, SBOM generation starts automatically immediately after the corresponding scans are completed.
Results
The SBOM components generated as a result of these scans can be reviewed at either the Global level or the Project level. Components that are shared across multiple projects can be monitored from the Global SBOM Components page.
SBOM Radar checks the listed components for known vulnerabilities every 12 hours. Even if no new scan is run, the latest component list is re-synchronized on that schedule, so a vulnerability newly published for an existing component becomes visible in the system within 12 hours, including for projects in a frozen state.
Alternatively, SBOMs can be imported via the CLI instead of being generated by the platform. Invicti recommends creating the SBOM during the build phase and then importing it: at build time the resolved transitive dependencies are available, so the resulting SBOM is more accurate and complete than one derived from source alone.
To use this method, the KDT CLI must be installed and an Access Token belonging to a user with the Admin role is required.
The KDT CLI can be downloaded from GitHub | KDT.
An example command for importing an SBOM is shown below:
kdt sbom import -p {Project_name} -b {Branch_name} -f {SBOM_file_path}
The system assigns the SBOM Import tag to SBOMs imported into the platform, and Source Code, Docker Image, or similar tags to SBOMs generated by tools such as Syft.
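The build-phase workflow described above, written out as a CI script. This is an added example, not code from the Invicti documentation or the KDT project. It assumes syft and kdt are on PATH, that the Admin access token and platform host are passed to kdt through environment variables (KONDUKTO_TOKEN and KONDUKTO_HOST are assumed names; check the KDT README for the exact ones), and that PROJECT and BRANCH are set by the CI job. The kdt invocation uses the command form shown above; the sanity check before it is the part a practitioner usually forgets, and it is what stops an empty or non-SBOM file from being pushed into the platform.

```shell
#!/bin/sh
# Build-time SBOM generation and import into Invicti ASPM via the KDT CLI.
# Added example, not part of the Invicti documentation or the KDT project.
# Assumptions: syft and kdt are on PATH; kdt reads the Admin access token and
# host from KONDUKTO_TOKEN / KONDUKTO_HOST (assumed variable names);
# PROJECT and BRANCH are exported by the CI job.
set -eu

# Pre-import sanity check. Returns 0 and prints "<format>:<purl count>" when
# FILE looks like a CycloneDX or SPDX JSON document with at least one
# package-URL; returns 1 (and explains why on stderr) otherwise.
sbom_sanity_check() {
  file="$1"
  [ -f "$file" ] || { echo "missing SBOM: $file" >&2; return 1; }
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    fmt=cyclonedx
  elif grep -q '"spdxVersion"' "$file"; then
    fmt=spdx
  else
    echo "not a CycloneDX/SPDX JSON SBOM: $file" >&2; return 1
  fi
  purls=$(grep -o '"purl"' "$file" | wc -l | tr -d ' ')
  [ "$purls" -gt 0 ] || { echo "no components (purl) in $file" >&2; return 1; }
  echo "$fmt:$purls"
}

# Number of components in a CycloneDX 'dependencies' graph that declare a
# dependsOn list. An SBOM derived from manifests alone often reports 0 here;
# one produced after the build, with lock files and resolved packages present,
# carries the transitive graph the page recommends capturing.
cyclonedx_dependency_entries() {
  grep -o '"dependsOn"' "$1" | wc -l | tr -d ' '
}

generate_and_import() {
  project="$1"; branch="$2"; out="${3:-sbom.cdx.json}"
  # Generate from the working tree after the build step so that resolved
  # transitive dependencies are included. (syft source/output syntax assumed.)
  syft "dir:." -o cyclonedx-json > "$out"
  sbom_sanity_check "$out" >/dev/null
  echo "components with dependsOn: $(cyclonedx_dependency_entries "$out")"
  # Command form from the Invicti documentation above; the platform tags the
  # result with SBOM Import.
  kdt sbom import -p "$project" -b "$branch" -f "$out"
}

# Run the full pipeline only when invoked as: ./build-and-import-sbom.sh run
if [ "${1:-}" = "run" ]; then
  generate_and_import "${PROJECT:?set PROJECT}" "${BRANCH:?set BRANCH}"
fi
```

Wire this as the last step of the build job so the SBOM reflects the artifact that was actually produced; the check on dependsOn entries is a cheap way to notice when a job ran syft before dependency resolution and shipped a shallow SBOM.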
