SBOM Manager does not output any vulnerabilities when a list of components in CycloneDX XML format, containing license and version information but no vulnerability data, is imported into SBOM Manager. The import ends with a "scan completed" message, but no vulnerabilities (0) are found.
Details
This is expected behaviour: SBOM Manager acts only as a "reader" for CycloneDX and other SBOM imports. It does not scan the imported components for vulnerabilities, and it does not add any vulnerability data that the file did not already contain.
CAST SBOM Manager is a complementary product to CAST Highlight dedicated to Software Composition Analysis (SCA) and Bill of Materials (SBOM) management. CAST SBOM Manager is designed to facilitate the following use cases:
- Enhance SBOM reviews and documentation by recording user modifications (e.g., choice of a license for a dual-licensed component, internal component reviews, etc.) and retrieving this metadata for future SBOMs.
- Cataloguing and identification of proprietary components (i.e., developed in house) to automatically detect them along with their metadata (custom licenses, copyright information, etc.) in future SBOMs.
So when doing an import, SBOM Manager only reads the data present in the imported files, for the enhancing/cataloguing use cases described above.
If the imported files do not include any vulnerability (or other) information, what you see after the import is essentially the full contents of the file and nothing more: no vulnerabilities are added, so the count stays at 0.
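A quick way to confirm which case you are in before importing is to check the CycloneDX file itself for a `vulnerabilities` section. The script below is an added example for this article, not CAST's code or part of SBOM Manager: it parses a CycloneDX XML BOM, lists the components (name, version, licenses) the file declares, and counts the `vulnerability` entries it carries. The two embedded BOMs are constructed samples; the component names, versions and purl are illustrative, and the one CVE shown is the well-known Log4Shell issue for log4j-core 2.14.1.

```python
# Added example, not part of the CAST article or CAST's own tooling: a pre-import
# check for a CycloneDX XML SBOM. It reports what the file itself declares, so you
# can tell in advance whether SBOM Manager has any vulnerabilities to show at all.
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an element tag, so the checks work for any
    CycloneDX schema version (1.4, 1.5 and 1.6 each use a different xmlns)."""
    return tag.rsplit("}", 1)[-1]


def summarize_bom(xml_text):
    """Parse a CycloneDX XML document and return a summary dict with the
    declared components and the vulnerability ids found in the file."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "bom":
        raise ValueError("not a CycloneDX BOM, root element is <%s>" % _local(root.tag))

    components = []
    vulnerability_ids = []
    for el in root.iter():
        kind = _local(el.tag)
        if kind == "component":
            comp = {"name": None, "version": None, "licenses": []}
            for child in el:  # direct children only: this component's own fields
                cname = _local(child.tag)
                if cname == "name":
                    comp["name"] = child.text
                elif cname == "version":
                    comp["version"] = child.text
                elif cname == "licenses":
                    # <license><id>..</id></license>, <license><name>..</name></license>
                    # or an SPDX <expression>; collect whichever form is present
                    for lic in child.iter():
                        if _local(lic.tag) in ("id", "name", "expression") and lic.text:
                            comp["licenses"].append(lic.text.strip())
            components.append(comp)
        elif kind == "vulnerability":
            for child in el:  # the <id> directly under <vulnerability>, not nested refs
                if _local(child.tag) == "id" and child.text:
                    vulnerability_ids.append(child.text.strip())

    return {
        "component_count": len(components),
        "components": components,
        "vulnerability_count": len(vulnerability_ids),
        "vulnerability_ids": vulnerability_ids,
    }


# Constructed sample 1: the situation the article describes. Two components with
# version and license data, but no <vulnerabilities> section at all.
SAMPLE_NO_VULNS = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>jackson-databind</name>
      <version>2.13.4</version>
      <licenses><license><id>Apache-2.0</id></license></licenses>
    </component>
    <component type="library">
      <name>log4j-core</name>
      <version>2.14.1</version>
      <licenses><license><id>Apache-2.0</id></license></licenses>
    </component>
  </components>
</bom>
"""

# Constructed sample 2: the same components plus a <vulnerabilities> section, the
# shape a scanner export carries. CVE-2021-44228 (Log4Shell) affects log4j-core 2.14.1.
SAMPLE_WITH_VULNS = SAMPLE_NO_VULNS.replace("</bom>", """  <vulnerabilities>
    <vulnerability>
      <id>CVE-2021-44228</id>
      <affects><target><ref>pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>""")


def main(argv):
    """Summarize the BOM given as argv[1], or the vulnerability-free sample if none."""
    path = argv[1] if len(argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_NO_VULNS
    summary = summarize_bom(xml_text)
    for comp in summary["components"]:
        print("component: %s %s  licenses=%s" % (comp["name"], comp["version"],
                                                  ", ".join(comp["licenses"]) or "-"))
    print("vulnerabilities declared in file: %d" % summary["vulnerability_count"])
    if summary["vulnerability_count"] == 0:
        print("no vulnerability data in this file: SBOM Manager will show 0 because it "
              "does not scan; import into CAST Highlight to have them detected")
    return summary


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_bom.py my-bom.xml`; a count of 0 means the file, not SBOM Manager, is the reason nothing shows up. The script uses the standard library `xml.etree` parser; for SBOMs received from third parties, prefer `defusedxml` to guard against entity-expansion and external-entity tricks in hostile XML.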
To have vulnerabilities detected, import the SBOM into CAST Highlight itself instead. See this article for details: SBOM Import : Learn how to import SBOMs (Software Bill of Materials) into CAST Highlight.
As an example, a proper file exported from CAST Highlight is shown below, with the vulnerabilities detected.
NB:
The source file to be read by SBOM Manager should be located in the C folder.
Ticket
50564, 51456
Related Articles/Documents
CAST SBOM Manager UserGuide.pdf
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation