SBOM
In this example you are going to create a sbomComponent blueprint that ingests all third party components in your sbom.json or sbom.xml file using a combination of Port's API and webhook functionality. You will then relate this blueprint to a sbomVulnerability blueprint, allowing you to map all the components affected by a security vulnerability.
To ingest the components and vulnerabilities to Port, a script that sends information about the SBOM file according to the webhook configuration is used.
Prerequisites​
Create the following blueprint definition and webhook configuration:
SBOM component blueprint
{
"identifier": "sbomComponent",
"description": "This blueprint represents an SBOM component in our software catalog",
"title": "SBOM Component",
"icon": "Package",
"schema": {
"properties": {
"name": {
"title": "Name",
"type": "string"
},
"version": {
"title": "Version",
"type": "string"
},
"package_url": {
"title": "Package URL",
"type": "string"
},
"external_references": {
"title": "External References",
"type": "array"
},
"licenses": {
"title": "Licenses",
"type": "array"
},
"type": {
"title": "Type",
"type": "string",
"default": "library",
"enum": [
"application",
"framework",
"library",
"container",
"platform",
"operating-system",
"device",
"device-driver",
"firmware",
"file",
"data",
"machine-learning-model"
]
},
"software_product": {
"title": "Software Product",
"type": "string"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
}
SBOM vulnerability blueprint
{
"identifier": "sbomVulnerability",
"description": "This blueprint represents an SBOM vulnerability in our software catalog",
"title": "SBOM Vulnerability",
"icon": "Package",
"schema": {
"properties": {
"description": {
"title": "Description",
"type": "string"
},
"reference": {
"title": "BOM Reference",
"type": "string"
},
"recommendation": {
"title": "Recommendation",
"type": "string"
},
"ratings": {
"title": "Ratings",
"type": "array"
},
"source": {
"title": "Source",
"type": "string"
},
"published": {
"title": "Published On",
"type": "string",
"format": "date-time"
},
"state": {
"title": "State",
"type": "string",
"default": "exploitable",
"enum": [
"resolved",
"resolved_with_pedigree",
"exploitable",
"in_triage",
"false_positive",
"not_affected"
],
"enumColors": {
"resolved": "green",
"resolved_with_pedigree": "lightGray",
"exploitable": "red",
"in_triage": "yellow",
"false_positive": "purple",
"not_affected": "green"
}
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {
"components": {
"title": "Components",
"target": "sbomComponent",
"required": false,
"many": true
}
}
}
SBOM webhook configuration
{
"identifier": "sbomMapper",
"title": "SBOM Mapper",
"description": "A webhook configuration to map SBOM components and vulnerabilities to Port",
"icon": "Package",
"mappings": [
{
"blueprint": "sbomComponent",
"itemsToParse": ".body.components",
"entity": {
"identifier": ".item.reference",
"title": ".item.name",
"properties": {
"version": ".item.version",
"package_url": ".item.purl",
"type": ".item.type",
"external_references": ".item.external_references",
"licenses": ".item.licenses",
"software_product": ".body.software_product + \"-\" + .body.software_version"
}
}
},
{
"blueprint": "sbomVulnerability",
"itemsToParse": ".body.vulnerabilities",
"entity": {
"identifier": ".item.id",
"title": ".item.id",
"properties": {
"description": ".item.description",
"reference": ".item.reference",
"recommendation": ".item.recommendation",
"ratings": ".item.ratings",
"source": ".item.source",
"published": ".item.published",
"state": ".item.state"
},
"relations": {
"components": ".item.affects"
}
}
}
],
"enabled": true,
"security": {}
}
note
Working with Port's API and Bash script​
Here are example snippets showing how to integrate Port's API and Webhook with your existing pipelines using Python and report SBOM entities from them:
- JSON
- XML
Create the following Python script in your repository to create or update Port entities as part of your pipeline:
Python script for CycloneDX JSON
import requests
import json
import os
WEBHOOK_URL = os.environ['WEBHOOK_URL'] ## the value of the URL you receive after creating the Port webhook
PATH_TO_SBOM_JSON_FILE = os.environ['PATH_TO_SBOM_JSON_FILE']
def add_entity_to_port(entity_object):
"""A function to create the passed entity in Port using the webhook URL
Params
--------------
entity_object: dict
The entity to add in your Port catalog
Returns
--------------
response: dict
The response object after calling the webhook
"""
headers = {"Content-Type": "application/json"}
response = requests.post(WEBHOOK_URL, json=entity_object, headers=headers)
return response.json()
def extract_sbom_data(sbom_file):
"""This function takes an sbom file path, converts the "components" and "vulnerabilities" property into a
JSON array and it then sends this data to Port
Params
--------------
sbom_file: str
The path to the sbom file relative to the project's root folder
Returns
--------------
response: dict
The response object after calling the webhook
"""
with open(sbom_file, 'r') as file:
sbom_data = json.load(file)
software_information = sbom_data["metadata"]["component"]
software_product = software_information.get("name", "")
software_version = software_information.get("version", "")
components = []
vulnerabilities = []
for component in sbom_data.get("components", []):
component_data = {
"type": component.get("type", ""),
"reference": component.get("bom-ref", ""),
"name": component.get("name", ""),
"version": component.get("version", ""),
"purl": component.get("purl", ""),
"external_references": component.get("externalReferences", []),
"licenses": [license_data.get("license", "") for license_data in component.get("licenses", [])]
}
components.append(component_data)
for vulnerability in sbom_data.get("vulnerabilities", []):
vulnerability_data = {
"id": vulnerability.get("id"),
"description": vulnerability.get("description", ""),
"reference": vulnerability.get("bom-ref", ""),
"recommendation": vulnerability.get("recommendation", ""),
"state": vulnerability.get("analysis", {}).get("state"),
"ratings": vulnerability.get("ratings", []),
"source": vulnerability.get("source", {}).get("name"),
"affects": [bom_component.get("ref", "") for bom_component in vulnerability.get("affects", [])],
"published": vulnerability.get("published", "")
}
vulnerabilities.append(vulnerability_data)
entity_object = {
"components": components,
"vulnerabilities": vulnerabilities,
"software_product": software_product,
"software_version": software_version
}
webhook_response = add_entity_to_port(entity_object)
return webhook_response
# Example usage
response = extract_sbom_data(PATH_TO_SBOM_JSON_FILE)
print(response)
Create the following Python script in your repository to create or update Port entities as part of your pipeline:
Python script for CycloneDX XML
import requests
import xml.dom.minidom
import os
WEBHOOK_URL = os.environ["WEBHOOK_URL"]
PATH_TO_SBOM_XML_FILE = os.environ["PATH_TO_SBOM_XML_FILE"]
def add_entity_to_port(entity_object):
"""A function to create the passed entity in Port using the webhook URL
Params
--------------
entity_object: dict
The entity to add in your Port catalog
Returns
--------------
response: dict
The response object after calling the webhook
"""
headers = {"Content-Type": "application/json"}
response = requests.post(WEBHOOK_URL, json=entity_object, headers=headers)
return response.json()
def extract_sbom_data(sbom_file):
"""This function takes an sbom file path, converts the "components" and "vulnerabilities" property into a
JSON array and it then sends this data to Port
Params
--------------
sbom_file: str
The path to the sbom file relative to the project's root folder
Returns
--------------
response: dict
The response object after calling the webhook
"""
xml_doc = xml.dom.minidom.parse(sbom_file)
# Get the metadata component element
metadata_component = xml_doc.getElementsByTagName("metadata")[0].getElementsByTagName("component")[0]
# Extract software name and version from the metadata component
software_product_name = metadata_component.getElementsByTagName("name")[0].firstChild.data.strip()
software_version = metadata_component.getElementsByTagName("version")[0].firstChild.data.strip()
# get all the components elements and extract details
sbom_components = []
components_element = xml_doc.getElementsByTagName('components')[0]
components = components_element.getElementsByTagName("component")
for component in components:
name = component.getElementsByTagName('name')[0].childNodes[0].data
bom_ref = component.getAttribute("bom-ref")
version = component.getElementsByTagName('version')[0].childNodes[0].data
component_type = component.getAttribute('type')
purl = component.getElementsByTagName('purl')[0].childNodes[0].data
licenses = component.getElementsByTagName("licenses")
external_references = component.getElementsByTagName("reference")
license_ids = []
for license_node in licenses:
license_id = license_node.getElementsByTagName("id")[0].firstChild.data.strip()
license_ids.append({"id": license_id})
external_reference_list = []
for reference in external_references:
reference_type = reference.getAttribute("type")
reference_url = reference.getElementsByTagName("url")[0].firstChild.data.strip()
external_reference_list.append({"type": reference_type, "url": reference_url})
sbom_components.append({
"type": component_type,
"reference": bom_ref,
"name": name,
"version": version,
"purl": purl,
"external_references": external_reference_list,
"licenses": license_ids
})
# Get the vulnerabilities element
vulnerabilities_element = xml_doc.getElementsByTagName("vulnerabilities")[0]
vulnerabilities = vulnerabilities_element.getElementsByTagName("vulnerability")
sbom_vulnerabilities = []
# Iterate over vulnerabilities and extract details
for vulnerability in vulnerabilities:
bom_reference = vulnerability.getAttribute("bom-ref")
vulnerability_id = vulnerability.getElementsByTagName("id")[0].firstChild.data.strip()
description = vulnerability.getElementsByTagName("description")[0].firstChild.data.strip()
recommendation = vulnerability.getElementsByTagName("recommendation")[0].firstChild.data.strip()
state = vulnerability.getElementsByTagName("state")[0].firstChild.data.strip()
source = vulnerability.getElementsByTagName("source")[0].getElementsByTagName("name")[0].firstChild.data.strip()
published = vulnerability.getElementsByTagName("published")[0].firstChild.data.strip()
ratings = vulnerability.getElementsByTagName("rating")
affects_target_refs = vulnerability.getElementsByTagName("target")
rating_list = []
for rating in ratings:
rating_source = rating.getElementsByTagName("source")[0].getElementsByTagName("name")[0].firstChild.data.strip()
rating_score = rating.getElementsByTagName("score")[0].firstChild.data.strip()
rating_severity = rating.getElementsByTagName("severity")[0].firstChild.data.strip()
rating_list.append({"source": rating_source, "score": rating_score, "severity": rating_severity})
affected_components = []
for target_ref in affects_target_refs:
ref = target_ref.getElementsByTagName("ref")[0].firstChild.data.strip()
affected_components.append(ref)
sbom_vulnerabilities.append({
"id": vulnerability_id,
"description": description,
"reference": bom_reference,
"recommendation": recommendation,
"state": state,
"ratings": rating_list,
"source": source,
"affects": affected_components,
"published": published
})
entity_object = {
"components": sbom_components,
"vulnerabilities": sbom_vulnerabilities,
"software_product": software_product_name,
"software_version": software_version
}
webhook_response = add_entity_to_port(entity_object)
return webhook_response
# Example usage
response = extract_sbom_data(PATH_TO_SBOM_XML_FILE)
print(response)