Use SOOS to scan and continually monitor external SBOMs as well as link these SBOMs as dependent-projects to existing SCA or Container projects that you might already have with SOOS.

  1. Scan your projects using SOOS SCA or Container scanning.
  2. Import/scan your SBOMs in either CycloneDX JSON or SPDX JSON format - this will create new projects for each unique SBOM you import.

  3. If the SBOMs you received do not have dependency information you can use SOOS to augment the SBOMs and determine the transitive dependencies. Set this setting under Configure.
  4. Configure your parent project to have a dependency on the SBOM project and rescan the parent project. The dependent project will now show in the dependency tree.

  5. To export a consolidated SBOMs of your parent project and all dependent projects browser to “Export” for the parent project and select “Include Dependent Projects”.


  6. The exported archive will now contain two SBOMs, one for the parent project and one for the dependent project and the parent project SBOM will contain a reference to the dependent project.