Use SOOS to scan and continually monitor external SBOMs, and to link those SBOMs as dependent projects of the SCA or Container projects you already have in SOOS.
- Scan your projects using SOOS SCA or Container scanning.
- Import/scan your SBOMs in either CycloneDX JSON or SPDX JSON format; this creates a new project for each unique SBOM you import.
- If the SBOMs you received do not contain dependency information, you can use SOOS to augment the SBOMs and determine the transitive dependencies. Enable this setting under Configure.
- Configure your parent project to depend on the SBOM project and rescan the parent project; the dependent project will now appear in the dependency tree.
- To export a consolidated SBOM of your parent project and all dependent projects, browse to “Export” for the parent project and select “Include Dependent Projects”.
- The exported archive will contain two SBOMs, one for the parent project and one for the dependent project, and the parent project's SBOM will contain a reference to the dependent project.
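A check worth running on a received SBOM before importing it, as an added example that is not SOOS's own code: it parses a constructed CycloneDX JSON document, reports whether it carries a dependency graph at all (the case the augment setting above addresses), walks that graph to list transitive dependencies, and flags components that no dependency path from the root reaches. The sample SBOM and the function names are assumptions for illustration.

```python
import json
from collections import deque

# Constructed sample CycloneDX JSON SBOM (not a real SOOS export): a root
# component, a chain a -> b -> c, and one component no dependency entry mentions.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "parent-app"}},
    "components": [{"bom-ref": f"pkg:npm/{n}@1.0.0", "name": n} for n in ("a", "b", "c", "orphan")],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/a@1.0.0"]},
        {"ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/b@1.0.0"]},
        {"ref": "pkg:npm/b@1.0.0", "dependsOn": ["pkg:npm/c@1.0.0"]},
        {"ref": "pkg:npm/c@1.0.0", "dependsOn": []},
    ],
})

def load_graph(sbom_json):
    """Return (root_ref, component_refs, adjacency) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON SBOM")
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, refs, graph

def has_dependency_info(sbom_json):
    """True when the SBOM carries a non-empty dependency graph (otherwise it needs augmenting)."""
    return any(deps for deps in load_graph(sbom_json)[2].values())

def transitive_dependencies(sbom_json, start=None):
    """Breadth-first walk of the dependency graph from start (default: the root component)."""
    root, _, graph = load_graph(sbom_json)
    seen, queue = set(), deque(graph.get(start or root, []))
    while queue:  # the seen set also guards against cycles in the graph
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(graph.get(ref, []))
    return sorted(seen)

def unreachable_components(sbom_json):
    """Components the SBOM lists but no dependency path from the root reaches."""
    root, refs, _ = load_graph(sbom_json)
    return sorted(refs - set(transitive_dependencies(sbom_json, root)))
```

An SBOM whose `unreachable_components` list is long, or whose `has_dependency_info` is false, is one where the dependency tree built from the file alone will be incomplete.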