Exports and Reports
The Export view provides the ability to generate data exports and reports for a project. This includes SBOMs, VEX documents, SARIF output, HTML, and CSV reports.
Some options are only available if you have the SBOM Export add-on.
To export scans other than the most recent, locate the scan on the History tab, then select the export icon.
Use the export format and file type options to choose the type of report and the file format. Only valid formats for the selected scan will be shown.
Reports are available to all SOOS subscriptions in HTML and CSV file formats.
SCA, SBOM, and Container Scans
- SOOS Packages - Package ID, version, and link to package details for all packages in the given project.
- SOOS Licenses - License name, SPDX ID, link to license details, and full license text for all licenses in the given project.
DAST and SAST Scans
- SOOS Issues - Issue severity and title (with CWE ID) for all web vulnerabilities in the given project.
Additional reports and exports are available, in various formats, to SOOS subscriptions that include SBOM Manager and SBOM Export.
SCA, SBOM, and Container Scans
- SPDX SBOM (export as JSON or Text)
- CycloneDX SBOM (VEX details included) (export as JSON or XML)
- CSAF VEX document (export as JSON)
- SARIF (export as JSON)
- SOOS Issues (export as HTML or CSV)
- SOOS Vulnerabilities (export as HTML or CSV) - Severity, CVE ID, affected package, and link to more information for all vulnerabilities in the given project.
SBOM exports have additional options that may be specified.
Include Dependent Projects - include dependent projects as additional SBOMs linked to the main project's SBOM. Learn more about Dependent Projects.
Include Vulnerabilities - disabled by default, select this to include vulnerability and attestation details in your SBOMs.
Include Original SBOM(s) - for SBOM scans, you may optionally include a copy of the original SBOM that was scanned by SOOS along with the new SBOM. Some differences between the two may include updated vulnerability information, document metadata, external SBOM references, improved dependency information, and attestations.
All SOOS reports are generated asynchronously. Depending on the type of report and the options selected, a report may take a few minutes to generate. You may proceed with other actions in the SOOS UI; once the report is ready, you will be notified in the sidebar. Click the export in the pop-out to be brought back to the export page. From there you may click the export link at the bottom of the page to initiate the download.
SOOS supports CLI Exports from any of the SOOS scripts, using the --exportFormat and --exportFileType parameters (refer to the integration documentation for more details).
When the export parameters are specified, the specified report will be generated and then downloaded. This is an easy way to attach details to a CI/CD system for each scan that was run.
Generating reports adds time to the script execution, so be aware that using this option with a CI/CD system will increase the build time.
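Once a CycloneDX JSON export with vulnerabilities included is attached to a build, a follow-up CI step can use its VEX details to decide whether the build should fail. The script below is an added example, not SOOS code: it assumes the export follows the CycloneDX JSON schema (`vulnerabilities`, `ratings[].severity`, `analysis.state`, `affects[].ref`), the sample document and its IDs are constructed, and the `high` threshold is an assumed policy.

```python
import json

# Constructed sample in CycloneDX JSON shape; not real SOOS output.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "vulnerabilities": [
  {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
   "affects": [{"ref": "pkg:npm/example-a@1.0.0"}],
   "analysis": {"state": "not_affected"}},
  {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}, {"severity": "high"}],
   "affects": [{"ref": "pkg:npm/example-b@2.3.1"}],
   "analysis": {"state": "exploitable"}},
  {"id": "CVE-0000-0003", "ratings": [{"severity": "low"}],
   "affects": [{"ref": "pkg:npm/example-b@2.3.1"}]}
 ]}
""")

SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]
# CycloneDX VEX analysis states that mean the finding needs no action.
DISMISSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def rank(severity):
    # Unrated or "unknown" findings fail closed: they rank as critical.
    if severity in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(severity)
    return len(SEVERITY_ORDER) - 1

def blocking_findings(sbom, threshold="high"):
    """Return (id, severity, state, refs) for findings at or above the
    threshold that the VEX analysis has not dismissed."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        # A finding without an analysis block is treated as still in triage.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        severities = [r.get("severity", "unknown") for r in vuln.get("ratings", [])]
        worst = max(severities or ["unknown"], key=rank)
        if state in DISMISSED_STATES or rank(worst) < rank(threshold):
            continue
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        findings.append((vuln.get("id"), worst, state, refs))
    return findings

if __name__ == "__main__":
    hits = blocking_findings(SAMPLE_SBOM)
    for vuln_id, severity, state, refs in hits:
        print(f"{vuln_id} {severity} {state} {', '.join(refs)}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

In a pipeline, replace `SAMPLE_SBOM` with `json.load()` on the downloaded export file.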