SBOM Generation
Introduction
When building a Mendix app, you use many reusable components such as Widgets and Marketplace modules, which make use of components such as Java libraries and npm modules. You can also extend your own app with Java and JavaScript actions and base them on Java libraries and npm modules. You should know what you use in your app, what other components they are dependent on, and what licenses they make use of. Over time, these components may become outdated or vulnerable, so it is important to have this information in a ready-to-use, standard format. Studio Pro does this by generating a Software Bill of Materials (SBOM) based on the standardized CycloneDX format.
Generating an SBOM
You can generate an SBOM by using either of the following options:
-
mxbuild --java-home="C:\Program Files\Eclipse Adoptium\jdk-11.0.16.101-hotspot" --java-exe-path="C:\Program Files\Eclipse Adoptium\jdk-11.0.16.101-hotspot\bin\java.exe" --generate-sbom "C:\Mendix\MyApp\MyApp.mpr"
-
Menu option App -> Tools -> Generate Bill of Materials in Studio Pro version 10.18 and above.
Both of these generate an sbom.json
file in the deployment folder of your package .mda
. Bundling the SBOM together with your deployment ensures that the SBOM represents the components that were present during the build.
SBOM Format
The SBOM is based on the CycloneDX 1.4 JSON format. This includes required fields, and information such as version
and description
. To identify the components from different package managers, the purl
field is used. The content follows the specification defined at https://github.com/package-url/purl-spec
. This includes Mendix marketplace modules and widgets, npm packages, and Java libraries.
Example Output
Since a full SBOM contains all project details, this is only a partial representation of a full example. To simplify, below is one of the Java libraries that is packaged. The dependencies
field will contain the dependency relationship from Mendix Marketplace Modules to npm modules and Java libraries.
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:d1a93219-d2fb-4282-9cc8-b591f85e0551",
"version": 1,
"metadata": { },
"components":
{
"type": "framework",
"bom-ref": "urn:uuid:5371eb81-0997-48a0-ad0a-1a3012bf87cb",
"author": "",
"publisher": "",
"name": "Mendix-Runtime",
"version": "10.10.0.34429",
"licenses": [],
"copyright": "",
"purl": "pkg:mendix/Mendix-Runtime@10.10.0.34429?type=framework",
"components": []
},
{
"type": "library",
"bom-ref": "pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar",
"group": "com.google.guava",
"name": "guava",
"version": "32.0.1-jre",
"description": "Guava is a suite of core and expanded libraries that include utility classes, Google\u0027s collections, I/O classes, and much more.",
"licenses": [
{
"license": {
"id": "Apache-2.0"
}
}
],
"purl": "pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar",
"modified": false
},
"externalReferences": [],
"dependencies": []
}
Supported Features
The table below describes what components are currently covered in the generated SBOM, and from what version. It is recommended to use version 10.10
, 9.24.22
, or 10.6.9
and above.
Feature | Description | Version |
---|---|---|
Mendix Modules | 9.24.14 , 10.4.0 |
Mendix Modules imported from the Marketplace. This does not include Add-on Modules, Solutions, Extensions, or manually imported modules. |
Java Dependencies | 9.24.14 , 10.4.0 |
Java libraries imported into your project using Managed Dependencies, or those manually added in the userlib folder. Libraries added through managed dependencies will have access to information of the package manager and will include more details, such as the used license. |
Widgets | 10.9.0 , 10.6.6 , 10.10.0 , 9.24.18 |
User interface elements downloaded from the Marketplace, such as drop-downs or buttons. |
JavaScript Actions(/refguide/javascript-actions/) | 10.10 |
npm libraries that are used in your JavaScript actions. |