Anchore SBOM
Achieve Software Supply Chain Transparency
Ingest, Manage & Analyze
Bring your own SBOM (BYOS)
Validation of SBOM content
Group Management
Vulnerability Scanning and Prioritization with Anchore Score
FAQs
Anchore SBOM supports uploading SBOMs in the following versions:
- CycloneDX
  - JSON: Versions 1.2 – 1.6
  - XML: Versions 1.0 – 1.6
- SPDX
  - JSON: Versions 2.2 – 2.3
  - Tag-Value: Versions 2.1 – 2.3
Syft SBOMs are exported in the following formats:
- SPDX v2.3
- CycloneDX v1.6
Anchore Enterprise generates SBOMs for containers as part of CI/CD, registry, or runtime scanning. Because it generates these SBOMs itself, it can also capture additional data about Dockerfile content, image content, and other metadata. This extra information can be used for additional scans for malware or secrets, or for compliance checks as part of the Anchore Enforce module. SBOMs uploaded to the system from non-Anchore tools are scanned for vulnerability information only.
Anchore allows you to upload SBOMs generated by non-Anchore tools representing both codebases under your control (internal SBOMs) as well as third-party SBOMs provided to your organization by partners, contractors, and upstream suppliers. These SBOMs represent assets not available for Anchore scanning and allow unification of security information between artifacts scanned by Anchore and those represented by uploaded SBOMs.
Uploaded SBOMs are stored for future use and analyzed for both quality and content, providing the following information:
- SBOM document information
- An assessment of the overall SBOM quality
- SBOM contents (packages)
- Associated security vulnerabilities
The SBOM quality checks are based on the following criteria:
- Valid and supported SBOM format
- Valid and supported SBOM schema
- Content check for required elements
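As an added illustration (not Anchore's own validator), the following Python checker applies the three criteria above to a JSON SBOM: it identifies the format, compares the schema version against the supported JSON versions listed on this page, and checks the spec's required top-level elements plus a non-empty package inventory. The sample documents are constructed.

```python
import json

# Supported JSON upload versions, taken from this page's version list.
SUPPORTED = {
    "CycloneDX": {"1.2", "1.3", "1.4", "1.5", "1.6"},
    "SPDX": {"2.2", "2.3"},
}
# Required top-level elements according to each format's JSON schema.
REQUIRED = {
    "CycloneDX": ["bomFormat", "specVersion"],
    "SPDX": ["spdxVersion", "dataLicense", "SPDXID", "name",
             "documentNamespace", "creationInfo"],
}


def assess_sbom(text):
    """Return (format, version, findings); findings is empty when all checks pass."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, None, [f"not valid JSON: {exc.msg}"]
    # Criterion 1: recognised, supported format.
    if doc.get("bomFormat") == "CycloneDX":
        fmt, version = "CycloneDX", str(doc.get("specVersion", ""))
        inventory = doc.get("components")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        fmt, version = "SPDX", doc["spdxVersion"][len("SPDX-"):]
        inventory = doc.get("packages")
    else:
        return None, None, ["unrecognised format (neither CycloneDX nor SPDX JSON)"]
    # Criterion 2: schema version this page lists as supported for JSON input.
    if version not in SUPPORTED[fmt]:
        findings.append(f"unsupported {fmt} JSON schema version {version!r}")
    # Criterion 3: required elements, plus a usable package inventory.
    for key in REQUIRED[fmt]:
        if key not in doc:
            findings.append(f"missing required element {key!r}")
    if not isinstance(inventory, list) or not inventory:
        findings.append("no package inventory (empty or missing component list)")
    return fmt, version, findings


# Constructed sample documents: one clean CycloneDX 1.5 SBOM, one deficient SPDX 2.1 SBOM.
GOOD_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", "name": "zlib", "version": "1.2.13"}]})
BAD_SPDX = json.dumps({"spdxVersion": "SPDX-2.1", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo"})

if __name__ == "__main__":
    for sample in (GOOD_CDX, BAD_SPDX):
        print(assess_sbom(sample))
```

Note that SPDX 2.1 is accepted by Anchore in Tag-Value form but not as JSON, which is why the second sample is flagged as an unsupported JSON schema version.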
SBOM groups allow for organizing multiple SBOMs into a logical set. An SBOM group may represent a business unit, product team, application, sub-module, or an arbitrary set of SBOMs. SBOM groups also allow a rollup of all overall quality and security vulnerabilities across the constituent SBOMs.
The Anchore Score is a computed composite security index that provides a numeric value for each vulnerability in the system. It is derived from a combination of the CVSS score, vulnerability severity, EPSS percentile, and KEV status, but can also factor in additional data. Currently, the CVSS score & vulnerability severity, EPSS percentile, and KEV status are equally weighted. The Anchore Score is used to generate the Anchore Rank value indicating the relative importance of a given vulnerability within a particular set of vulnerabilities defined by an SBOM Group or individual SBOM context. This ordering helps users focus on the most critical issues for efficient security analysis and remediation planning.
Anchore SBOM is included in all Anchore Enterprise subscriptions.