Tidelift has the ability to work with CycloneDX formatted software bills of materials (SBOMs). Working with CycloneDX formatted SBOMs allows for the option to import SBOMs generated from third-party tools and/or those provided by vendors. Centralizing SBOMs in Tidelift provides a powerful way to understand and track your organization's software usage and risks.
A CycloneDX SBOM can be uploaded into Tidelift by doing either of the following:
- Performing an alignment in a directory containing a CycloneDX formatted SBOM with the Tidelift CLI
- Uploading a CycloneDX formatted SBOM into Tidelift via the Tidelift UI
Generating a CycloneDX formatted SBOM from Docker
To generate a CycloneDX file from a Docker image (or for a vendor to create a CycloneDX file to send to your team), see the Syft getting-started guide: https://github.com/anchore/syft#getting-started.
Uploading a CycloneDX formatted SBOM into the Tidelift UI
Alternatively, you can upload any other CycloneDX file (cyclonedx.json, cyclonedx.xml):
- Sign into Tidelift and click on Projects
- On the Projects page, select Create new project in the righthand corner
- After naming your project (Note: a CycloneDX formatted SBOM must be named exactly cyclonedx.json or cyclonedx.xml), select Next
- From the new dialog window, you can upload your CycloneDX formatted SBOM via the Upload files button
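Before uploading an SBOM that came from a third-party tool or a vendor, it is worth checking that the file will actually be usable once it is in Tidelift. The following script is an added example, not Tidelift's or Syft's own code: it checks the file name the steps above require, the CycloneDX envelope fields, and that every component carries a name, version and Package URL (purl), which is what a consumer needs to map a component to a known package and its advisories. It handles only the JSON form (cyclonedx.json); the list of recognised spec versions is an assumption, and the sample SBOM is constructed for the example.

```python
"""Pre-upload sanity check for a CycloneDX JSON SBOM.

Added example (not Tidelift's or Syft's code). Checks the things that
commonly make an SBOM upload unusable before the file reaches Tidelift.
"""
import json
from pathlib import Path

# Names the page says a CycloneDX SBOM must carry when uploaded via the UI.
ACCEPTED_NAMES = {"cyclonedx.json", "cyclonedx.xml"}

# CycloneDX schema versions this check recognises (assumption: the
# published versions at the time of writing).
KNOWN_SPEC_VERSIONS = {"1.2", "1.3", "1.4", "1.5", "1.6"}


def check_filename(path):
    """Return a finding string if the file name is not one Tidelift accepts."""
    name = Path(path).name
    if name not in ACCEPTED_NAMES:
        return f"file is named {name!r}; rename it to cyclonedx.json or cyclonedx.xml"
    return None


def check_sbom(doc):
    """Return a list of problems found in a parsed CycloneDX JSON document.

    An empty list means the document passed every check.
    """
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
    spec = doc.get("specVersion")
    if spec not in KNOWN_SPEC_VERSIONS:
        findings.append(f"unrecognised specVersion {spec!r}")
    components = doc.get("components")
    if not isinstance(components, list) or not components:
        findings.append("no components listed; the SBOM would import nothing")
        return findings
    seen = set()
    for idx, comp in enumerate(components):
        label = comp.get("name") or f"component #{idx}"
        # Without all three, a component cannot be matched to a package
        # and its advisories, so the SBOM tells the consumer little.
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        purl = comp.get("purl")
        if purl:
            if not purl.startswith("pkg:"):
                findings.append(f"{label}: purl {purl!r} does not start with 'pkg:'")
            if purl in seen:
                findings.append(f"{label}: duplicate purl {purl!r}")
            seen.add(purl)
    return findings


def check_file(path):
    """Run all checks on an SBOM file; returns the combined finding list."""
    findings = []
    name_problem = check_filename(path)
    if name_problem:
        findings.append(name_problem)
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return findings + check_sbom(doc)


# Constructed sample SBOM (not real Syft output): one well-formed
# component and one that is missing its version and purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "leftpad"},
    ],
}


if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    sbom_path = tmp / "cyclonedx.json"
    sbom_path.write_text(json.dumps(SAMPLE_SBOM))
    for problem in check_file(sbom_path):
        print("finding:", problem)
```

Run it against the file you intend to upload (`check_file("path/to/cyclonedx.json")`); an empty finding list means the name and the component data are in the shape the upload steps expect. A vendor-supplied SBOM that reports many missing purls is the usual sign that the producing tool could not identify its packages, and that is better discovered before the file is centralized in Tidelift than after.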