# sbom-analyzer

## SBOM Security Analyzer
Analyze Software Bill of Materials to identify vulnerabilities in declared components for third-party risk management and compliance workflows.
Core Principle: Know what's in your software supply chain.
## Quick Start
1. Receive or locate SBOM file (CycloneDX or SPDX)
2. Validate SBOM format and completeness
3. Run mcp_snyk_snyk_sbom_scan for vulnerability analysis
4. Generate risk report with prioritized findings
5. Provide remediation guidance

## Supported SBOM Formats
| Format | Versions | File Extension |
|---|---|---|
| CycloneDX | 1.4, 1.5, 1.6 | |
| SPDX | 2.3 | |
Note: `mcp_snyk_snyk_sbom_scan` requires Package URLs (purls) in the SBOM for component identification.

## Phase 1: SBOM Validation
Goal: Ensure the SBOM is valid and complete before analysis.
### Step 1.1: Identify SBOM Format
Check the file structure:
CycloneDX Indicators:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [...]
}
```

SPDX Indicators:

```json
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [...]
}
```

### Step 1.2: Validate Completeness
Check for required elements:
| Element | CycloneDX | SPDX | Required |
|---|---|---|---|
| Format version | | | Yes |
| Component list | | | Yes |
| Package URLs | | | Yes* |
| Licenses | | | Recommended |
| Checksums | | | Recommended |
* Package URLs are required for Snyk to identify vulnerabilities.
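Added example, not part of the original skill: a Python check covering Steps 1.1 and 1.2 that detects the format from the top-level indicator keys shown above and counts the completeness gaps the Step 1.3 report lists (missing purl, license, checksum). The SPDX purl lookup via `externalRefs`, and the `licenses`/`hashes` and `licenseConcluded`/`checksums` field names, come from the CycloneDX and SPDX specifications rather than from this page; the sample SBOM is constructed.

```python
SUPPORTED = {"CycloneDX": {"1.4", "1.5", "1.6"}, "SPDX": {"2.3"}}

def detect_format(doc):
    """Step 1.1: read format and spec version from the top-level indicator keys."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX", doc["spdxVersion"].removeprefix("SPDX-")
    raise ValueError("Unable to parse SBOM file: unknown format")

def _purl(fmt, item):
    # CycloneDX puts purl on the component; SPDX carries it as an externalRef
    # (SPDX field names are per the spec, assumed here, not shown on the page).
    if fmt == "CycloneDX":
        return item.get("purl")
    for ref in item.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None

def validate(doc):
    """Steps 1.1 + 1.2: version support and completeness counts for the report."""
    fmt, version = detect_format(doc)
    items = doc.get("components" if fmt == "CycloneDX" else "packages", [])
    report = {"format": fmt, "version": version, "supported": version in SUPPORTED[fmt],
              "total": len(items), "missing_purl": [], "missing_license": 0,
              "missing_checksum": 0}
    for item in items:
        if not _purl(fmt, item):  # Error: component cannot be scanned
            report["missing_purl"].append(item.get("name", "<unnamed>"))
        lic = item.get("licenses") if fmt == "CycloneDX" else item.get("licenseConcluded")
        if not lic or lic == "NOASSERTION":  # Warning
            report["missing_license"] += 1
        if not item.get("hashes" if fmt == "CycloneDX" else "checksums"):  # Info
            report["missing_checksum"] += 1
    return report

# Constructed sample CycloneDX 1.5 SBOM (not a real supplier file).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},  # placeholder hash
        {"name": "component-a", "version": "1.0.0"},  # no purl: cannot be scanned
        {"name": "component-b", "version": "2.1.0", "purl": "pkg:npm/component-b@2.1.0"},
    ],
}
```

`validate(SAMPLE_SBOM)` reports one component without a purl (`component-a`), two without licenses and two without checksums, the same three categories the Step 1.3 table counts.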
### Step 1.3: Report Validation Issues
If SBOM is incomplete, produce a report in this format:
SBOM Validation Results
File: supplier-sbom.json
Format: CycloneDX 1.5
Issues Found
| Issue | Severity | Count |
|---|---|---|
| Missing purl | Error | 15 components |
| Missing license | Warning | 8 components |
| Missing checksum | Info | 23 components |
Components Without purl (Cannot Scan)
- component-a (no package URL)
- component-b (no package URL)
Recommendation: Request updated SBOM from supplier with package URLs.
---

## Phase 2: Security Scan
Goal: Identify vulnerabilities in SBOM components.
### Step 2.1: Run SBOM Scan
Call the tool directly:
```
mcp_snyk_snyk_sbom_scan(file="path/to/sbom.json", severity_threshold="medium")
```

### Step 2.2: Organization-Scoped Scan
To apply org-specific policies:
```
mcp_snyk_snyk_sbom_scan(file="path/to/sbom.json", org="<org-id>", severity_threshold="high")
```

## Phase 3: Risk Analysis
Goal: Generate a comprehensive risk report from scan results.
Produce a single consolidated report covering summary, critical findings, and an overall risk score:
SBOM Security Analysis
Overview
| Metric | Value |
|---|---|
| Total Components | 156 |
| Components Scanned | 141 |
| Components Skipped | 15 (missing purl) |
| Vulnerable Components | 23 |
| Total Vulnerabilities | 47 |
Severity Breakdown
| Severity | Count |
|---|---|
| Critical | 3 |
| High | 12 |
| Medium | 18 |
| Low | 14 |
Critical Vulnerabilities
| Component | Version | CVE | CVSS | Exploited |
|---|---|---|---|---|
| log4j-core | 2.14.1 | CVE-2021-44228 | 10.0 | Yes |
| spring-core | 5.3.17 | CVE-2022-22965 | 9.8 | Yes |
| jackson-databind | 2.9.10 | CVE-2020-36518 | 9.8 | No |
Risk Score: 78/100 (High Risk)
- ⚠️ 2 vulnerabilities with known exploits
- ⚠️ 3 critical severity issues
- ✓ Components from untrusted sources: 0
Recommendation: Do not integrate this software until critical vulnerabilities are addressed.
---

## Phase 4: Remediation Guidance
Goal: Provide actionable upgrade recommendations and vendor communication.
### Step 4.1: Upgrade Recommendations

Recommended Actions
Priority 1: Critical (Must Fix)
| Component | Current | Fixed Version | Notes |
|---|---|---|---|
| log4j-core | 2.14.1 | 2.17.1+ | Log4Shell |
| spring-core | 5.3.17 | 5.3.18+ | Spring4Shell |
Priority 2: High (Should Fix)
| Component | Current | Fixed Version | Notes |
|---|---|---|---|
| lodash | 4.17.15 | 4.17.21 | Prototype pollution |
| axios | 0.21.1 | 1.6.0+ | SSRF vulnerability |
Priority 3: Medium (Plan to Fix)
| Component | Current | Fixed Version | Notes |
|---|---|---|---|
| minimist | 1.2.5 | 1.2.8+ | Prototype pollution |
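Added example, not part of the original skill: Python that turns scan findings into the Phase 3 overview and severity-breakdown tables and the Step 4.1 priority buckets, sorting known-exploited issues first and applying the page's "do not integrate while critical issues remain" gate. The findings are constructed from the rows in this page's tables; CVE ids and CVSS values the page does not show are placeholders, and the critical/high/medium to Priority 1/2/3 mapping follows the headings above.

```python
from collections import Counter, defaultdict

# Constructed findings shaped like the page's tables:
# (component, version, cve, severity, cvss, known_exploited, fixed_version).
# The three critical rows are from the page; lodash/minimist follow its Phase 4
# tables, but their CVE ids are not on the page (None) and their CVSS values
# are made-up placeholders. jackson-databind has no fixed version on the page.
FINDINGS = [
    ("log4j-core", "2.14.1", "CVE-2021-44228", "critical", 10.0, True, "2.17.1"),
    ("spring-core", "5.3.17", "CVE-2022-22965", "critical", 9.8, True, "5.3.18"),
    ("jackson-databind", "2.9.10", "CVE-2020-36518", "critical", 9.8, False, None),
    ("lodash", "4.17.15", None, "high", 7.0, False, "4.17.21"),
    ("minimist", "1.2.5", None, "medium", 5.0, False, "1.2.8"),
]

# Step 4.1 headings; "low" findings appear in the breakdown but are not bucketed.
PRIORITY = {"critical": "Priority 1: Critical (Must Fix)",
            "high": "Priority 2: High (Should Fix)",
            "medium": "Priority 3: Medium (Plan to Fix)"}

def overview(findings, total_components, skipped):
    """Phase 3 overview: vulnerable components are distinct names, not findings."""
    return {"total_components": total_components,
            "components_scanned": total_components - skipped,
            "components_skipped": skipped,
            "vulnerable_components": len({f[0] for f in findings}),
            "total_vulnerabilities": len(findings)}

def severity_breakdown(findings):
    """Severity counts for the breakdown table."""
    return Counter(f[3] for f in findings)

def prioritize(findings):
    """Bucket by severity; within a bucket, known-exploited first, then by CVSS."""
    buckets = defaultdict(list)
    for comp, ver, cve, sev, cvss, exploited, fixed in sorted(
            findings, key=lambda f: (not f[5], -f[4])):
        if sev in PRIORITY:
            buckets[PRIORITY[sev]].append({
                "component": comp, "current": ver, "cve": cve, "exploited": exploited,
                "fixed_version": f"{fixed}+" if fixed else "no fix declared: ask vendor"})
    return dict(buckets)

def integration_blocked(findings):
    """Page's gate: do not integrate while any critical finding is open."""
    return any(f[3] == "critical" for f in findings)
```

With 156 components and 15 skipped, `overview(FINDINGS, 156, 15)` gives 141 scanned, and `prioritize(FINDINGS)` lists log4j-core and spring-core ahead of jackson-databind in Priority 1 because they are known-exploited.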
### Step 4.2: Vendor Communication
Draft a message to the vendor using this template (populate with actual findings):
```
Subject: Security Vulnerabilities in Software SBOM

Dear [Vendor],

During our security review of [Product Name], we identified the following
vulnerabilities in the provided SBOM:

**Critical Issues (Require Immediate Action)**:
1. [Component] [Version] - [CVE] ([Name])
2. [Component] [Version] - [CVE] ([Name])

**Request**:
1. Provide updated software with patched versions
2. Provide updated SBOM reflecting the changes
3. Confirm expected remediation timeline

We require resolution of critical issues before proceeding with integration.

Regards,
[Your Name]
```

## SBOM Generation (Internal Projects)
To generate an SBOM for your own project using the Snyk CLI, then scan it:
```bash
# Generate CycloneDX SBOM
snyk sbom --format=cyclonedx1.5+json > sbom.json

# Generate SPDX SBOM
snyk sbom --format=spdx2.3+json > sbom.json
```

Then scan the generated SBOM:

```
mcp_snyk_snyk_sbom_scan(file="sbom.json")
```

---

## Error Handling
### Invalid SBOM Format
Error: Unable to parse SBOM file
Solutions:
1. Verify file is valid JSON
2. Check SBOM format (CycloneDX/SPDX)
3. Validate against schema
4. Request corrected SBOM from source

### Missing Package URLs
Warning: X components missing purl - cannot scan
Solutions:
1. Request updated SBOM with purls
2. Manually add purls if components are known
3. Document risk of unscanned components

### Unsupported Version
Error: SBOM version not supported
Supported versions:
- CycloneDX: 1.4, 1.5, 1.6
- SPDX: 2.3
Convert SBOM to supported version if possible.

## Constraints
- Requires purls: Components without package URLs cannot be scanned
- JSON only: XML format not currently supported
- Version limits: Only specific CycloneDX/SPDX versions supported
- Network required: Vulnerability database lookup needs connectivity
- Point-in-time: SBOM reflects a specific version — rescan on updates