Native Image --enable-sbom option generates SBOM with dependency references and hierarchy

[hoggmania]

Feature request

Some vulnerabilities are only present if a dependency is brought in directly exposed by direct dependency. In some cases, the vulnerability does not exist if the dependency is a transitive of another dependency. If the SBOM contains dependency references and the hierarchy, then this can be calculated.

The current SBOM generation has a flat structure and does not contain the dependency hierarchy.

The solution could be: -
Either: generic/default with --enable-sbom optional flag, adding the hierarchical feature
Or: add an optional parameter --enable-sbom=cyclondx,strict,hierarchical

This will benefit security checking systems post-build to eliminate false positive security vulnerabilities

The alternative would require generating the hierarchial sbom at build time, however, given the optimasations that go on in the native-image tooling, it is more optimal within this process.

[hoggmania]

An additional ask would be to use https://github.com/package-url/purl-spec instead of CPE as it allows for greater details of the source of the dependencies and aid in attacks against the software supply chain.

[LesSyner]

I'm also interested in getting SBOM with PURL component identifiers, without it SBOM cannot be used by tools which depend on PURL only (many modern tools like Trivy).
I also wanted to highlight @matneu @fniephaus @hoggmania that CycloneDX SBOM may contain both CPE and PURL definition for each component to make everyone satisfied, you don't need to switch from CPE to PURL, only add PURL. Below you can find example of such definition form CycloneDX guide (https://cyclonedx.org/guides/sbom/OWASP_CycloneDX-SBOM-Guide-en.pdf):

"components": [
 {
 "type": "library",
      "group": "com.example",
       "name": "awesome-library",
       "version": "1.0.0",
       "cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
       "purl": "pkg:maven/com.example/awesome-library@1.0.0",
       "swid": {
              "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
              "name": "Acme Awesome Library",
              "version": "1.0.0",
                     "text": {
                     "contentType": "text/xml",
                     "encoding": "base64",
                     "content": "U1dJRCBkb2N1bWVudCBkb2VzIGhlcmU="
                     }
              }
       }
]

[Moscagus]

I'm also interested in getting SBOM with PURL component identifiers, without it SBOM cannot be used by Trivy.

[rudsberg]

@hoggmania @LesSyner @Moscagus I have some exciting updates to share regarding the SBOM feature in GraalVM for JDK 24 (scheduled for release on March 18, 2025). It will include the following enhancements relevant to your requests:

• Dependency Tree - A dependency tree derived from the Native Image static analysis. It will be encoded in the dependencies field.
• Purl Identifiers - The purl (Package URL) field will be implemented. This identifier will also be used in the bom-ref field to identify components.

[rudsberg]

The dependency tree and PURL identifiers were implemented as part of GraalVM for JDK 24.