CBOM
AQtive Guard supports uploading Cryptographic Bill of Materials (CBOM) files in JSON format for analysis and inventory. CBOM provides a comprehensive inventory of an application’s cryptographic objects and dependencies to expand your cryptographic and IT asset inventory in AQtive Guard.
Prerequisites
- A valid Cryptographic Bill of Materials (CBOM) JSON file. AQtive Guard supports the following formats:
  - CycloneDX version 1.4: AQtive Guard validated this version with outputs from CryptoBOM Forge by Santander.
  - CycloneDX version 1.6: AQtive Guard validated this version using outputs from Sonarqube by IBM.
Tip
The OWASP CycloneDX Tool Center lists numerous tools capable of generating CycloneDX 1.4 or 1.6 files. While some of these tools may produce compatible outputs, they aren’t formally tested or supported by AQtive Guard, and functionality cannot be guaranteed.
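A local pre-upload check can catch a file that is not JSON, is not CycloneDX 1.4 or 1.6, or contains no cryptographic assets. The following is an added example, not AQtive Guard code and not the product's own validation; the function name `check_cbom`, the sample document, and the `crypto-asset` component type for 1.4-based output are assumptions.

```python
import json
from collections import Counter

SUPPORTED_SPEC_VERSIONS = ("1.4", "1.6")  # versions the page lists as validated
# "cryptographic-asset" is the CycloneDX 1.6 component type; "crypto-asset"
# is an assumption for CycloneDX 1.4-based CBOM output.
CRYPTO_TYPES = ("cryptographic-asset", "crypto-asset")

def check_cbom(text):
    """Return (problems, asset_counts) for a CBOM JSON document given as text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], Counter()
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"], Counter()
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {doc.get('bomFormat')!r}, expected 'CycloneDX'")
    if doc.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"specVersion {doc.get('specVersion')!r} is not 1.4 or 1.6")
    counts = Counter()
    stack = [doc]
    while stack:  # walk the BOM root and any nested components
        node = stack.pop()
        if not isinstance(node, dict):
            continue
        kids = node.get("components")
        stack.extend(kids if isinstance(kids, list) else [])
        if node.get("type") in CRYPTO_TYPES:
            props = node.get("cryptoProperties")
            kind = props.get("assetType") if isinstance(props, dict) else None
            counts[str(kind or "unspecified")] += 1
    if not counts:
        problems.append("no cryptographic asset components found")
    return problems, counts

# Constructed sample input, not output from any real scanner.
SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "components": [
            {"type": "cryptographic-asset", "name": "AES-128-GCM",
             "cryptoProperties": {"assetType": "algorithm"}}]},
        {"type": "cryptographic-asset", "name": "TLSv1.2",
         "cryptoProperties": {"assetType": "protocol"}}]})

if __name__ == "__main__":
    print(check_cbom(SAMPLE))
```

An empty problem list only means the file passed these basic checks; the per-type counts give a quick figure to compare against what appears in the inventory after upload.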
Upload a CBOM file
To upload a CBOM file, follow these steps:
- Navigate to Data Sources from the main menu, then select Upload in the CBOM panel.
- Enter the following metadata to provide attributes for the CBOM data in AQtive Guard:
  - Application Name - Enter the name of the application or codebase that this CBOM data belongs to, typically referencing the root name of the codebase.
  - Language - The programming language used for the application, as provided by the CBOM, or the tool used to scan the application.

  Note
  Make sure the metadata is entered correctly before you upload the JSON file. It’s used to identify the CBOM data in the associated AQtive Guard tables.
- To upload the CBOM JSON file, either:
  - Click in the target area and select the file from your local system.
  - Drag and drop the file into the target upload area.

The data will begin uploading automatically.