SBOM CycloneDX Package
Checks different properties of the CycloneDX SBOMs associated with the image being validated.
Rules Included
Allowed
Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.
Solution: Update the image to not use any disallowed package.
- Rule type: FAILURE
- FAILURE message: Package is not allowed: %s
- Code: sbom_cyclonedx.allowed
Allowed package external references
Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed. If the "allowed_external_references" rule data key provides a list of type-pattern pairs, then for each listed reference type only references whose url matches the given pattern are allowed, and any other external reference of that type is reported.
Solution: Update the image to use only packages with explicitly allowed external references.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is not explicitly allowed%s
- Code: sbom_cyclonedx.allowed_package_external_references
Allowed package sources
For each component fetched by Hermeto that defines an externalReference of type distribution, verify the source is allowed according to the "allowed_package_sources" rule data key. By default allowed_package_sources is empty, which means no component with such a reference is allowed.
Solution: Update the image to not use a package from a disallowed source.
- Rule type: FAILURE
- FAILURE message: Package %s fetched by Hermeto was sourced from %q which is not allowed
- Code: sbom_cyclonedx.allowed_package_sources
- Effective from: 2024-12-15T00:00:00Z
Allowed proxy URLs
For components with externalReferences of type distribution, verify proxy URLs match at least one pattern from allowed_proxy_url_patterns for the component’s PURL type. Only PURL types listed in proxy_enabled_purl_types are checked. The "proxy_enabled_purl_types" rule data key is a list of PURL type strings (e.g. ["maven", "npm"]). The "allowed_proxy_url_patterns" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {"maven": ["^https://proxy\\.example\\.com/maven/.*"]}). Components with a URL of "NOASSERTION" are skipped. If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all components of that type are denied.
Solution: Ensure the proxy URL matches one of the patterns defined in the allowed_proxy_url_patterns rule data for the given PURL type.
- Rule type: FAILURE
- FAILURE message: Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q
- Code: sbom_cyclonedx.allowed_proxy_urls
- Effective from: 2026-06-01T00:00:00Z
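The proxy-URL check described above, re-implemented in Python as an added example; this is not Conforma's own Rego policy. It reads a CycloneDX JSON document directly, takes the PURL type from each component's purl, and reproduces the three documented behaviours: types outside proxy_enabled_purl_types are ignored, a url of NOASSERTION is skipped, and an enabled type with no entry in allowed_proxy_url_patterns fails every component of that type. Patterns are matched unanchored (Python re.search), which is why the page's own example pattern starts with ^. The SBOM and rule data are constructed for the example.

```python
# Added example: a Python re-implementation of the "Allowed proxy URLs" check.
# It is not Conforma's Rego policy; the SBOM and rule data below are constructed.
import json
import re


def purl_type(purl):
    """Return the lower-cased type of a package-url ("pkg:<type>/..."), or None."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[len("pkg:"):].lstrip("/")
    ptype = body.split("/", 1)[0].lower()
    return ptype or None


def check_proxy_urls(sbom, rule_data):
    """Return one failure message per distribution reference that breaks the rule."""
    enabled = set(rule_data.get("proxy_enabled_purl_types", []))
    patterns_by_type = rule_data.get("allowed_proxy_url_patterns", {})
    failures = []
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        ptype = purl_type(purl)
        if ptype is None or ptype not in enabled:
            continue  # only PURL types listed in proxy_enabled_purl_types are checked
        # An enabled type with no entry here gets an empty pattern list, so every
        # distribution URL of that type fails (documented behaviour).
        patterns = patterns_by_type.get(ptype, [])
        for ref in component.get("externalReferences", []):
            if ref.get("type") != "distribution":
                continue
            url = ref.get("url", "")
            if url == "NOASSERTION":
                continue  # documented skip
            # re.search is unanchored, hence the leading ^ in the patterns
            if not any(re.search(p, url) for p in patterns):
                failures.append(
                    f"Package {purl} has proxy URL {json.dumps(url)} which does not "
                    f"match any allowed pattern for PURL type {json.dumps(ptype)}"
                )
    return failures


# Constructed CycloneDX 1.6 document with one component per case the rule describes.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "guava",
         "purl": "pkg:maven/com.google.guava/guava@32.1.3-jre",
         "externalReferences": [{"type": "distribution",
             "url": "https://proxy.example.com/maven/com/google/guava/guava/32.1.3-jre/guava-32.1.3-jre.jar"}]},
        {"type": "library", "name": "junit", "purl": "pkg:maven/junit/junit@4.13.2",
         "externalReferences": [{"type": "distribution", "url": "NOASSERTION"}]},  # skipped
        {"type": "library", "name": "lodash", "purl": "pkg:npm/lodash@4.17.21",
         "externalReferences": [{"type": "distribution",
             "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}]},
        {"type": "library", "name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0",
         "externalReferences": [{"type": "distribution",
             "url": "https://proxy.example.com/npm/left-pad/-/left-pad-1.3.0.tgz"}]},
        {"type": "library", "name": "requests", "purl": "pkg:pypi/requests@2.32.3",
         "externalReferences": [{"type": "distribution",
             "url": "https://files.pythonhosted.org/packages/requests-2.32.3-py3-none-any.whl"}]},
    ],
}

# Constructed rule data: npm is enabled but has no patterns, so every npm
# distribution URL fails, even the one that already goes through the proxy.
# pypi is not enabled, so the requests component is never examined.
RULE_DATA = {
    "proxy_enabled_purl_types": ["maven", "npm"],
    "allowed_proxy_url_patterns": {"maven": ["^https://proxy\\.example\\.com/maven/.*"]},
}

if __name__ == "__main__":
    for msg in check_proxy_urls(SAMPLE_SBOM, RULE_DATA):
        print(msg)
```

Running it reports exactly two failures, both for npm components: lodash because its distribution URL is the public registry, and left-pad because npm is enabled without any allowed pattern. The maven component passes, the NOASSERTION component and the pypi component are skipped.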
Disallowed package attributes
Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the "disallowed_attributes" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.
Solution: Update the image to not use any disallowed package attributes.
- Rule type: FAILURE
- FAILURE message: Package %s has the attribute %q set%s
- Code: sbom_cyclonedx.disallowed_package_attributes
- Effective from: 2024-07-31T00:00:00Z
Disallowed package external references
Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the "disallowed_external_references" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.
Solution: Update the image to not use a package with a disallowed external reference.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is disallowed%s
- Code: sbom_cyclonedx.disallowed_package_external_references
- Effective from: 2024-07-31T00:00:00Z
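The allowed and disallowed external reference rules, together with the disallowed package attributes rule, re-implemented over a CycloneDX JSON document as an added example that is not Conforma's Rego. The rule data keys are the ones the page names; the entry shapes ({"type", "url"} pairs where url is a regular expression, and {"name", "value"} pairs for attributes, read from each component's CycloneDX properties list), the OR-ing of several allowed patterns for one type, and the wording that stands in for the undocumented %s suffix of the messages are assumptions. The SBOM and rule data are constructed.

```python
# Added example: Python re-implementations of the external-reference and
# attribute checks on a CycloneDX JSON document (not Conforma's Rego policy).
import json
import re


def _references(sbom):
    """Yield (package, reference type, url) for every externalReference in the SBOM."""
    for component in sbom.get("components", []):
        package = component.get("purl") or component.get("name", "<unnamed>")
        for ref in component.get("externalReferences", []):
            yield package, ref.get("type", ""), ref.get("url", "")


def disallowed_external_references(sbom, rule_data):
    """Deny-list: a reference of a listed type whose url matches the pattern fails."""
    entries = rule_data.get("disallowed_external_references", [])
    failures = []
    for package, rtype, url in _references(sbom):
        for entry in entries:
            if rtype == entry["type"] and re.search(entry["url"], url):
                failures.append(f"Package {package} has reference {json.dumps(url)} "
                                f"of type {json.dumps(rtype)} which is disallowed")
    return failures


def allowed_external_references(sbom, rule_data):
    """Allow-list: for a listed type, a url matching none of its patterns fails.
    Types without an entry stay ungoverned. Assumption: several patterns for one
    type are OR-ed; the page does not say how they combine."""
    patterns_by_type = {}
    for entry in rule_data.get("allowed_external_references", []):
        patterns_by_type.setdefault(entry["type"], []).append(entry["url"])
    failures = []
    for package, rtype, url in _references(sbom):
        if rtype in patterns_by_type and not any(
                re.search(p, url) for p in patterns_by_type[rtype]):
            failures.append(f"Package {package} has reference {json.dumps(url)} "
                            f"of type {json.dumps(rtype)} which is not explicitly allowed")
    return failures


def disallowed_package_attributes(sbom, rule_data):
    """Deny-list over CycloneDX component properties (assumed to be what the page
    calls attributes): an entry matches when the property name equals the entry's
    "name" and, if the entry carries a "value", that value as well."""
    failures = []
    for component in sbom.get("components", []):
        package = component.get("purl") or component.get("name", "<unnamed>")
        for prop in component.get("properties", []):
            for entry in rule_data.get("disallowed_attributes", []):
                if prop.get("name") != entry["name"]:
                    continue
                if "value" in entry and prop.get("value") != entry["value"]:
                    continue
                failures.append(f"Package {package} has the attribute {json.dumps(prop['name'])} "
                                f"set to {json.dumps(prop.get('value', ''))}")
    return failures


# Constructed CycloneDX 1.5 document; package and host names are invented.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "colors", "purl": "pkg:npm/colors@1.4.0",
         "externalReferences": [
             {"type": "distribution", "url": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz"},
             {"type": "vcs", "url": "https://github.com/example/colors.git"}],
         "properties": [{"name": "cdx:npm:package:development", "value": "true"}]},
        {"type": "library", "name": "express", "purl": "pkg:npm/express@4.19.2",
         "externalReferences": [
             {"type": "distribution", "url": "https://proxy.example.com/npm/express/-/express-4.19.2.tgz"}],
         "properties": [{"name": "cdx:npm:package:development", "value": "false"}]},
        {"type": "library", "name": "internal-tool", "purl": "pkg:generic/internal-tool@1.0",
         "externalReferences": [
             {"type": "distribution", "url": "http://files.example.com/internal-tool-1.0.tar.gz"}]},
    ],
}

# Constructed rule data exercising all three checks.
RULE_DATA = {
    # allow-list: distribution references must come through the proxy; vcs is ungoverned
    "allowed_external_references": [{"type": "distribution", "url": "^https://proxy\\.example\\.com/"}],
    # deny-list: plain-http distribution references are never acceptable
    "disallowed_external_references": [{"type": "distribution", "url": "^http://"}],
    # deny-list: development-only npm packages must not ship in the image
    "disallowed_attributes": [{"name": "cdx:npm:package:development", "value": "true"}],
}

if __name__ == "__main__":
    for check in (allowed_external_references, disallowed_external_references,
                  disallowed_package_attributes):
        for msg in check(SAMPLE_SBOM, RULE_DATA):
            print(msg)
```

With this data the allow-list reports colors (public registry) and internal-tool (plain http) while leaving express and the vcs reference alone, the deny-list reports only the plain-http download, and the attribute check reports only colors, whose development property is set to "true". Note that the allow-list and deny-list are independent: a URL can be reported by both, and an attribute entry without a "value" matches the property regardless of its value.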
Supported Version
Check that the CycloneDX SBOM specifies a supported schema version (1.4, 1.5 or 1.6).
Solution: Update the build process to produce a CycloneDX 1.4, 1.5 or 1.6 SBOM.
- Rule type: FAILURE
- FAILURE message: CycloneDX SBOM at index %d has unsupported or missing version: %s
- Code: sbom_cyclonedx.cdx_supported_version
Valid 1.4
Check that the CycloneDX SBOM has the expected format by validating it against version 1.4 of the CycloneDX schema.
Solution: Make sure the build process produces a valid CycloneDX SBOM.
- Rule type: FAILURE
- FAILURE message: CycloneDX SBOM at index %d is not valid: %s
- Code: sbom_cyclonedx.valid_cdx_1_4
Valid 1.5
Check that the CycloneDX SBOM has the expected format by validating it against version 1.5 of the CycloneDX schema.
Solution: Make sure the build process produces a valid CycloneDX SBOM.
- Rule type: FAILURE
- FAILURE message: CycloneDX SBOM at index %d is not valid: %s
- Code: sbom_cyclonedx.valid_cdx_1_5
Valid 1.6
Check that the CycloneDX SBOM has the expected format by validating it against version 1.6 of the CycloneDX schema.
Solution: Make sure the build process produces a valid CycloneDX SBOM.
- Rule type: FAILURE
- FAILURE message: CycloneDX SBOM at index %d is not valid: %s
- Code: sbom_cyclonedx.valid_cdx_1_6