
Creating a scan with an SBOM or Lockfile

This guide walks you through uploading a Software Bill of Materials (SBOM) or lock file to improve your scan's findings in the application. An SBOM is a detailed list of all the components used in an application, and performing a scan with an SBOM extends dependency detection.

1. Click "New Scan"

[Screenshot: Click New Scan]

2. Click "Android App" or "iOS App" depending on your target scan.

Select the option to scan either an Android App or an iOS App. Supported formats are .apk, .aab and .ipa.

[Screenshot: Select the asset type]

3. Upload your file

Drag and drop the application file onto the designated area.

[Screenshot: Upload the application file]

4. Click "Continue"

Proceed by clicking on the "Continue" button.

[Screenshot: Click Continue]

5. Upload your SBOM or Lock file

Drag and drop the SBOM or lock file onto the designated area.

[Screenshot: Upload the SBOM or lock file]

6. Click "Continue"

Proceed by clicking on the "Continue" button.

[Screenshot: Proceed to the scan profile step]

7. Select your scan profile

Select "Fast Scan" for static-only (SAST) checks, or "Full Scan" for static, dynamic, and backend checks.

[Screenshot: Select a scan profile]

8. Click "Submit"

Submit the scan by clicking on the "Submit" button. A Fast Scan takes less than an hour on average to complete. Once submitted, you can access the scan from the Scans menu.

[Screenshot: Click Submit]

9. Generate a Gradle lockfile for Android

Check your project for a gradle.lockfile file. If it does not exist, follow these steps to generate one.

  • Add the following to your build.gradle.kts or build.gradle file to enable dependency locking for every configuration:
    dependencyLocking {
        lockAllConfigurations()
    }
  • Resolve the dependencies once with locking enabled, e.g. ./gradlew dependencies --write-locks; Gradle then writes gradle.lockfile next to the build file.

[Screenshot: Generate a Gradle lockfile for Android]

10. Generate the Flutter lock file

Check your project for a pubspec.lock file. If it does not exist, you can generate one by running flutter pub get in the project root.

[Screenshot: Generate the Flutter lock file]

11. Generate an SBOM for Android, iOS or Flutter

Numerous SBOM generation tools are available that simplify the process of listing all the components of an application. We're going to use Syft to generate an SBOM for our Android, iOS or Flutter application.

In the root of your project, run syft . -o {file_format}, where {file_format} is one of the supported SBOM formats, e.g.:

syft . -o spdx
[Screenshot: Example output of an SPDX SBOM for Android]
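Before uploading, it is worth confirming that the generated file actually lists the components you expect, since an empty or mis-formatted SBOM adds nothing to dependency detection. The Python check below is an added example, not part of this guide or of the scanning product; it parses the SPDX tag-value output produced by the syft command above and CycloneDX JSON (both accepted upload formats), and returns each package name and version, keeping packages for which no version was recorded. The two sample documents are constructed for the example and are not real Syft output.

```python
import json
import re

# Constructed sample of Syft's SPDX tag-value output (`syft . -o spdx`), cut down
# to the tags this check reads; it is not output from a real scan.
SAMPLE_SPDX_TV = """SPDXVersion: SPDX-2.3
PackageName: okhttp
PackageVersion: 4.9.3
PackageName: kotlin-stdlib
PackageVersion: 1.8.0
PackageName: unversioned-lib
"""

# Constructed CycloneDX JSON sample (`syft . -o cyclonedx-json`), same caveat.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "library", "name": "okhttp", "version": "4.9.3"},
                   {"type": "library", "name": "kotlin-stdlib", "version": "1.8.0"}],
})

TAG = re.compile(r"^(PackageName|PackageVersion):\s*(.*)$")

def components_from_spdx_tag_value(text):
    """(name, version) pairs from SPDX tag-value; version is None when absent."""
    pairs, name, version = [], None, None
    for m in filter(None, map(TAG.match, text.splitlines())):
        if m.group(1) == "PackageName":   # a new package section starts
            if name is not None:
                pairs.append((name, version))
            name, version = m.group(2).strip(), None
        else:
            version = m.group(2).strip()
    if name is not None:                  # flush the final section
        pairs.append((name, version))
    return pairs

def components_from_cyclonedx_json(text):
    """(name, version) pairs from CycloneDX JSON; rejects other JSON documents."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c.get("name"), c.get("version")) for c in bom.get("components", [])]

def sbom_components(text):
    """Detect the SBOM flavour and list its components; [] means nothing to upload."""
    if text.lstrip().startswith("{"):
        return components_from_cyclonedx_json(text)
    if "SPDXVersion:" in text:
        return components_from_spdx_tag_value(text)
    raise ValueError("unrecognised SBOM format")
```

Run sbom_components on the file you are about to upload and review the list; a package without a version cannot be matched against known vulnerable releases, so those entries are the ones to fix in the build before scanning.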

Supported SBOM/Lock files

  • SPDX
  • CycloneDX
  • gradle.lockfile
  • pubspec.lock
  • buildscript-gradle.lockfile
  • pnpm-lock.yaml
  • package-lock.json
  • packages.lock.json
  • pom.xml
  • Gemfile.lock
  • yarn.lock
  • Cargo.lock
  • composer.lock
  • conan.lock
  • mix.lock
  • go.mod
  • requirements.txt
  • Pipfile.lock
  • poetry.lock