cyclonedx-cli
Provide an option to convert a Mend UA JSON to a CycloneDX JSON
Mend reports are fairly standard JSON and actually have the necessary information in them to create a valid CycloneDX JSON with valid Purls.
This is a sample one, and you can see that by combining libraries/artifactid (package name) and libraries/version (package version), and using libraries/type (Technology), you can create valid purls.
In this example the libraries type is javascript/Node.js, so you could take the first entry of
json-schema 0.4.0 javascript/Node.js
and create a Purl of
pkg:npm/json-schema@0.4.0
Unfortunately, this is the only example Mend UA report I have and so I cannot give any further information as to what the libraries/type fields could be set to.
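A minimal illustration of the conversion described above, added here as an example; it is not part of cyclonedx-cli or of Mend's own export. It assumes the Mend UA field names libraries[].artifactId, version and type, takes only the javascript/Node.js to npm mapping attested in this issue, and percent-encodes purl segments (including scoped npm names) as the purl spec requires:

```python
import json
from urllib.parse import quote

# Constructed Mend UA-style input (not a real report). Field names follow the
# issue text; only the "javascript/Node.js" type value is attested there.
SAMPLE_MEND_UA = {"libraries": [
    {"artifactId": "json-schema", "version": "0.4.0", "type": "javascript/Node.js"},
    {"artifactId": "@babel/core", "version": "7.20.0", "type": "javascript/Node.js"},
    {"artifactId": "mystery-lib", "version": "1.2.3", "type": "unknown/ecosystem"},
]}

# Mend "type" -> purl type. Only the npm row is confirmed by the issue; any
# unmapped type falls back to purl's "generic" type instead of guessing.
PURL_TYPE_BY_MEND_TYPE = {"javascript/Node.js": "npm"}


def to_purl(artifact_id: str, version: str, mend_type: str) -> str:
    """Build a purl, percent-encoding each segment as the purl spec requires."""
    ptype = PURL_TYPE_BY_MEND_TYPE.get(mend_type, "generic")
    if ptype == "npm" and artifact_id.startswith("@") and "/" in artifact_id:
        # Scoped npm package: the scope becomes the purl namespace, "@" -> %40.
        scope, name = artifact_id.split("/", 1)
        path = f"{quote(scope, safe='')}/{quote(name, safe='')}"
    else:
        path = quote(artifact_id, safe="")
    return f"pkg:{ptype}/{path}@{quote(version, safe='')}"


def mend_ua_to_cyclonedx(report: dict) -> dict:
    """Map each Mend library entry to a CycloneDX 1.4 'library' component."""
    components = []
    for lib in report.get("libraries", []):
        name, version = lib["artifactId"], lib["version"]
        purl = to_purl(name, version, lib.get("type", ""))
        # bom-ref must be unique per component; the purl serves here (assumes
        # the report has no duplicate name/version pairs).
        components.append({"type": "library", "bom-ref": purl,
                           "name": name, "version": version, "purl": purl})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def to_json(report: dict) -> str:
    return json.dumps(mend_ua_to_cyclonedx(report), indent=2)
```

Any other libraries/type value is emitted as pkg:generic, which keeps the SBOM valid but leaves that component useless for vulnerability matching until the mapping is extended with real Mend type values.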
Mend already exports to CycloneDX. See https://docs.mend.io/bundle/sca_user_guide/page/the_sbom_export_report.html
@stevespringett That does depend on whether you have Mend or have only been provided with a Mend output, which is the case we have. We work with customers that provide us with a Mend output that we then need to analyse. Converting it to an SBOM makes it easier.
Could they provide us with a Mend CDX SBOM? Possibly, but we have not been completely convinced of the accuracy of them, and some are reluctant to do so (do not ask), so a nice simple conversion process would be appreciated! :-)