Transitive SBOM
The Transitive Dependencies Feature in JFrog Xray provides comprehensive visibility into the complete dependency tree of your software artifacts. While traditional SBOM (Software Bill of Materials) analysis focuses on direct dependencies, this feature goes deeper by automatically discovering and analyzing the relationships between all components in your software supply chain.
Important
This capability depends on the SBOM Service. Self-Managed users must enable the SBOM feature, complete the SBOM migration, and enable the feature via the sbom.dependenciesEnabled feature flag.
If SBOM is disabled, the API returns 403 – "SBOM is disabled".
Transitive SBOM for Binary Artifacts
How It Works
- Declaration Extraction
The system begins by extracting dependency declarations from your artifacts. This process involves:
  - Package Analysis: The system analyzes various package types to identify dependency specifications.
  - Declaration Parsing: It reads dependency files (like package.json, pom.xml, requirements.txt, etc.) to understand what dependencies each component declares.
  - Metadata Processing: The system processes package metadata to build a comprehensive dependency map.
- Dependency Resolution
Once declarations are extracted, the system resolves the complete dependency tree:
  - Graph Construction: Creates a dependency graph showing relationships between all components.
  - Relationship Mapping: Maps direct, transitive, and first-party relationships.
The Transitive SBOM Feature currently works exclusively with bundled artifacts, that is, artifacts that contain all their dependencies inside the filesystem or archive. This means:
- Supported: Docker Images, Builds, and Release Bundles that contain their dependencies within the package.
- Supported: SBOM (CycloneDX, SPDX) files whose own dependency graphs are already resolved, so that the dependencies are provided in the file itself.
- Not Supported: Artifacts that reference external dependencies without bundling them.
Binary Dependency Resolution
The Transitive Dependencies Feature supports binary dependency resolution for specific programming languages with their respective dependency metadata files:
| Programming Language | Package Manager | Dependency Metadata File |
|---|---|---|
| Java | Maven | pom.xml |
| Python | PyPI | pyproject.toml, PKG-INFO |
| .NET | NuGet | *.deps.json |
| Go | Go | Extracted from compiled binary |
Transitive SBOM for SBOM Artifacts (CycloneDX, SPDX)
The Feature leverages SBOM files' dependency fields (CycloneDX's "dependsOn", SPDX's "dependency relationship") to construct the dependency graph of the artifact.
Transitive SBOM for SBOM artifacts is not constrained by a specific package type; its accuracy depends on the quality of the dependency data provided in the input SBOM file.
| Format | Dependency Field |
|---|---|
| CycloneDX | dependsOn |
| SPDX 2 | dependencyRelationship |
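To illustrate how a resolved dependsOn graph yields the direct versus transitive classification described above, here is an added Python example; it is not part of JFrog's documentation or of Xray's implementation, and it runs over a small constructed CycloneDX 1.5 document embedded inline. It also flags components that the dependencies array never references, which is one way poor input data shows up.

```python
import json
from collections import deque

# Constructed CycloneDX JSON (not a real artifact): app depends on lib-a and
# lib-b; lib-a depends on lib-c; lib-c depends on lib-d. lib-e is listed as a
# component but no "dependsOn" entry references it (incomplete input data).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/app@1.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/lib-a@1.0", "name": "lib-a"},
        {"bom-ref": "pkg:npm/lib-b@2.0", "name": "lib-b"},
        {"bom-ref": "pkg:npm/lib-c@3.0", "name": "lib-c"},
        {"bom-ref": "pkg:npm/lib-d@4.0", "name": "lib-d"},
        {"bom-ref": "pkg:npm/lib-e@5.0", "name": "lib-e"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:npm/lib-a@1.0", "pkg:npm/lib-b@2.0"]},
        {"ref": "pkg:npm/lib-a@1.0", "dependsOn": ["pkg:npm/lib-c@3.0"]},
        {"ref": "pkg:npm/lib-c@3.0", "dependsOn": ["pkg:npm/lib-d@4.0"]},
        {"ref": "pkg:npm/lib-b@2.0", "dependsOn": []},
    ],
})


def build_graph(bom_text):
    """Return (root_ref, adjacency dict) built from the CycloneDX 'dependencies' array."""
    bom = json.loads(bom_text)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {c["bom-ref"]: [] for c in bom.get("components", [])}
    graph.setdefault(root, [])
    for entry in bom.get("dependencies", []):
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
    return root, graph


def classify(bom_text):
    """Map each non-root component to ('direct'|'transitive'|'unreferenced', depth)."""
    root, graph = build_graph(bom_text)
    depth = {root: 0}
    queue = deque([root])
    while queue:  # breadth-first walk; the depth check also makes cycles harmless
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    result = {}
    for ref in graph:
        if ref == root:
            continue
        if ref not in depth:
            result[ref] = ("unreferenced", None)
        else:
            result[ref] = ("direct" if depth[ref] == 1 else "transitive", depth[ref])
    return result
```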
Features That Use Transitive SBOM
SBOM Tree View (Advanced Security)
The SBOM Tree View provides an interactive, hierarchical visualization of your complete dependency tree:
- Interactive Navigation: Expand and collapse dependency levels to explore the tree
- Relationship Visualization: See direct vs. transitive dependencies clearly marked
Dependency Information in SBOM Export (Security Essentials)
Including the dependency relationship in your Software Bill of Materials (SBOM) is an important aspect of its completeness. This information, which maps how all software components are connected, is mandated by numerous cybersecurity frameworks to ensure supply chain transparency. An SBOM without this relational data is considered incomplete and fails to meet foundational compliance standards.
Dependency information is supported in both SPDX and CycloneDX formats.
Examples of Regulatory Frameworks Requiring Dependency Relationships:
| Regulation | Requirement |
|---|---|
| NTIA's SBOM guidelines for EO-14028 ("Improving the Nation's Cybersecurity"), "The Minimum Elements for an SBOM" | The SBOM must include the dependency relationship to characterize "the relationship that an upstream component X is included in software Y". |
| OpenChain Telecom Industry SBOM Guide | An SBOM shall contain all open-source software delivered with the product, including all transitive dependencies. |
| IMDRF and FDA Medical Device Regulations | Manufacturers must provide a complete list of all software components, including commercial, open-source, and off-the-shelf items. |
| Germany's BSI TR-03183 | The guideline requires a comprehensive inventory of all libraries and components, including versions and dependencies, to enable robust vulnerability management and ensure software supply chain integrity. |