Ketryx can scan SPDX files reported to it via the Build API to extract crucial information about software packages, including version, license and advisory information (advisory references were introduced in SPDX version 2.3), and checks direct and indirect (transitive) dependencies for vulnerabilities. Ketryx parses the SPDX file and creates dependencies as defined within it. If you have submitted a file and are not seeing dependencies in the Ketryx SBOM and Vulnerability modules, it may be due to one of the following reasons:
The version selected in the SBOM and Vulnerabilities module does not align with the commit
Under build history, a build may or may not have a defined Version. If it does, you will only see its dependencies in the SBOM and Vulnerability modules when that Version is selected from the dropdown options.
File format
Ketryx supports SPDX files in JSON format for versions 2.2 and 2.3 of the SPDX specification. Parsing of dependencies in other formats is not currently supported. SPDX files in JSON format can be generated with a variety of tools (see the documentation on tools that support SPDX generation).
File does not include expected dependencies
If the generated/submitted file does not include the expected dependencies, Ketryx will not parse them and the SBOM module will not be populated. To validate the quality of your generated file, review the latest build submission in the Ketryx History module.
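A local pre-submission check covers the two points above (supported SPDX JSON version, and whether the dependencies you expect are actually present as relationships). The script below is an added example, not Ketryx's own parser: it reads an SPDX 2.2/2.3 JSON document, rejects other spdxVersion values, walks DESCRIBES / DEPENDS_ON / DEPENDENCY_OF relationships to classify packages as direct or transitive, and collects each package's version, license and any SECURITY/advisory external references. The embedded SBOM, its package names and the advisory URL are constructed placeholders.

```python
"""Pre-submission check for an SPDX 2.2/2.3 JSON SBOM (added example, not Ketryx code)."""
import json
from collections import deque

# Constructed sample SBOM: one root application, one direct dependency (libfoo) and one
# transitive dependency (libbar) carrying an SPDX 2.3 SECURITY/advisory external reference.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/spdx/example-app-sbom",
  "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: constructed-example"]},
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
    {"name": "libfoo", "SPDXID": "SPDXRef-libfoo", "versionInfo": "2.4.1",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/libfoo@2.4.1"}]},
    {"name": "libbar", "SPDXID": "SPDXRef-libbar", "versionInfo": "0.9.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "advisory",
                       "referenceLocator": "https://example.invalid/advisories/PLACEHOLDER-ID"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-libfoo"},
    {"spdxElementId": "SPDXRef-libbar", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-libfoo"}
  ]
}
"""

# The two specification versions the article names as supported in JSON form.
SUPPORTED_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}


def load_spdx(text):
    """Parse the JSON document and refuse spdxVersion values outside the supported set."""
    doc = json.loads(text)
    version = doc.get("spdxVersion")
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported spdxVersion {version!r}; expected one of {sorted(SUPPORTED_VERSIONS)}")
    return doc


def dependency_graph(doc):
    """Adjacency map parent SPDXID -> child SPDXIDs from DEPENDS_ON and its inverse DEPENDENCY_OF."""
    graph = {pkg["SPDXID"]: set() for pkg in doc.get("packages", [])}
    roots = []
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DESCRIBES" and src == doc["SPDXID"]:
            roots.append(dst)  # the package(s) the document describes
        elif kind == "DEPENDS_ON":
            graph.setdefault(src, set()).add(dst)
        elif kind == "DEPENDENCY_OF":  # "A DEPENDENCY_OF B" means B depends on A
            graph.setdefault(dst, set()).add(src)
    return graph, roots


def classify_dependencies(doc):
    """Breadth-first walk from the described root(s): depth 1 is direct, deeper is transitive."""
    graph, roots = dependency_graph(doc)
    depth = {}
    queue = deque((root, 0) for root in roots)
    while queue:
        node, d = queue.popleft()
        if node in depth:  # already visited (diamond or cycle); BFS keeps the shortest depth
            continue
        depth[node] = d
        for child in graph.get(node, ()):
            queue.append((child, d + 1))
    return {
        "direct": {n for n, d in depth.items() if d == 1},
        "transitive": {n for n, d in depth.items() if d > 1},
    }


def package_summary(doc):
    """Per-package version, license and any SECURITY/advisory locators (an SPDX 2.3 reference type)."""
    out = {}
    for pkg in doc.get("packages", []):
        advisories = [ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                      if ref.get("referenceCategory") == "SECURITY" and ref.get("referenceType") == "advisory"]
        out[pkg["SPDXID"]] = {
            "name": pkg["name"],
            "version": pkg.get("versionInfo", "NOASSERTION"),
            "license": pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION",
            "advisories": advisories,
        }
    return out


def check_expected(doc, expected_names):
    """Package names you expect but that are not reachable from the root through relationships."""
    summary = package_summary(doc)
    reachable = set().union(*classify_dependencies(doc).values())
    present = {summary[spdx_id]["name"] for spdx_id in reachable if spdx_id in summary}
    return sorted(set(expected_names) - present)


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX_JSON)
    print(classify_dependencies(doc))
    print(check_expected(doc, ["libfoo", "libbar", "libbaz"]))  # libbaz is missing from the SBOM
```

Run it against your generated file by replacing SAMPLE_SPDX_JSON with the file's contents; a package that is listed under "packages" but has no relationship path from the described root will show up in check_expected, which is the usual cause of a dependency that is present in the file yet absent from a graph-based SBOM view.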
An error submitting the file
If you do not see the relevant file in the History module, there may have been an error with the commit. Please review our Build API documentation.