
How to trace dependencies to marketplace content using SBOM

Introduction

The Mendix Marketplace allows developers to extend applications with additional features and functionality using widgets and modules. These widgets and modules make use of external dependencies (Java libraries in the form of JAR files), which are placed in either the vendorlib or userlib folder in the app directory. These dependencies can have their own dependencies, leading to multiple levels of dependencies that can be difficult to trace back to the widget or module they belong to.

This article will explain how to trace dependencies to their parent widget/module using a Software Bill of Materials (SBOM).

Environment

Studio Pro 10.18.0 and newer

Instructions/Procedure

The following transitive dependency will be used for demonstration purposes: jakarta.mail-api-2.1.3.jar

To trace a dependency back to the parent widget/module it belongs to, follow the steps listed below:

  1. Open Studio Pro and navigate to App > Tools > Generate Bill of Materials (it is also possible to do this with MxBuild, as mentioned in the Generating an SBOM documentation)

  2. Open the newly generated SBOM file (it will be in .json format) and use the find functionality to search for the name of the specific dependency (in this case jakarta.mail-api)

  3. Copy the UUID value of the bom-ref field (in this case f769f525-397f-41f9-8855-1db7b7825f1f)
  4. Use the find functionality again and search for this UUID to determine what depends on jakarta.mail-api (identified by the UUID f769f525-397f-41f9-8855-1db7b7825f1f). The search might return several results, in which case steps 5-7 below should be repeated for each result.

    Screenshot 2026-03-31 155838.png
  5. As shown in the above screenshot, jakarta.mail-api is depended on by three different dependencies. By searching the UUID values of the ref field in each case, it is possible to trace each one back to a different dependency. For example, searching for 60178dc5-1956-4d7e-8958-e5fc77a6c465 (the topmost result in the screenshot above) will yield the following search result:

    Screenshot 2026-03-31 161334.png
  6. It can thus be determined that jakarta.mail-api is a dependency that is used by angus-mail (another dependency).
  7. Steps 3 and 4 must then be repeated with the UUID 60178dc5-1956-4d7e-8958-e5fc77a6c465, which will yield the following result:

    Screenshot 2026-03-31 162651.png
  8. As shown in the above screenshot, angus-mail is a dependency of the Email Connector module. It can thus be determined that jakarta.mail-api is a transitive (indirect) dependency of the Email Connector module by tracing it back as follows: jakarta.mail-api > angus-mail > Email Connector.
    This approach can be followed for any dependency to trace it back to its parent widget/module. Note that one dependency can be found in several different widgets/modules.
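
The manual search in steps 2-8 can also be scripted. The following Python script is an added example, not part of the original article or of Mendix tooling; it walks the SBOM upwards from a dependency and prints every chain to a top-level parent. It assumes the SBOM lists components with bom-ref and name fields and has a dependencies section whose entries carry ref and dependsOn; the function name, the "placeholder-" refs and the other-lib / Other Module entries are constructed for illustration.

```python
import json
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample. Assumed layout: components carry "bom-ref"; each entry in
# "dependencies" has "ref" and "dependsOn". Refs starting "placeholder-" are made up.
MAIL_API = "f769f525-397f-41f9-8855-1db7b7825f1f"  # UUIDs quoted in the article
ANGUS = "60178dc5-1956-4d7e-8958-e5fc77a6c465"
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "placeholder-email-connector", "name": "Email Connector"},
        {"bom-ref": ANGUS, "name": "angus-mail"},
        {"bom-ref": MAIL_API, "name": "jakarta.mail-api"},
        {"bom-ref": "placeholder-other-lib", "name": "other-lib"},
        {"bom-ref": "placeholder-other-module", "name": "Other Module"},
    ],
    "dependencies": [
        {"ref": "placeholder-email-connector", "dependsOn": [ANGUS]},
        {"ref": ANGUS, "dependsOn": [MAIL_API]},
        {"ref": "placeholder-other-lib", "dependsOn": [MAIL_API]},
        {"ref": "placeholder-other-module", "dependsOn": ["placeholder-other-lib"]},
    ],
}

def trace_to_parents(sbom, name_fragment):
    """Return every chain [dependency, ..., top-level parent] as component names."""
    names = {c["bom-ref"]: c.get("name", c["bom-ref"]) for c in sbom.get("components", [])}
    parents = defaultdict(set)  # child bom-ref -> refs that list it in dependsOn
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].add(dep["ref"])
    chains = []
    def walk(path):
        ups = [p for p in sorted(parents.get(path[-1], ())) if p not in path]  # skip cycles
        if not ups:  # nothing depends on this entry: top of the chain
            chains.append([names.get(r, r) for r in path])
        for p in ups:
            walk(path + [p])
    for ref, name in names.items():
        if name_fragment in name:
            walk([ref])
    return chains

if __name__ == "__main__":  # optional args: <sbom.json> <dependency-name>
    real = len(sys.argv) == 3
    sbom = json.loads(Path(sys.argv[1]).read_text(encoding="utf-8")) if real else SAMPLE_SBOM
    for chain in trace_to_parents(sbom, sys.argv[2] if real else "jakarta.mail-api"):
        print(" > ".join(chain))
```

A ref that has no matching entry under components is printed as its raw bom-ref value.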

Outcome

By following the steps listed above, the parent widget/module of a dependency can be determined.
