SBOM export
Learn about SBOM export reports.
This feature is only available for SCA Enterprise users.
What is SBOM?
A Software Bill of Materials (SBOM) is a record of the supply chain relationships between the components used when creating software. The record lists all components of a product, including all open source software, which can be helpful for both the developers and other stakeholders, such as investors and legal teams.
For more information on SBOM, see Debricked blogs.
There are a few data points included in the SBOM which are not included in the regular license export:
Proof of license - A reference to the source from where the license information is fetched. This field is applicable only for CycloneDX SBOM.
License text - The actual text that the license consists of. This field is applicable only for CycloneDX SBOM.
Copyright statement - Displays the person or organization who holds the copyright.
Open Source Select link - A link to the dependency page in Open Source Select, where you can find additional information on the specific open-source package.
Dependency relations - Contains information on each component and their direct dependencies. See the Dependency relations sections on the CycloneDX SBOM export and SPDX SBOM export pages for more details.
Root Fixes - This data can be found under Recommendation. It consists of information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See the section Root Fixes for more details. This field is applicable only for CycloneDX SBOM.
Keep in mind that license information may differ depending on the package and the specific version used.
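The data points above (license text, copyright statement and dependency relations) all land in standard CycloneDX fields once the export arrives, and the dependency relations are what let you trace a vulnerable indirect dependency back to the direct dependency that pulls it in, which is the relationship the Root Fixes data describes. The following reader is an added example, not Debricked's code; it works on a constructed CycloneDX 1.4 document with made-up package names, and it uses only standard CycloneDX fields (components[].licenses[].license.id/name/text.content, components[].copyright, dependencies[].ref/dependsOn). Debricked-specific fields such as the proof of license, the Open Source Select link and the Root Fixes recommendation are not modelled because the page does not give their names.

```python
import json
from typing import Dict, List, Set

# Constructed CycloneDX 1.4 sample standing in for a Debricked export.
# Package names, versions, license texts and copyright lines are made up.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "bom-ref": "pkg:npm/example-app@1.0.0",
                  "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/web-framework@4.0.0",
     "name": "web-framework", "version": "4.0.0",
     "licenses": [{"license": {"id": "MIT",
                   "text": {"contentType": "text/plain",
                            "content": "Permission is hereby granted (constructed text)"}}}],
     "copyright": "Copyright (c) Example Maintainers (constructed)"},
    {"type": "library", "bom-ref": "pkg:npm/http-parser@2.0.0",
     "name": "http-parser", "version": "2.0.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:npm/logger@1.2.3",
     "name": "logger", "version": "1.2.3",
     "licenses": [{"license": {"name": "Custom license (constructed)"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0",
     "dependsOn": ["pkg:npm/web-framework@4.0.0", "pkg:npm/logger@1.2.3"]},
    {"ref": "pkg:npm/web-framework@4.0.0", "dependsOn": ["pkg:npm/http-parser@2.0.0"]},
    {"ref": "pkg:npm/http-parser@2.0.0", "dependsOn": []},
    {"ref": "pkg:npm/logger@1.2.3", "dependsOn": []}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse the exported .json document."""
    return json.loads(text)


def component_index(sbom: dict) -> Dict[str, dict]:
    """Map each component's bom-ref to its component record."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def license_summary(component: dict) -> List[dict]:
    """Flatten the licenses array: SPDX id or free-form name, and whether the full text is attached."""
    rows = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        rows.append({
            "license": lic.get("id") or lic.get("name") or "UNKNOWN",
            "has_text": bool(lic.get("text", {}).get("content")),
        })
    return rows


def dependency_graph(sbom: dict) -> Dict[str, List[str]]:
    """Adjacency list built from the dependencies section (ref -> dependsOn)."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def direct_dependencies(sbom: dict) -> List[str]:
    """Direct dependencies are the children of the root component named in metadata."""
    root = sbom["metadata"]["component"]["bom-ref"]
    return dependency_graph(sbom).get(root, [])


def _reachable(graph: Dict[str, List[str]], start: str, target: str) -> bool:
    """Iterative DFS with a visited set so cyclic dependency data cannot loop forever."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return False


def roots_pulling_in(sbom: dict, target_ref: str) -> Set[str]:
    """Which direct dependencies (the 'roots') transitively bring in target_ref."""
    graph = dependency_graph(sbom)
    return {d for d in direct_dependencies(sbom) if _reachable(graph, d, target_ref)}


def components_missing_license_text(sbom: dict) -> List[str]:
    """Components whose export carries no full license text: candidates for manual review."""
    return [ref for ref, comp in component_index(sbom).items()
            if not any(row["has_text"] for row in license_summary(comp))]


SAMPLE_SBOM = load_sbom(SAMPLE_SBOM_JSON)

if __name__ == "__main__":
    for ref, comp in component_index(SAMPLE_SBOM).items():
        print(ref, license_summary(comp), comp.get("copyright", "<no copyright statement>"))
    print("roots of http-parser:", roots_pulling_in(SAMPLE_SBOM, "pkg:npm/http-parser@2.0.0"))
    print("no license text:", components_missing_license_text(SAMPLE_SBOM))
```

Point the `load_sbom` call at the file from the export email instead of the constructed sample to run this on a real CycloneDX export; the SPDX export uses a different structure (packages and relationships) and would need its own reader.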
Export a CycloneDX or SPDX SBOM using the web tool
Keep in mind that this feature is only available for enterprise users.
In order to generate the CycloneDX or SPDX SBOM Export:
Click Generate export on the top right corner of the page.
Under Scope, select all repositories you wish to see the data for.
Select CycloneDX or SPDX under SBOM as the Export type.
Click Generate.
Check your email for the exported data, which will be sent to you in .json format. If you cannot find the email in your inbox, check the spam folder.
Export a CycloneDX or SPDX SBOM to email using the API
If you have already integrated your repository with Debricked, you can generate a CycloneDX or SPDX SBOM by fetching your data through the API.
To use the Debricked REST API, you must authenticate first.
Endpoint: /api/1.0/open/sbom/generate
Following is an example of a request using curl to generate an SPDX SBOM (to generate a CycloneDX SBOM, use "format": "CycloneDX"):
You can send the following parameters in the body of the request: commitId, email, repositoryIds, branch, locale. You can choose to add license and vulnerability data, using licenses: true/false and vulnerabilities: true/false.
If you provide a commitId, the branch and repositoryIds will be ignored. If you leave the branch field empty, the report is generated for the identified default branch (most likely 'main' or 'master', if applicable) of the selected repository. It is also possible to create an SBOM for all repositories by not specifying any repositoryIds.
Once you send the request, you will receive your SBOM via email in .json format. If you can't find the email in your inbox, check the spam folder. If you do not provide an email address, the SBOM is sent to the email of the user who created the request.
Export a CycloneDX or SPDX SBOM directly from the API
It is also possible to generate a CycloneDX or SPDX SBOM and download it directly through the API.
As part of the response of the /api/1.0/open/sbom/generate endpoint, a reportUuid is sent, which can be used in the /api/1.0/open/sbom/download endpoint.
Following is an example response from the /api/1.0/open/sbom/generate endpoint:
Following is an example request for the /api/1.0/open/sbom/download endpoint:
If you do not want the report to also be sent to your email, it is possible to turn this off by setting the "sendEmail" value to "false" in the /api/1.0/open/sbom/generate endpoint.
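The two API flows above (generate-and-email, and generate-then-download with the reportUuid) share the same request body, and the body rules in the email section (commitId overrides branch and repositoryIds; omitting repositoryIds covers all repositories; licenses, vulnerabilities and sendEmail are booleans) are easy to get wrong by hand. The following client is an added example, not Debricked's own code or SDK, and only the paths, the body keys and the reportUuid response field come from this page. Everything else is an assumption and is marked as such in the code: that the API is served from https://debricked.com, that the bearer JWT goes in the Authorization header, that the download endpoint takes the id as a reportUuid query parameter, and that a report may not be ready the instant it is requested, so the download is retried. It uses only the Python standard library.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, Iterable, Optional

# ASSUMPTIONS (not stated on the page): base URL, bearer-token header and the
# query-parameter name used to pass the report id to the download endpoint.
BASE_URL = "https://debricked.com"
GENERATE_PATH = "/api/1.0/open/sbom/generate"   # from the page
DOWNLOAD_PATH = "/api/1.0/open/sbom/download"   # from the page
FORMATS = ("SPDX", "CycloneDX")                 # the two "format" values on the page


def build_generate_body(fmt: str,
                        repository_ids: Optional[Iterable[int]] = None,
                        branch: Optional[str] = None,
                        commit_id: Optional[str] = None,
                        email: Optional[str] = None,
                        locale: Optional[str] = None,
                        licenses: bool = True,
                        vulnerabilities: bool = True,
                        send_email: bool = True) -> Dict[str, Any]:
    """Build the JSON body for /sbom/generate, applying the page's precedence rules."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {FORMATS}, got {fmt!r}")
    body: Dict[str, Any] = {
        "format": fmt,
        "licenses": licenses,
        "vulnerabilities": vulnerabilities,
        "sendEmail": send_email,
    }
    if commit_id:
        # The server ignores branch and repositoryIds when commitId is present,
        # so leave them out rather than send values that silently do nothing.
        body["commitId"] = commit_id
    else:
        if repository_ids:            # omitted entirely -> SBOM for all repositories
            body["repositoryIds"] = list(repository_ids)
        if branch:                    # omitted -> server picks the default branch
            body["branch"] = branch
    if email:                         # omitted -> sent to the requesting user's email
        body["email"] = email
    if locale:
        body["locale"] = locale
    return body


def _request(method: str, path: str, token: str, body: Optional[dict] = None,
             query: Optional[Dict[str, str]] = None) -> bytes:
    """One authenticated JSON request; raises urllib.error.HTTPError on non-2xx."""
    url = BASE_URL + path + ("?" + urllib.parse.urlencode(query) if query else "")
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",     # assumption: JWT bearer auth
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def generate_sbom(token: str, body: Dict[str, Any]) -> dict:
    """POST the body to the generate endpoint and return the parsed JSON response."""
    return json.loads(_request("POST", GENERATE_PATH, token, body=body))


def extract_report_uuid(response: dict) -> str:
    """Pull reportUuid out of the generate response; fail loudly if it is missing."""
    uuid = response.get("reportUuid")
    if not uuid:
        raise KeyError("generate response did not contain reportUuid")
    return str(uuid)


def download_sbom(token: str, report_uuid: str, attempts: int = 12, wait_seconds: float = 5.0) -> dict:
    """Fetch the finished report, retrying because generation may still be in progress (assumption)."""
    last_error: Optional[Exception] = None
    for _ in range(attempts):
        try:
            raw = _request("GET", DOWNLOAD_PATH, token, query={"reportUuid": report_uuid})
            if raw:
                return json.loads(raw)
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):      # auth problems will not fix themselves; stop
                raise
            last_error = err
        time.sleep(wait_seconds)
    raise TimeoutError(f"report {report_uuid} not available after {attempts} attempts: {last_error}")


if __name__ == "__main__":
    # Usage: DEBRICKED_TOKEN=<jwt> python sbom_client.py ; writes sbom.json
    jwt = os.environ["DEBRICKED_TOKEN"]
    body = build_generate_body("CycloneDX", repository_ids=[int(os.environ.get("REPO_ID", "0"))],
                               branch="main", send_email=False)
    report_uuid = extract_report_uuid(generate_sbom(jwt, body))
    sbom = download_sbom(jwt, report_uuid)
    with open("sbom.json", "w", encoding="utf-8") as fh:
        json.dump(sbom, fh, indent=2)
    print("wrote sbom.json with", len(sbom.get("components", [])), "components")
```

Because `sendEmail` is left at its default in `build_generate_body`, callers who only want the direct download must pass `send_email=False`, as the `__main__` block does; the same body with `send_email=True` and no download step is the email flow from the previous section.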