© 2018-2024 | Open Text

SBOM export

Learn about SBOM export reports.

Last updated 3 days ago

What is SBOM?

A Software Bill of Materials (SBOM) is a record of the supply chain relationships between the components used when creating software. The record lists all components of a product, including all open source software, which can be helpful for both the developers and other stakeholders, such as investors and legal teams.

For more information on SBOM, see OpenText Core SCA blogs.

There are a few data points included in the SBOM which are not included in the regular license export:

  • Proof of license - A reference to the source from where the license information is fetched. This field is applicable only for CycloneDX SBOM.

  • License text - The actual text that the license consists of. This field is applicable only for CycloneDX SBOM.

  • Copyright statement - Displays the person or organization who holds the copyright.

  • Open Source Select link - A link to the dependency page in Open Source Select, where you can find additional information on the specific open-source package.

  • Dependency relations - Contains information on each component and its direct dependencies. See the Dependency relations sections on the CycloneDX SBOM export and SPDX SBOM export pages for more details.

  • Root Fixes - This data can be found under Recommendation. It consists of information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See the section Root Fixes for more details. This field is applicable only for CycloneDX SBOM.

Keep in mind that license information may differ depending on the package and the specific version used.
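The data points listed above are easiest to understand by reading them back out of an exported file. The following is an added example, not code from Debricked or OpenText: it loads a CycloneDX document, lists each library's licenses and copyright holder, resolves the direct dependency relations, and, for each vulnerability entry, works out which direct dependency of the application pulls the affected component in (the relationship a root fix acts on) together with the Recommendation text. Field names (components[].licenses, copyright, dependencies[].dependsOn, vulnerabilities[].recommendation) come from the CycloneDX JSON schema; the embedded document, the package names and the EXAMPLE-0001 identifier are constructed, and the exact fields Debricked uses for proof of license are not on this page and so are not modelled.

```python
"""Added example (not Debricked's/OpenText's code): read a CycloneDX SBOM, list each
component's licenses, copyright holder and direct dependencies, and, for every
vulnerability, work out which direct dependency pulls the affected component in.
Field names follow the CycloneDX JSON schema; the document below is constructed."""
import json
from collections import deque

# Constructed sample shaped like a CycloneDX 1.5 export (not a real Debricked SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/left@1.0.0", "name": "left", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}], "copyright": "Copyright (c) Example Author"},
        {"type": "library", "bom-ref": "pkg:npm/right@2.0.0", "name": "right", "version": "2.0.0",
         "licenses": [{"license": {"name": "Custom Proprietary License"}}]},
        {"type": "library", "bom-ref": "pkg:npm/deep@0.1.0", "name": "deep", "version": "0.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/left@1.0.0", "pkg:npm/right@2.0.0"]},
        {"ref": "pkg:npm/left@1.0.0", "dependsOn": ["pkg:npm/deep@0.1.0"]},
        {"ref": "pkg:npm/right@2.0.0", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",  # constructed identifier, not a real advisory
         "affects": [{"ref": "pkg:npm/deep@0.1.0"}],
         "recommendation": "Constructed: move deep to a fixed release, or bump left "
                           "to a version that no longer depends on the affected deep."},
    ],
})


def load_sbom(text):
    """Parse the JSON and make sure it is a CycloneDX document before going further."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def components_by_ref(sbom):
    """Map every bom-ref to its component; the root application sits under metadata."""
    refs = {}
    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        refs[root["bom-ref"]] = root
    for comp in sbom.get("components", []):
        refs[comp["bom-ref"]] = comp
    return refs


def direct_dependencies(sbom):
    """dependencies[] gives, per ref, the refs it depends on directly."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def license_ids(component):
    """Collect SPDX ids, free-text names or expressions from a component's licenses[]."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def component_table(sbom):
    """One row per library: (ref, licenses, copyright holder)."""
    return [(ref, license_ids(c), c.get("copyright", ""))
            for ref, c in components_by_ref(sbom).items() if c.get("type") != "application"]


def unlicensed_components(sbom):
    """Libraries with no license information at all; worth a manual review."""
    return sorted(ref for ref, lics, _ in component_table(sbom) if not lics)


def roots_reaching(sbom, target_ref):
    """Direct dependencies of the application that reach target_ref transitively."""
    deps = direct_dependencies(sbom)
    app_ref = sbom["metadata"]["component"]["bom-ref"]
    roots = set()
    for direct in deps.get(app_ref, []):
        seen, queue = set(), deque([direct])
        while queue:
            ref = queue.popleft()
            if ref == target_ref:
                roots.add(direct)
                break
            if ref in seen:
                continue
            seen.add(ref)
            queue.extend(deps.get(ref, []))
    return roots


def vulnerability_report(sbom):
    """Pair each vulnerability with the affected ref, its roots and the recommendation."""
    report = []
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            ref = affected["ref"]
            report.append({"id": vuln.get("id"), "affected": ref,
                           "roots": sorted(roots_reaching(sbom, ref)),
                           "recommendation": vuln.get("recommendation", "")})
    return report


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    for ref, lics, holder in component_table(doc):
        print(ref, lics, holder or "(no copyright statement)")
    print("unlicensed:", unlicensed_components(doc))
    for row in vulnerability_report(doc):
        print(row)
```

Running it with a real export instead of SAMPLE_SBOM only requires passing the file contents to load_sbom; the breadth-first walk in roots_reaching tolerates dependency cycles, which do occur in real package graphs.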

Export a CycloneDX or SPDX SBOM using web tool

Keep in mind that this feature is only available for enterprise users.

To generate a CycloneDX or SPDX SBOM export:

  1. Click Generate export on the top right corner of the page.

  2. Under Scope, select all repositories you wish to see the data for.

  3. Select CycloneDX or SPDX under SBOM as the Export type.

  4. Click Generate.

  5. Check your email for the exported data, which will be sent to you in the .json format. If you cannot find the email in your inbox, check the SPAM folder.

Export a CycloneDX or SPDX SBOM using web tool - video guide

Export a CycloneDX or SPDX SBOM to email using API

If you have already integrated your repository with OpenText Core SCA, you can generate a CycloneDX or SPDX SBOM by fetching your data through the API.

To use OpenText Core SCA REST API, you should authenticate first.

Endpoint: /api/1.0/open/sbom/generate

Following is an example of a request using curl to generate an SPDX SBOM (to generate a CycloneDX SBOM use "format": "CycloneDX"):

curl -X 'POST' \
  'https://debricked.com/api/1.0/open/sbom/generate' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "format": "SPDX-2.3",
  "email": "user1@debricked.com",
  "repositoryIds": [
    1
  ],
  "vulnerabilities": true,
  "rootFixes": true,
  "licenses": true,
  "sendEmail": true
}'

You can send the following parameters in the body of the request: commitId, email, repositoryIds, branch, locale. You can choose to add license and vulnerability data, using licenses: true/false and vulnerabilities: true/false.

If you provide a commitId, the branch and repositoryIds will be ignored. If you leave the branch field empty, the report is generated for the identified default branch (most likely 'main' or 'master', if applicable) of the selected repository. It is also possible to create an SBOM for all repositories by not specifying any repositoryIds.

Once you send the request, you will receive your SBOM via email, which will be sent to you in the .json format. If you can’t find the email in your inbox, make sure to check the SPAM folder. If you do not provide an email address, the SBOM will be sent to the email of the user who created the request.

Export a CycloneDX or SPDX SBOM to email using API - video guide

Export a CycloneDX or SPDX SBOM directly from API

It is also possible to generate a CycloneDX or SPDX SBOM and download it directly through the API. As part of the response of the /api/1.0/open/sbom/generate endpoint, a reportUuid is sent, which can be used in the /api/1.0/open/sbom/download endpoint.

Following is an example response from the /api/1.0/open/sbom/generate endpoint:

{
  "message": "The report has started generating and can be downloaded through the 'download' endpoint once ready, by using the reportUuId stated below. Be aware that it might take some time before it's finished",
  "reportUuid": "<report_uuid>",
  "notes": [
    "Example note"
  ]
}

Following is an example request for the /api/1.0/open/sbom/download endpoint:

curl -X 'GET' \
  'https://debricked.com/api/1.0/open/sbom/download?reportUuid=<report_uuid>' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <token>'

If you do not want the report to also be sent to your email, set "sendEmail" to false in the request body sent to the /api/1.0/open/sbom/generate endpoint.
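The two API flows above (generate, then either wait for the email or fetch the report with the reportUuid) as one added Python client; this is example code, not Debricked's or OpenText's. It uses only the endpoints, paths and body fields shown on this page. The DEBRICKED_TOKEN environment variable name, the polling behaviour (treating a non-200 or non-JSON reply from the download endpoint as "not ready yet") and the timeouts are assumptions, since the page does not state what the download endpoint returns while a report is still generating.

```python
"""Added example (not Debricked's/OpenText's code): request an SBOM through
/api/1.0/open/sbom/generate and fetch it through /api/1.0/open/sbom/download,
polling until the report is ready."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://debricked.com"          # host used in the page's curl examples
GENERATE = "/api/1.0/open/sbom/generate"
DOWNLOAD = "/api/1.0/open/sbom/download"


def build_generate_payload(repository_ids=None, fmt="SPDX-2.3", branch=None, commit_id=None,
                           email=None, locale=None, licenses=True, vulnerabilities=True,
                           root_fixes=True, send_email=False):
    """Assemble the request body from the fields the page documents.
    When commitId is set the service ignores branch and repositoryIds, so they are left
    out to keep the request unambiguous; omitting repositoryIds covers all repositories."""
    payload = {"format": fmt, "licenses": licenses, "vulnerabilities": vulnerabilities,
               "rootFixes": root_fixes, "sendEmail": send_email}
    if commit_id:
        payload["commitId"] = commit_id
    else:
        if repository_ids:
            payload["repositoryIds"] = [int(r) for r in repository_ids]
        if branch:
            payload["branch"] = branch
    if email:
        payload["email"] = email
    if locale:
        payload["locale"] = locale
    return payload


def parse_generate_response(body):
    """Pull the reportUuid (and any notes) out of the generate endpoint's JSON reply."""
    data = json.loads(body)
    uuid = data.get("reportUuid")
    if not uuid:
        raise ValueError("generate response carries no reportUuid: %r" % data.get("message"))
    return uuid, list(data.get("notes", []))


def _call(method, path, token, body=None, query=""):
    """Bearer-authenticated request; the token never appears in the URL or in logs."""
    headers = {"Authorization": "Bearer " + token, "accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE_URL + path + query, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.read().decode()


def generate_sbom(token, **payload_kwargs):
    """Start report generation and return the reportUuid for the download endpoint."""
    _status, body = _call("POST", GENERATE, token, body=build_generate_payload(**payload_kwargs))
    return parse_generate_response(body)[0]


def download_sbom(token, report_uuid, timeout=900, interval=15):
    """Poll the download endpoint until the report is ready.
    Assumption (not stated on the page): while the report is still generating the endpoint
    answers with a non-200 status or a non-JSON body. Auth failures are never retried."""
    deadline = time.monotonic() + timeout
    query = "?reportUuid=" + urllib.parse.quote(report_uuid)
    while True:
        try:
            status, body = _call("GET", DOWNLOAD, token, query=query)
            if status == 200:
                try:
                    return json.loads(body)
                except json.JSONDecodeError:
                    pass  # assumed: report not ready yet
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                raise
        if time.monotonic() > deadline:
            raise TimeoutError("SBOM %s not ready after %ss" % (report_uuid, timeout))
        time.sleep(interval)


if __name__ == "__main__":
    token = os.environ["DEBRICKED_TOKEN"]  # assumed variable name; never hard-code the token
    uuid = generate_sbom(token, repository_ids=[1], fmt="CycloneDX", branch="main")
    sbom = download_sbom(token, uuid)
    with open("sbom-%s.json" % uuid, "w") as fh:
        json.dump(sbom, fh, indent=2)
```

In a CI job, keep sendEmail at its default of false here so the report is only retrieved by the pipeline, and store the downloaded JSON as a build artifact alongside the commit it was generated for.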

For an example of an exported CycloneDX SBOM, see the CycloneDX SBOM file example page.