Generate SBOMs
You can generate a software bill of materials (SBOM) with Veracode Container Security. An SBOM is a detailed, machine-readable inventory of all components, libraries, and modules within your applications. These inventories provide visibility into supply chain risks.
Generate an SBOM using the CLI
Generate an SBOM in CycloneDX, SPDX, standard JSON, and other file formats.
Before you begin:
Ensure you have installed the Veracode CLI.
To complete this task:
- At the command prompt, run this command:
  ./veracode configure
- When prompted, enter the API ID and secret key you generated in the Veracode Platform.
- To generate the SBOM, run the sbom command with the appropriate flags. For example:
  To generate an SBOM for an image in SPDX format, run:
  ./veracode sbom --source alpine:latest --type image -f spdx-json
  To print the output to a file that you can share or save as an artifact in a pipeline, run:
  ./veracode sbom --source alpine:latest --type image -f spdx-json -o alpine-latest-sbom.json
- Review the generated SBOM.
Review an SBOM in the CLI
After you run the sbom command, Veracode Container Security prints the SBOM in your command window or, if you specify an output file, writes it to that file.
To configure the output format of the SBOM, such as CycloneDX, SPDX, or a table, include the --format flag.
To scan an SBOM, use Veracode SCA Agent-based Scan or SCA Upload and Scan.
Example SBOM output
The following example output is for an SBOM in SPDX tag-value format.
./veracode sbom --source alpine:latest --type image -f spdx-tag-value
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine-latest
DocumentNamespace: https://anchore.com/syft/image/alpine-latest-ef098fd6-aba5-4f46-9cee-558a006863a5
LicenseListVersion: 3.18
Creator: Organization: Anchore, Inc
Creator: Tool: syft-
Created: 2023-01-23T15:30:21Z
##### Package: alpine-baselayout
PackageName: alpine-baselayout
SPDXID: SPDXRef-Package-apk-alpine-baselayout-94d36b572eb8f477
PackageVersion: 3.4.0-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-baselayout@3.4.0-r0?arch=aarch64&upstream=alpine-baselayout&distro=alpine-3.17.0
##### Package: alpine-baselayout-data
PackageName: alpine-baselayout-data
SPDXID: SPDXRef-Package-apk-alpine-baselayout-data-1b70ec812056fde9
PackageVersion: 3.4.0-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-baselayout-data@3.4.0-r0?arch=aarch64&upstream=alpine-baselayout&distro=alpine-3.17.0
##### Package: alpine-keys
PackageName: alpine-keys
SPDXID: SPDXRef-Package-apk-alpine-keys-778781ef3ad77897
PackageVersion: 2.4-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-keys@2.4-r1?arch=aarch64&upstream=alpine-keys&distro=alpine-3.17.0
##### Package: apk-tools
PackageName: apk-tools
SPDXID: SPDXRef-Package-apk-apk-tools-799f921f399cb53
PackageVersion: 2.12.10-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/apk-tools@2.12.10-r1?arch=aarch64&upstream=apk-tools&distro=alpine-3.17.0
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-Package-apk-busybox-8aaa05def2ad8160
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/busybox@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0
##### Package: busybox-binsh
PackageName: busybox-binsh
SPDXID: SPDXRef-Package-apk-busybox-binsh-c0889e6fddb07d91
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/busybox-binsh@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0
##### Package: ca-certificates-bundle
PackageName: ca-certificates-bundle
SPDXID: SPDXRef-Package-apk-ca-certificates-bundle-1044ad92991da123
PackageVersion: 20220614-r2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0 AND MIT
PackageLicenseDeclared: MPL-2.0 AND MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/ca-certificates-bundle@20220614-r2?arch=aarch64&upstream=ca-certificates&distro=alpine-3.17.0
##### Package: libc-utils
PackageName: libc-utils
SPDXID: SPDXRef-Package-apk-libc-utils-9580703a7dc03ab6
PackageVersion: 0.7.2-r3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause
PackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libc-utils@0.7.2-r3?arch=aarch64&upstream=libc-dev&distro=alpine-3.17.0
##### Package: libcrypto3
PackageName: libcrypto3
SPDXID: SPDXRef-Package-apk-libcrypto3-3a34ccc100422e09
PackageVersion: 3.0.7-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libcrypto3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
##### Package: libssl3
PackageName: libssl3
SPDXID: SPDXRef-Package-apk-libssl3-340d5e1521cb7cae
PackageVersion: 3.0.7-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libssl3:libssl3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libssl3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
##### Package: musl
PackageName: musl
SPDXID: SPDXRef-Package-apk-musl-ada262e3849a9047
PackageVersion: 1.2.3-r4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/musl@1.2.3-r4?arch=aarch64&upstream=musl&distro=alpine-3.17.0
##### Package: musl-utils
PackageName: musl-utils
SPDXID: SPDXRef-Package-apk-musl-utils-7cf875936f1dba2d
PackageVersion: 1.2.3-r4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT AND BSD-2-Clause AND GPL-2.0-or-later
PackageLicenseDeclared: MIT AND BSD-2-Clause AND GPL-2.0-or-later
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/musl-utils@1.2.3-r4?arch=aarch64&upstream=musl&distro=alpine-3.17.0
##### Package: scanelf
PackageName: scanelf
SPDXID: SPDXRef-Package-apk-scanelf-48e301315cbf16cf
PackageVersion: 1.3.5-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/scanelf@1.3.5-r1?arch=aarch64&upstream=pax-utils&distro=alpine-3.17.0
##### Package: ssl_client
PackageName: ssl_client
SPDXID: SPDXRef-Package-apk-ssl-client-297a516ba5d8e32d
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/ssl_client@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0
##### Package: zlib
PackageName: zlib
SPDXID: SPDXRef-Package-apk-zlib-1625b2938bc472bc
PackageVersion: 1.2.13-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/zlib@1.2.13-r0?arch=aarch64&upstream=zlib&distro=alpine-3.17.0
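As an added example, not part of the Veracode documentation or CLI, the following Python script parses SPDX tag-value output like the listing above into a package inventory and indexes the packages by the upstream project named in each purl, which is how you trace an advisory for, say, openssl to both libcrypto3 and libssl3 in the image. The sample input is a constructed excerpt in the same shape as the listing, and the function names parse_spdx_tag_value and by_upstream are chosen here.

```python
"""Parse SPDX 2.2 tag-value output (as printed by `veracode sbom -f spdx-tag-value`)."""
from urllib.parse import parse_qsl

# Constructed excerpt in the shape of the alpine:latest listing; not a real scan result.
SAMPLE = """\
SPDXVersion: SPDX-2.2
DocumentName: alpine-latest
##### Package: libcrypto3
PackageName: libcrypto3
PackageVersion: 3.0.7-r0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libcrypto3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
##### Package: libssl3
PackageName: libssl3
PackageVersion: 3.0.7-r0
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libssl3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
##### Package: busybox-binsh
PackageName: busybox-binsh
PackageVersion: 1.35.0-r29
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/busybox-binsh@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0
"""

def parse_spdx_tag_value(text):
    """Return (document_fields, packages); each 'PackageName:' tag opens a new package."""
    doc, packages, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and '##### Package:' comments
            continue
        tag, _, value = (s.strip() for s in line.partition(":"))
        if tag == "PackageName":
            current = {"name": value, "refs": {}}
            packages.append(current)
        elif tag == "ExternalRef" and current is not None:
            _category, ref_type, locator = value.split(" ", 2)   # e.g. SECURITY cpe23Type <cpe>
            current["refs"].setdefault(ref_type, []).append(locator)  # 'purl' and 'cpe23Type'
        else:
            (doc if current is None else current)[tag] = value  # tags before any package are document-level
    return doc, packages

def by_upstream(packages):
    """Map each upstream source project (purl 'upstream' qualifier) to the binary packages
    built from it, so a fix for one upstream can be checked against every affected package."""
    index = {}
    for pkg in packages:
        purl = pkg["refs"].get("purl", [""])[0]
        upstream = dict(parse_qsl(purl.partition("?")[2])).get("upstream", pkg["name"])
        index.setdefault(upstream, []).append(pkg["name"])
    return index
```

Feed a real file from the -o flag to parse_spdx_tag_value instead of SAMPLE to run it against your own image.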