Generate a Software Bill of Materials (SBOM) for Application Profiles with the REST API

Veracode APIs

Publication
Veracode APIs
Edition date
2023-01-30
Last publication
2023-01-30T21:51:52.865133

You can use the SCA Agent REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON format.

Before you begin:

You must have:

  • A Veracode account with an SCA-Scan subscription and the Security Lead role
  • API credentials
  • HMAC authentication enabled
  • Completed at least one Veracode SCA scan in the last 13 months. The scan must be one of these scan types:

    • Policy scan
    • Sandbox scan that you have promoted to a policy scan
    • Agent-based scan that you have linked to the application for which you are creating the SBOM.

To complete this task:

  1. Use this command to return the application GUID from the Applications API:

    http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
    
  2. Use this command to return the SBOM containing your SCA upload scan Results:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"
    

    Set the type property to application to retrieve data from Veracode SCA policy scans or agent-based scans linked to your application profile. To generate an SBOM for agent-based scans, follow these instructions.

Additional documentation is available on SwaggerHub.