Generate a Software Bill of Materials (SBOM) for Upload Scans with the REST API

This use case scenario provides the SCA Agent REST API commands to generate a software bill of materials (SBOM) from your Veracode Software Composition Analysis upload scan results. The response includes an inventory of all components in your application in CycloneDX JSON format.

You must have:
  • A Veracode account with an SCA-Scan subscription and the Security Lead role
  • API credentials
  • HMAC authentication enabled
  • Completed Veracode SCA upload scans of the application for which you are creating the SBOM. The scans must include either a policy scan or a sandbox scan that you have promoted to a policy scan.

To generate the SBOM:
  1. Use this command to return the application GUID from the Applications API:
    http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
  2. Use this command to return the SBOM containing your SCA upload scan results:
    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"
    Setting the type parameter to application specifies that the API retrieves data from Veracode SCA upload scans. To generate an SBOM for agent-based scans, use the Veracode SBOM generation tool.
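The two steps above scripted end to end, as an added example that is not Veracode's own code: it resolves the application GUID from the Applications API response, builds the SBOM request, and summarises the CycloneDX components that come back. The response layout assumed for the Applications API (_embedded.applications[].guid and profile.name), the sample SBOM, and the use of the requests library with the veracode-api-signing package's RequestsAuthPluginVeracodeHMAC are assumptions; the helpers that parse responses run offline.

```python
import json
import sys
from urllib.parse import quote

API = "https://api.veracode.com"

# Constructed sample of a CycloneDX JSON SBOM, used when no application name is given.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "mystery-lib"}]}


def applications_url(name):
    return f"{API}/appsec/v1/applications?name={quote(name)}"


def sbom_url(guid):
    # type=application selects SCA upload-scan data (step 2 above).
    return f"{API}/srcclr/sbom/v1/targets/{guid}/cyclonedx?type=application"


def find_application_guid(apps_response, name):
    """Pick the GUID whose profile name matches exactly; the name filter may return
    more than one profile. The response layout is an assumption."""
    apps = apps_response.get("_embedded", {}).get("applications", [])
    matches = [a["guid"] for a in apps if a.get("profile", {}).get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected one application named {name!r}, got {len(matches)}")
    return matches[0]


def summarize_sbom(bom):
    """Count components and list those without a version; unpinned entries
    deserve a look before the inventory is trusted for vulnerability matching."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = bom.get("components", [])
    unversioned = [c.get("purl") or c.get("name") for c in comps if not c.get("version")]
    return {"spec": bom.get("specVersion"), "components": len(comps), "unversioned": unversioned}


def fetch_json(url):
    # HMAC-signed GET; imports are local so the offline helpers need no extra packages.
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    r = requests.get(url, auth=RequestsAuthPluginVeracodeHMAC(), timeout=60)
    r.raise_for_status()
    return r.json()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: python sbom.py "<application name>"
        guid = find_application_guid(fetch_json(applications_url(sys.argv[1])), sys.argv[1])
        print(json.dumps(summarize_sbom(fetch_json(sbom_url(guid))), indent=2))
    else:
        print(json.dumps(summarize_sbom(SAMPLE_BOM), indent=2))
```

A live run needs VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET in the environment (or a credentials file), which is what the HMAC plugin reads.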