You can use the SCA Agent REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON format.
Before you begin, you must have:
- A Veracode account with an SCA-Scan subscription and the Security Lead role
- API credentials
- HMAC authentication enabled
- Completed at least one Veracode SCA scan in the last 13 months. The scan must be one of these scan types:
  - Policy scan
  - Sandbox scan that you have promoted to a policy scan
  - Agent-based scan that you have linked to the application for which you are creating the SBOM
To complete this task:
- Use this command to return the application GUID from the Applications API:
  http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
- Use this command to return the SBOM containing your SCA upload scan results:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"
  Set the `type` query parameter to `application` to retrieve data from Veracode SCA policy scans or agent-based scans linked to your application profile. To generate an SBOM for agent-based scans, follow these instructions.
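The two calls above chained in Python, followed by a check of the returned CycloneDX inventory, as an added example that is not Veracode's own code. It assumes the `requests` and `veracode-api-signing` packages are installed with the API key id and secret in the environment, that the Applications API response uses the HAL layout `_embedded.applications[].profile.name`, and it uses a constructed sample BOM for the offline part.

```python
from urllib.parse import quote

API_BASE = "https://api.veracode.com"

def applications_url(app_name):
    # Step 1: Applications API lookup by profile name
    return f"{API_BASE}/appsec/v1/applications?name={quote(app_name)}"

def sbom_url(app_guid, scan_type="application"):
    # Step 2: type=application covers policy scans and linked agent-based scans
    return f"{API_BASE}/srcclr/sbom/v1/targets/{app_guid}/cyclonedx?type={scan_type}"

def extract_app_guid(apps_json, app_name):
    # Assumed HAL layout; the name filter may return several profiles, so match exactly, not [0]
    for app in apps_json.get("_embedded", {}).get("applications", []):
        if app.get("profile", {}).get("name") == app_name:
            return app["guid"]
    raise LookupError(f"no application profile named {app_name!r}")

def summarize_sbom(bom):
    # CycloneDX 1.4+ lists findings under 'vulnerabilities'; affects[].ref names a component bom-ref
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    by_ref = {c["bom-ref"]: c for c in components if "bom-ref" in c}
    affected = {}
    for vuln in bom.get("vulnerabilities", []):
        for hit in vuln.get("affects", []):
            comp = by_ref.get(hit.get("ref"))
            if comp is not None:
                affected.setdefault(comp["name"], []).append(vuln.get("id"))
    return {"component_count": len(components), "affected": affected}

def fetch_sbom(app_name, scan_type="application"):
    # Live path: the signing plugin reads VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET for HMAC
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    auth = RequestsAuthPluginVeracodeHMAC()
    apps = requests.get(applications_url(app_name), auth=auth, timeout=30)
    apps.raise_for_status()
    guid = extract_app_guid(apps.json(), app_name)
    bom = requests.get(sbom_url(guid, scan_type), auth=auth, timeout=60)
    bom.raise_for_status()
    return bom.json()

# Constructed sample BOM (not real scan output) so the parsing can run offline
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "sample-lib", "version": "1.0.0", "bom-ref": "c1"},
    {"type": "library", "name": "other-lib", "version": "2.3.4", "bom-ref": "c2"}],
    "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "c1"}]}]}
```

Run `fetch_sbom("My App")` and pass the result to `summarize_sbom` to get the component count and the components that carry findings.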
Additional documentation is available on SwaggerHub.