Create an SBOM with the REST API
You can use the SCA REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON or SPDX format.
Permissions and authentication
Before you can use all the endpoints of the SBOM APIs, you must have one of these accounts and the required roles:
- An API service account with the Results API role
- A user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role
This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:
- Ensure you access the APIs with the domain for your region
Supported formats
The Veracode REST APIs can generate SBOMs in the following formats:
- CycloneDX v1.4 (JSON)
- SPDX v2.3 (JSON)
The examples on this page specify the CycloneDX format. To use the SPDX format, replace cyclonedx in the commands with spdx.
Create an SBOM for application profiles
- Complete at least one of these Veracode SCA scan types in the last 13 months:
  - Policy scan
  - Sandbox scan that you have promoted to a policy scan
  - Agent-based scan that you have linked to the application for which you are creating the SBOM.
- Return the application GUID from the Applications API by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
- Return the SBOM that contains your SCA upload scan results by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"
  When the type parameter is set to application, which is the default value, the API retrieves data from your latest Veracode SCA policy scans.
- Optionally, return an SBOM that contains SCA agent-based scan results that are linked to your application by setting the linked parameter to true:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application&linked=true"
- Optionally, return an SBOM that excludes vulnerabilities by setting the vulnerability parameter to false:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application&vulnerability=false"
  The default value for the vulnerability parameter is true, so SBOMs include vulnerability information if this parameter is not set.
Create an SBOM for agent-based projects
- Complete at least one Veracode SCA agent-based scan in the last 13 months.
- Return the list of GUIDs for your workspaces by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces"
- Return the list of project GUIDs for the workspace by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces/{workspaceGuid}/projects"
  When the type parameter is set to application, which is the default value, the API retrieves data from your latest Veracode SCA policy scans.
- Return the SBOM that contains your SCA agent-based scan results for your project by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{projectGuid}/cyclonedx?type=agent"
  The default value for the type parameter is application, but when it is set to agent, the API retrieves data from the latest SCA agent-based scan for your project.
- Optionally, return an SBOM that excludes vulnerabilities by setting the vulnerability parameter to false:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=agent&vulnerability=false"
  The default value for the vulnerability parameter is true, so SBOMs include vulnerability information if this parameter is not set.
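The two procedures above differ only in the target GUID and the type, linked and vulnerability query parameters. The following added example (not Veracode's code) builds those SBOM URLs for both the application-profile and agent-based cases and then walks a CycloneDX 1.4 JSON document to map each component to the vulnerabilities that affect it; the sample document and the CVE id in it are constructed placeholders, and the HMAC-signed request itself is left to whichever client you already use.

```python
import json
from urllib.parse import urlencode

# Endpoint from the page; sending the HMAC-signed request is not shown here.
BASE = "https://api.veracode.com/srcclr/sbom/v1/targets"


def sbom_url(target_guid, fmt="cyclonedx", scan_type="application",
             linked=None, vulnerability=None):
    """Build the SBOM URL for an application profile (type=application) or an
    agent-based project (type=agent). linked/vulnerability are only emitted
    when set, so the API defaults apply (vulnerability defaults to true)."""
    if fmt not in ("cyclonedx", "spdx"):
        raise ValueError("fmt must be 'cyclonedx' or 'spdx'")
    if scan_type not in ("application", "agent"):
        raise ValueError("scan_type must be 'application' or 'agent'")
    params = {"type": scan_type}
    if linked is not None:
        params["linked"] = "true" if linked else "false"
    if vulnerability is not None:
        params["vulnerability"] = "true" if vulnerability else "false"
    return f"{BASE}/{target_guid}/{fmt}?{urlencode(params)}"


def summarize_cyclonedx(doc):
    """Map 'name@version' of every component to the vulnerability ids that
    affect it, following the bom-ref links of a CycloneDX 1.4 JSON document."""
    refs = {c.get("bom-ref", c["name"]): f"{c['name']}@{c.get('version', '?')}"
            for c in doc.get("components", [])}
    summary = {label: [] for label in refs.values()}
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            label = refs.get(affected.get("ref"))
            if label is not None:  # ignore refs that point outside this BOM
                summary[label].append(vuln["id"])
    return summary


# Constructed sample shaped like a CycloneDX 1.4 SBOM (not real Veracode output).
SAMPLE = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "c1", "name": "example-lib", "version": "1.0.0"},
    {"type": "library", "bom-ref": "c2", "name": "other-lib", "version": "2.3.1"}
  ],
  "vulnerabilities": [{"id": "CVE-PLACEHOLDER-1", "affects": [{"ref": "c1"}]}]
}""")

if __name__ == "__main__":
    print(sbom_url("APPLICATION-GUID-PLACEHOLDER", linked=True))
    print(summarize_cyclonedx(SAMPLE))
```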
SBOM API specification
Specifications for the CycloneDX SBOM API and the SPDX SBOM API are available on SwaggerHub.