Create an SBOM with the REST API
You can use the SCA REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON or SPDX format.
Permissions
Before you can use all the endpoints of this API, you must have one of the following accounts with the required roles:
- An API user account with the Results API role.
- A UI user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role.
Authentication
This API requires secure authentication to Veracode.
Supported formats
The Veracode REST APIs can generate SBOMs in the following formats:
- CycloneDX v1.4 (JSON)
- SPDX v2.3 (JSON)
The examples on this page specify the CycloneDX format. To use the SPDX format, replace cyclonedx in the commands with spdx.
Create an SBOM for application profiles
- Complete at least one of these Veracode SCA scan types in the last 13 months:
  - Policy scan
  - Sandbox scan that you have promoted to a policy scan
  - Agent-based scan that you have linked to the application for which you are creating the SBOM.
- Return the application GUID from the Applications API by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
- Return the SBOM that contains your SCA upload scan results by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"
  When the type parameter is set to application, which is the default value, the API retrieves data from your latest Veracode SCA policy scans.
- Optionally, return an SBOM that contains SCA agent-based scan results that are linked to your application by setting the linked parameter to true:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application&linked=true"
- Optionally, return an SBOM that excludes vulnerabilities by setting the vulnerability parameter to false:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application&vulnerability=false"
  The default value for the vulnerability parameter is true, so SBOMs include vulnerability information if this parameter is not set.
Create an SBOM for agent-based projects
- Complete at least one Veracode SCA agent-based scan in the last 13 months.
- Return the list of GUIDs for your workspaces by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces"
- Return the list of project GUIDs for the workspace by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces/{workspaceGuid}/projects"
  When the type parameter is set to application, which is the default value, the API retrieves data from your latest Veracode SCA policy scans.
- Return the SBOM that contains your SCA agent-based scan results for your project by running:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{projectGuid}/cyclonedx?type=agent"
  The default value for the type parameter is application, but when it is set to agent, the API retrieves data from the latest SCA agent-based scan for your project.
- Optionally, return an SBOM that excludes vulnerabilities by setting the vulnerability parameter to false:
  http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{projectGuid}/cyclonedx?type=agent&vulnerability=false"
  The default value for the vulnerability parameter is true, so SBOMs include vulnerability information if this parameter is not set.
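As an added example (not part of Veracode's documentation or client code), the following Python builds the SBOM request URLs for both procedures above from the type, linked and vulnerability parameters, and then summarises a CycloneDX 1.4 response per component, most severe first. The sample SBOM, component names and vulnerability ids are constructed; HMAC signing and the HTTP call are assumed to have been done with the http commands above, so the code only consumes JSON you have already retrieved.

```python
import json
from urllib.parse import urlencode

SBOM_BASE = "https://api.veracode.com/srcclr/sbom/v1/targets"
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}

def sbom_url(target_guid, fmt="cyclonedx", scan_type="application",
             linked=False, vulnerability=True):
    """Build the SBOM request URL; omitted parameters keep the API defaults."""
    params = {"type": scan_type}
    if linked:
        params["linked"] = "true"
    if not vulnerability:
        params["vulnerability"] = "false"
    return f"{SBOM_BASE}/{target_guid}/{fmt}?{urlencode(params)}"

def vulnerable_components(sbom):
    """Return [(name, version, worst severity, [vuln ids])], most severe first.
    Uses CycloneDX 1.4 affects[].ref -> component bom-ref. 'vulnerabilities'
    is absent when vulnerability=false was requested, so the result is empty."""
    by_ref = {c.get("bom-ref") or c.get("purl"):
              {"name": c["name"], "version": c.get("version", ""), "worst": 0, "ids": []}
              for c in sbom.get("components", [])}
    for v in sbom.get("vulnerabilities", []):
        # several sources may rate one issue; keep the most severe rating
        rank = max((SEVERITY_RANK.get(r.get("severity", "").lower(), 0)
                    for r in v.get("ratings", [])), default=0)
        for a in v.get("affects", []):
            comp = by_ref.get(a.get("ref"))
            if comp is not None:          # ref not in inventory: skip, do not crash
                comp["ids"].append(v["id"])
                comp["worst"] = max(comp["worst"], rank)
    label = {rank: name for name, rank in SEVERITY_RANK.items()}
    hits = [(c["name"], c["version"], label.get(c["worst"], "unknown"), c["ids"])
            for c in by_ref.values() if c["ids"]]
    return sorted(hits, key=lambda h: SEVERITY_RANK.get(h[2], 0), reverse=True)

# Constructed CycloneDX 1.4 sample standing in for a real API response.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "parser", "version": "1.2.0",
     "bom-ref": "pkg:maven/org.example/parser@1.2.0"},
    {"type": "library", "name": "utils", "version": "4.0.1",
     "bom-ref": "pkg:npm/example-utils@4.0.1"}],
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "pkg:maven/org.example/parser@1.2.0"}],
     "ratings": [{"severity": "medium", "method": "CVSSv3", "score": 5.3},
                 {"severity": "high", "method": "other"}]}]
}""")
```

Pass the JSON saved from the http command to vulnerable_components to get a triage list; swap fmt="spdx" in sbom_url for the SPDX endpoint.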
SBOM API specification
Specifications for the CycloneDX SBOM API and the SPDX SBOM API are available on SwaggerHub.