Software Bill of Materials (SBOM)

To download the Software Bill of Materials (SBOM) visit the Dependencies page and open the SBOM drop-down (right next to the Search by name field). The generated SBOM document consists of currently available information that you can also find on the Dependencies page that you view.

You have several download options here (no batch download at this time):

• CycloneDX

  • JSON (machine-readable)
  • XML (machine-readable)
  • CSV (for muggles)

• SPDX

  • JSON (machine-readable)
  • XML (machine-readable)

The downloaded SBOM document will contain information, including but not limited to the name, version number, and CPE identifier for all software components, as you would expect. The document may also contain information regarding known vulnerabilities (except elements with Rejected status) of software components, including but not limited to the CVE identifier, CWE classification, and CVSS rating.

Note

Some file formats or representations will allow for more vulnerability information in the SBOM than others, we will add vulnerability metadata wherever possible. However, if you require vulnerability-related information in the SBOM, we currently recommend using the CycloneDX format.