Import SBOMs
Enterprise Feature
This feature is only available in a FOSSA Enterprise subscription. Contact [email protected] for more details.
New SBOM Import
Once logged in, you are ready to import your SBOM project(s).
From the Add Projects page, you have the option to Import SBOM(CycloneDX, SPDX)
TIP
Imports must be compliant to:
- CycloneDX specification v1.2 , v1.3 , v1.4, v1.5 , v1.6
- SPDX 2.2+ , 2.3
- For SPDX there are two requirements:
- a
DESCRIBES
relationshipType in the relationships section for the top-level project- the
DEPENDS_ON
orDEPENDENCY_OF
relationshipTypes in the relationships sectionin JSON or XML formats
Next, select Add Files
and select your desired SBOM file (.json or .xml) to import
Tip
Bulk import is supported, select as many files as desired
Add a unique name and applicable semantic version number
Note
Providing an existing SBOM project name will add the SBOM as the latest revision to the existing SBOM project.
Once uploading and analyzing the file is complete you will see your SBOM appear in your Projects list
Tip
Notice all SBOM projects will have the SBOM icon denoted next to them
Importing SBOMs via API
There are two ways to upload an SBOM project to FOSSA.
First, you can use the normal web UI flow.
The UI will ask you to upload a file and fill in its project name and revision.
Alternatively, if you need to automate that process, you can use our API.
In Short
To use the FOSSA API, as opposed to the UI, to upload SBOMs, a user needs to do the following:
- Get a signed URL from the
/api/components/signed_url
endpoint. PUT
an SBOM file to that URL within 90 minutes of receiving it, before it expires.POST
back to/api/components/build
to kick off the SBOM build in FOSSA.
Getting the Signed URL
The GET /api/components/signed_url
endpoint lets API users retrieve a cloud storage location to which they can push data via the FOSSA API.
That looks something like:
% curl 'app.fossa.com/api/components/signed_url?packageSpec=<an SBOM package/file name>&revision=<a SHA hash, a version number, the state of the project>&fileType=sbom' --header "Authorization: Bearer $FOSSA_TOKEN"
{"signedUrl":"<a signed cloud storage URL valid for 90 minutes>"}
Using the Signed URL
Once you have a signed URL, you'll need to PUT
your SBOM to cloud storage.
That looks something like:
curl '<an exceedingly long signed URL>' \
-X PUT \
-H 'Accept: */*' \
-H 'Accept-Encoding: gzip, deflate, br, zstd' \
-H 'Content-Type: binary/octet-stream' \
--data-binary '<some file in .json or .xml format>'
Triggering the Build
Having done so, you'll need to use it to trigger a build, like so:
% curl 'https://app.fossa.com/api/components/build?fileType=sbom' \
-X POST \
-H 'content-type: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{"selectedTeams":[],"archives":[{"packageSpec":"<the SBOM package/file spec from your earlier GET request to /api/components/signed_url>","revision":"<the revision you used in that GET>","fileType":"sbom"}]}'
Assuming everything goes well, you'll get a 201 Created
back.
You can view the full list of supported options for /components/build
on our docs page:
Updated 24 days ago