Documentation
OPEN FOSSA APP

Import SBOMs

Suggest Edits

👍

Enterprise Feature

This feature is only available in a FOSSA Enterprise subscription. Contact [email protected] for more details.

New SBOM Import

Once logged in, you are ready to import your SBOM project(s).
From the Add Projects page, you have the option to Import SBOM(CycloneDX, SPDX)

📘

TIP

Imports must be compliant to:

  • CycloneDX specification v1.2 , v1.3 , v1.4, v1.5
  • SPDX 2.2+ , 2.3
    • For SPDX there are two requirements:
      • a DESCRIBES relationshipType in the relationships section for the top-level project
      • the DEPENDS_ON or DEPENDENCY_OF relationshipTypes in the relationships section

in JSON or XML formats

Next, select Add Files and select your desired SBOM file (.json or .xml) to import

📘

Tip

Bulk import is supported, select as many files as desired

Add a unique name and applicable semantic version number

🚧

Note

Providing an existing SBOM project name will add the SBOM as the latest revision to the existing SBOM project.

Once uploading and analyzing the file is complete you will see your SBOM appear in your Projects list

1630

Project List

📘

Tip

Notice all SBOM projects will have the SBOM icon denoted next to them

Importing SBOMs via API

There are two ways to upload an SBOM project to FOSSA.
First, you can use the normal web UI flow.
The UI will ask you to upload a file and fill in its project name and revision.

Alternatively, if you need to automate that process, you can use our API.

In Short

To use the FOSSA API, as opposed to the UI, to upload SBOMs, a user needs to do the following:

  1. Get a signed URL from the /api/components/signed_url endpoint.
  2. PUT an SBOM file to that URL within 5 minutes of receiving it, before it expires.
  3. POST back to /api/components/build to kick off the SBOM build in FOSSA.

Getting the Signed URL

The GET /api/components/signed_url endpoint lets API users retrieve a cloud storage location to which they can push data via the FOSSA API.
That looks something like:

% curl 'app.fossa.com/api/components/signed_url?packageSpec=<an SBOM package/file name>&revision=<a SHA hash, a version number, the state of the project>&fileType=sbom' --header "Authorization: Bearer $FOSSA_TOKEN"


{"signedUrl":"<a signed cloud storage URL valid for 5 minutes>"}

Using the Signed URL

Once you have a signed URL, you'll need to PUT your SBOM to cloud storage.

That looks something like:

curl '<an exceedingly long signed URL>' \
-X PUT \
-H 'Accept: */*' \
-H 'Accept-Encoding: gzip, deflate, br, zstd' \
-H 'Content-Type: binary/octet-stream' \
-H 'Content-Length: <file size>'
-T '<some file>'

Triggering the Build

Having done so, you'll need to use it to trigger a build, like so:

% curl 'http://app.fossa.com/api/components/build?fileType=sbom'
-X POST \
-H 'content-type: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{"selectedTeams":[],"archives":[{"packageSpec":"<the SBOM package/file spec from your earlier GET request to /api/components/signed_url>","revision":"<the revision you used in that GET>","fileType":"sbom"}]}'

Assuming everything goes well, you'll get a 201 Created back.

Updated 2 months ago