SBOM Import

Import a CycloneDX or SPDX SBOM to run license and security compliance checks against its listed components.

3 min readUpdated Jul 9, 2026

Overview

Import an existing SBOM (CycloneDX or SPDX) so FOSSA can run license and security compliance checks against the components it lists, useful for analyzing software you don't build yourself.

Import from the UI

  1. 1

    Choose Import SBOM

    From the Add Projects page, select Import SBOM (CycloneDX, SPDX).

    The Import SBOM option on the Add Projects page

    Note

    Imports must comply with:

    • CycloneDX 1.2, 1.3, 1.4, 1.5, 1.6, in JSON or XML.
    • SPDX 2.2+, 2.3; requires a DESCRIBES relationship for the top-level project and DEPENDS_ON / DEPENDENCY_OF relationships, in JSON only. SPDX XML is not supported.
  2. 2

    Add your files

    Select Add Files and choose the SBOM file (.json or .xml). Bulk import is supported. Select as many files as you need.

    SBOM Upload wizard showing the file drop zone
  3. 3

    Name the project and set a version

    Add a unique name and a semantic version number.

    SBOM Upload wizard with a file loaded, showing the Project Name and Revision fields
  4. 4

    Review in your project list

    When upload and analysis finish, the SBOM appears in Projects, marked with the SBOM icon.

    SBOM projects in the Projects list with the SBOM import filter applied

Warning

Importing under an existing SBOM project name adds the upload as the latest revision of that project rather than creating a new one.

Import via the API

To automate imports, use the API instead of the UI. There are two steps: get a signed upload URL, then trigger a build.

  1. 1

    Get a signed URL

    GET /api/components/signed_url returns a pre-signed cloud-storage URL. It is valid for 5 minutes.

    curl -X GET "https://app.fossa.com/api/components/signed_url" \  --data-urlencode "packageSpec=<SBOM_package_or_file_name>" \  --data-urlencode "revision=<SHA_hash_or_version>" \  --data-urlencode "fileType=sbom" \  -H "Authorization: Bearer $FOSSA_TOKEN"
  2. 2

    Upload, then trigger a build

    POST your SBOM to the signed URL within 5 minutes, then call POST /api/components/build?fileType=sbom to start analysis. A successful build returns 201 Created.

    curl -X POST "https://app.fossa.com/api/components/build?fileType=sbom" \  -H "Content-Type: application/json" \  -H "Authorization: Bearer <token>" \  -d '{"selectedTeams":[],"archives":[{"packageSpec":"Distro cyclonedx","revision":"123456789","fileType":"sbom"}]}'
© 2026 FOSSA, Inc.support@fossa.com