Import SBOMs

👍

Enterprise Feature

This feature is only available in a FOSSA Enterprise subscription. Contact [email protected] for more details.

New SBOM Import

Once logged in, you are ready to import your SBOM project(s).
From the Add Projects page, choose Import SBOM (CycloneDX, SPDX).

📘

TIP

Imports must comply with one of the following specifications:

  • CycloneDX specification v1.2, v1.3, v1.4, v1.5 or v1.6
  • SPDX 2.2 or 2.3
    • For SPDX there are two requirements:
      • a DESCRIBES relationshipType in the relationships section, identifying the top-level project
      • at least one DEPENDS_ON or DEPENDENCY_OF relationshipType in the relationships section (without these FOSSA has no dependency graph to analyze)

in JSON or XML format.
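The two SPDX requirements above are the most common reason an import is rejected, because minimal SBOM generators often emit packages without any relationships. The following pre-flight check is an added example, not part of the FOSSA documentation or tooling: it reads a CycloneDX or SPDX document (JSON only; XML would need an equivalent walk over the XML tree), checks the version against the supported list, and for SPDX verifies that SPDXRef-DOCUMENT DESCRIBES a package that exists and that at least one dependency relationship is present. The sample documents at the bottom are constructed for illustration, not real SBOMs.

```python
"""Pre-flight check of a CycloneDX or SPDX JSON document against the FOSSA import rules.

Added example, not FOSSA code. JSON only; XML SBOMs would need an equivalent check.
"""
import json
from typing import Any, Dict, List

CYCLONEDX_VERSIONS = {"1.2", "1.3", "1.4", "1.5", "1.6"}
SPDX_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}
DEPENDENCY_RELATIONSHIPS = {"DEPENDS_ON", "DEPENDENCY_OF"}


def check_sbom(doc: Dict[str, Any]) -> List[str]:
    """Return the import problems found; an empty list means the document should import."""
    problems: List[str] = []

    if doc.get("bomFormat") == "CycloneDX":
        version = str(doc.get("specVersion", ""))
        if version not in CYCLONEDX_VERSIONS:
            problems.append(f"CycloneDX specVersion {version!r} is not one of {sorted(CYCLONEDX_VERSIONS)}")
        return problems

    if "spdxVersion" in doc:
        version = doc["spdxVersion"]
        if version not in SPDX_VERSIONS:
            problems.append(f"spdxVersion {version!r} is not one of {sorted(SPDX_VERSIONS)}")
        relationships = doc.get("relationships") or []
        types = {rel.get("relationshipType") for rel in relationships}
        package_ids = {pkg.get("SPDXID") for pkg in doc.get("packages") or []}

        # Rule 1: the top-level project must be named by a DESCRIBES relationship from the
        # document itself (the older documentDescribes shortcut field does not count here).
        described = [rel.get("relatedSpdxElement") for rel in relationships
                     if rel.get("relationshipType") == "DESCRIBES"
                     and rel.get("spdxElementId") == "SPDXRef-DOCUMENT"]
        if not described:
            problems.append("no DESCRIBES relationship from SPDXRef-DOCUMENT to the top-level package")
        elif not set(described) & package_ids:
            problems.append(f"DESCRIBES points at {described} but no package has that SPDXID")

        # Rule 2: dependency edges must exist, otherwise there is no graph to analyze.
        if not types & DEPENDENCY_RELATIONSHIPS:
            problems.append("no DEPENDS_ON or DEPENDENCY_OF relationships found")
        return problems

    return ["document is neither CycloneDX (bomFormat) nor SPDX (spdxVersion) JSON"]


def check_sbom_file(path: str) -> List[str]:
    """Load a JSON SBOM from disk and run check_sbom on it."""
    with open(path, "rb") as fh:
        try:
            doc = json.load(fh)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc}"]
    return check_sbom(doc)


# Constructed sample documents (not real SBOMs).
SPDX_OK = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "demo-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-demo-app", "name": "demo-app", "versionInfo": "1.2.3"},
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.21"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-demo-app"},
        {"spdxElementId": "SPDXRef-Package-demo-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lodash"},
    ],
}
# The same document with the relationships section dropped, as minimal generators often emit.
SPDX_NO_RELATIONSHIPS = {k: v for k, v in SPDX_OK.items() if k != "relationships"}
CYCLONEDX_OK = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        issues = check_sbom_file(path)
        print(f"{path}: {'OK' if not issues else '; '.join(issues)}")
```

Run it as `python check_sbom.py bom.json` before uploading; a document that fails here will also fail in the UI or API import, so the check saves a round trip. It deliberately rejects SPDX files that rely only on the top-level documentDescribes field, because the import rule asks for the relationship form.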

Next, select Add Files and choose the SBOM file(s) (.json or .xml) to import.

📘

Tip

Bulk import is supported; select as many files as you need.

Add a unique project name and the applicable semantic version number.

🚧

Note

Providing an existing SBOM project name will add the SBOM as the latest revision to the existing SBOM project.

Once the upload and analysis are complete, the SBOM appears in your Projects list.

[Screenshot: Project List]

📘

Tip

All SBOM projects are marked with the SBOM icon next to their name.

Importing SBOMs via API

There are two ways to upload an SBOM project to FOSSA.
First, you can use the normal web UI flow.
The UI will ask you to upload a file and fill in its project name and revision.

Alternatively, if you need to automate that process, you can use our API.

In Short

To upload an SBOM through the FOSSA API instead of the UI, a user needs to do the following:

  1. Get a signed URL from the GET /api/components/signed_url endpoint.
  2. POST the SBOM file to that URL within 5 minutes of receiving it, before it expires.
  3. POST to /api/components/build to start analysis of the uploaded SBOM.

Getting the Signed URL

The GET /api/components/signed_url endpoint returns a pre-signed URL for FOSSA's cloud storage. The URL is the credential: anyone holding it can write to that storage location, so treat it as a secret (do not log it) and send your FOSSA API token only to FOSSA, never to the storage host. The signed URL is valid for 5 minutes.

Request Example

To request a signed URL, use the following curl command. Note the -G flag: it makes curl append the --data-urlencode values to the URL as the query string. Without it (for example with -X GET), curl sends the parameters in the request body, where a GET endpoint will not read them.

curl -G "https://app.fossa.com/api/components/signed_url" \
     --data-urlencode "packageSpec=<SBOM_package_or_file_name>" \
     --data-urlencode "revision=<SHA_hash_or_version>" \
     --data-urlencode "fileType=sbom" \
     -H "Authorization: Bearer $FOSSA_TOKEN"

Using the Signed URL

First upload the SBOM file to the signed URL you received. Pre-signed URLs are bound to the HTTP method they were issued for and expire after 5 minutes, so upload promptly and do not add your FOSSA token to that request. Then call the POST /api/components/build endpoint, which starts analysis of the uploaded SBOM (Software Bill of Materials) file.

Request Example

To trigger a build, use the following curl command. The packageSpec and revision in the archives entry identify the file you uploaded, so use the same values you passed to /api/components/signed_url:

curl -X POST "https://app.fossa.com/api/components/build?fileType=sbom" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $FOSSA_TOKEN" \
     -d '{
           "selectedTeams": [],
           "archives": [
             {
               "packageSpec": "Distro cyclonedx",
               "revision": "123456789",
               "fileType": "sbom"
             }
           ]
         }'

Assuming everything goes well, you'll get a 201 Created back.
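Automating the three steps above in a CI job means chaining the signed-URL request, the upload and the build trigger while respecting the 5-minute expiry and keeping the API token away from the storage host. The script below is an added example, not FOSSA's own client, and it makes two assumptions the page does not state: that the signed_url response is JSON with the URL under a `signedUrl` key, and that the upload to the signed URL uses POST as the page says (pre-signed URLs are method-specific; if yours was issued for PUT, pass upload_method="PUT"). The HTTP transport is injectable so the flow can be exercised offline; the default transport uses urllib.

```python
"""Import an SBOM into FOSSA: signed URL -> upload -> build. Added example, not FOSSA code."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Sequence, Tuple

# Transport: (method, url, headers, body) -> (status, response_body). Injectable for testing.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

SIGNED_URL_TTL_SECONDS = 300  # signed URLs expire five minutes after issue


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport; HTTP errors are returned as status codes rather than raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class FossaSbomImporter:
    def __init__(self, token: str, base_url: str = "https://app.fossa.com",
                 transport: Transport = urllib_transport, upload_method: str = "POST"):
        self.token = token
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.upload_method = upload_method  # page says POST; the signed URL is bound to one method

    def _auth(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token}"}

    def get_signed_url(self, package_spec: str, revision: str) -> Tuple[str, float]:
        """Step 1: GET a pre-signed storage URL; returns (url, issue time) for expiry tracking."""
        query = urllib.parse.urlencode({"packageSpec": package_spec, "revision": revision, "fileType": "sbom"})
        status, body = self.transport("GET", f"{self.base_url}/api/components/signed_url?{query}", self._auth(), None)
        if status != 200:
            raise RuntimeError(f"signed_url failed: HTTP {status}: {body[:200]!r}")
        # Assumption: the response JSON carries the URL under "signedUrl".
        return json.loads(body)["signedUrl"], time.monotonic()

    def upload(self, signed_url: str, issued_at: float, sbom: bytes, content_type: str) -> None:
        """Step 2: send the SBOM to the signed URL. The URL is the credential; no API token here."""
        if time.monotonic() - issued_at > SIGNED_URL_TTL_SECONDS:
            raise RuntimeError("signed URL has expired; request a fresh one")
        status, body = self.transport(self.upload_method, signed_url, {"Content-Type": content_type}, sbom)
        if status not in (200, 201, 204):
            raise RuntimeError(f"upload to signed URL failed: HTTP {status}: {body[:200]!r}")

    def trigger_build(self, package_spec: str, revision: str, teams: Sequence[str] = ()) -> int:
        """Step 3: POST /api/components/build with the same packageSpec/revision; expects 201."""
        payload = {"selectedTeams": list(teams),
                   "archives": [{"packageSpec": package_spec, "revision": revision, "fileType": "sbom"}]}
        headers = {**self._auth(), "Content-Type": "application/json"}
        status, body = self.transport("POST", f"{self.base_url}/api/components/build?fileType=sbom",
                                      headers, json.dumps(payload).encode())
        if status != 201:
            raise RuntimeError(f"build failed: HTTP {status}: {body[:200]!r}")
        return status

    def import_sbom(self, sbom: bytes, package_spec: str, revision: str, teams: Sequence[str] = ()) -> int:
        """Run all three steps; returns the build endpoint's status (201 on success)."""
        content_type = "application/xml" if sbom.lstrip().startswith(b"<") else "application/json"
        url, issued_at = self.get_signed_url(package_spec, revision)
        self.upload(url, issued_at, sbom, content_type)
        return self.trigger_build(package_spec, revision, teams)


if __name__ == "__main__":
    import sys  # usage: FOSSA_TOKEN=... python import_sbom.py bom.json <packageSpec> <revision>
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    importer = FossaSbomImporter(token=os.environ["FOSSA_TOKEN"])
    print("build status:", importer.import_sbom(data, sys.argv[2], sys.argv[3]))
```

Two design points worth keeping in any real client: the token is read from the environment and attached only to requests sent to base_url, so a compromised or mis-issued storage URL never sees it, and the issue time of the signed URL is tracked so a slow pipeline fails clearly with "expired" rather than with an opaque storage error.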