OPEN FOSSA APP

Import SBOMs

Suggest Edits

πŸ‘

Enterprise Feature

This feature is only available in a FOSSA Enterprise subscription. Contact [email protected] for more details.

New SBOM Import

Once logged in, you are ready to import your SBOM project(s).
From the Add Projects page, you have the option to Import SBOM(CycloneDX, SPDX)

πŸ“˜

TIP

Imports must be compliant to:

  • CycloneDX specification v1.2 , v1.3 , v1.4, v1.5
  • SPDX 2.2+ , 2.3
    • For SPDX there are two requirements:
      • a DESCRIBES relationshipType in the relationships section for the top-level project
      • the DEPENDS_ON or DEPENDENCY_OF relationshipTypes in the relationships section

in JSON or XML formats

Next, select Add Files and select your desired SBOM file (.json or .xml) to import

πŸ“˜

Tip

Bulk import is supported, select as many files as desired

Add a unique name and applicable semantic version number

🚧

Note

Providing an existing SBOM project name will add the SBOM as the latest revision to the existing SBOM project.

Once uploading and analyzing the file is complete you will see your SBOM appear in your Projects list

1630

Project List

πŸ“˜

Tip

Notice all SBOM projects will have the SBOM icon denoted next to them

Importing SBOMs via API

There are two ways to upload an SBOM project to FOSSA.
First, you can use the normal web UI flow.
The UI will ask you to upload a file and fill in its project name and revision.

Alternatively, if you need to automate that process, you can use our API.

In Short

To use the FOSSA API, as opposed to the UI, to upload SBOMs, a user needs to do the following:

  1. Get a signed URL from the /api/components/signed_url endpoint.
  2. POST an SBOM to that URL within 5 minutes of receiving it, before it expires.

Getting the Signed URL

The GET /api/components/signed_url endpoint lets API users retrieve a cloud storage location to which they can push data via the FOSSA API.
That looks something like:

% curl 'app.fossa.io/api/components/signed_url?packageSpec=<an SBOM package/file name>&revision=<a SHA hash, a version number, the state of the project>&fileType=sbom' --header "Authorization: Bearer $FOSSA_TOKEN"


{"signedUrl":"<a signed cloud storage URL valid for 5 minutes>"}

Using the Signed URL

Once you have a signed URL, you'll need to use it to trigger a build, like so:

% curl 'http://app.fossa.com/api/components/build?fileType=sbom'
-X POST \
-H 'content-type: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{"selectedTeams":[],"archives":[{"packageSpec":"Distro cyclonedx","revision":"1720986640007","fileType":"sbom"}]}'

Assuming everything goes well, you'll get a 201 Created back.

Updated 11 days ago