Skip to main content

Software bill of materials (SBOM)

A Software Bill of Materials (SBOM) might be required for compliance with government security regulations.

You can generate an SBOM through Contrast, through a simple API, or with a command through the Contrast command line interface (CLI).

The Contrast SBOM meets the specifications of the OWASP's CycloneDX SBOM standard and the international open SPDX standard. It contains information about the software that your application uses including:

  • Libraries - Open source and third-party components present in a codebase

  • Licenses that govern the software components

  • Versions of software components used in the codebase


Currently supports CycloneDX v1.4 and SPDX 2.2.

The Contrast SBOM also meets the requirements of the National Telecommunications and Information Administration (NTIA). It includes the author name, supplier name, component name and version, component relationship, timestamp and other unique identifiers like PURL and package SPDX identifier.

Before you begin

  • A Contrast Assess license is required for export via Contrast

  • Supported languages: Java, .NET Framework, .NET Core, Node.js, Python, Ruby, Go, PHP


There are three options for generating an SBOM report.

  1. To generate a report with Contrast:

    1. Select Applications in the header.

    2. Select the Reports icon (ReportsIcon.png ) located at the top of the application list.

    3. In the dropdown, select Generate Software Bill Of Materials (SBOM) to generate and download a copy of the SBOM. Supports CycloneDx and SPDX standards.

  2. To generate a report with API:

    1. For CycloneDX: Make a GET<HOST>/Contrast/api/ng/<ORG_ID>/applications/<APP_ID>/libraries/sbom/cyclonedx request.

    2. For SPDX: Make a GET<HOST>/Contrast/api/ng/<ORG_ID>/applications/<APP_ID>/libraries/sbom/spdx request.

    See icon-external-link.svgREST API for more information about using APIs.

  3. To generate a report with CLI:

    1. Use the --save command. Choose the type with --save cyclonedx or --save spdx. See CLI commands for more information.


      • .NET support is currently limited for CLI.

      • Use the CLI to generate the SBOM for static SCA results.

      • The SBOM generated via CLI will provide class usage information of the application the CLI is registered to that has library data.