Software bill of materials (SBOM)

A Software Bill of Materials (SBOM) might be required for compliance with government security regulations.

You can generate an SBOM through Contrast, through a simple API, or with a command through the Contrast command line interface (CLI).

The Contrast SBOM conforms to the OWASP CycloneDX SBOM standard and the international open SPDX standard. It contains information about the software your application uses, including:

• Libraries - Open source and third-party components present in a codebase

• Licenses that govern the software components

• Versions of software components used in the codebase

Before you begin

• A Contrast SCA license is required

• Supported languages: Java, .NET Framework, .NET Core, Node.js, Python, Ruby, Go, PHP

Steps

There are three options for generating an SBOM report.

1. To generate a report with Contrast:

1. Select Applications in the header.

2. Select the Reports icon located at the top of the application's list.

3. In the dropdown, select Generate Software Bill Of Materials (SBOM) to generate and download a copy of the SBOM. Both the CycloneDX and SPDX standards are supported.

2. To generate a report with the API:

1. For CycloneDX: make a GET request to <HOST>/Contrast/api/ng/<ORG_ID>/applications/<APP_ID>/libraries/sbom/cyclonedx.

2. For SPDX: make a GET request to <HOST>/Contrast/api/ng/<ORG_ID>/applications/<APP_ID>/libraries/sbom/spdx.

3. To generate a report with the Contrast CLI:

1. Use the --sbom command. Note that .NET support in the CLI is currently limited. See CLI commands for more information.
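An added example, not Contrast's own code: it builds the two GET URLs from the API option above, fetches the document (the authentication headers are supplied by the caller, since this page does not describe them), and summarizes a CycloneDX response into the libraries, versions and licenses the page says an SBOM contains, flagging components that carry no license data. The sample document is constructed.

```python
import json
import urllib.request

# Endpoint paths from the page; <HOST>, <ORG_ID> and <APP_ID> get filled in.
SBOM_PATHS = {
    "cyclonedx": "/Contrast/api/ng/{org}/applications/{app}/libraries/sbom/cyclonedx",
    "spdx": "/Contrast/api/ng/{org}/applications/{app}/libraries/sbom/spdx",
}

def sbom_url(host, org_id, app_id, fmt="cyclonedx"):
    """Return the GET URL for the requested SBOM format."""
    if fmt not in SBOM_PATHS:
        raise ValueError(f"unsupported SBOM format: {fmt}")
    return host.rstrip("/") + SBOM_PATHS[fmt].format(org=org_id, app=app_id)

def fetch_sbom(host, org_id, app_id, headers, fmt="cyclonedx"):
    """GET the SBOM and parse the JSON body; `headers` carries the Contrast API
    credentials (assumption: the page does not describe their form)."""
    req = urllib.request.Request(sbom_url(host, org_id, app_id, fmt), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_cyclonedx(doc):
    """Flatten a CycloneDX JSON document into name/version/licenses rows."""
    rows = []
    for comp in doc.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            if "expression" in entry:  # SPDX license expression form
                licenses.append(entry["expression"])
            else:  # {"license": {"id": ...}} or {"license": {"name": ...}} form
                lic = entry.get("license", {})
                licenses.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        rows.append({"name": comp.get("name"), "version": comp.get("version"),
                     "licenses": licenses})
    return rows

def missing_license(rows):
    """Components with no license data: the ones a compliance review must chase."""
    return [r["name"] for r in rows if not r["licenses"]]

# Constructed sample CycloneDX document, not real Contrast output.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "jackson-databind", "version": "2.13.4",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "licenses": [{"expression": "MIT"}]},
    {"type": "library", "name": "internal-util", "version": "0.1.0"},
]}
```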