Software bill of materials (SBOM)

A Software Bill of Materials (SBOM) might be required for compliance with government security regulations.

You can generate an SBOM through Contrast, through a simple API, or with a command through the Contrast command line interface (CLI).

The Contrast SBOM meets the specifications of OWASP's CycloneDX SBOM standard and contains information about the software that your application uses, including:

  • Libraries - Open source and third-party components present in a codebase

  • Licenses that govern the software components

  • Versions of software components used in the codebase

Before you begin

  • A Contrast SCA license is required

  • Supported languages: Java, .NET Framework, .NET Core, Node.js, Python, Ruby, Go, PHP

Steps

There are three options for generating an SBOM report.

  1. To generate a report with Contrast:

    1. Select Applications in the header.

    2. Select the Reports icon located at the top of the application's list.

    3. In the dropdown, select Generate Software Bill Of Materials (SBOM) to generate and download a copy of the SBOM.

  2. To generate a report with API:

    1. Make a GET request to <HOST>/Contrast/api/ng/<ORG_ID>/applications/<APP_ID>/libraries/sbom/cyclonedx. See REST API for more information about using APIs.

  3. To generate a report with CLI:

    1. Use the --sbom command. See CLI commands for more information.
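The following script shows option 2 (the API) end to end: it requests the CycloneDX SBOM from the endpoint above and then reduces the document to the three things the report contains (libraries, versions, licenses), flagging components whose license could not be determined. It is an added example, not Contrast's own code. The authentication headers (base64 of username:service key in Authorization, plus the organization key in API-Key), the CONTRAST_* environment variable names and the SAMPLE_SBOM document are assumptions; confirm the headers against the REST API documentation for your Contrast version, and substitute the real HOST, ORG_ID and APP_ID.

```python
"""Fetch a Contrast SBOM over the REST endpoint and summarize its components."""
import base64
import json
import os
import urllib.request

# Endpoint path from the documentation; org_id and app_id are the caller's values.
SBOM_PATH = "/Contrast/api/ng/{org_id}/applications/{app_id}/libraries/sbom/cyclonedx"


def sbom_url(host: str, org_id: str, app_id: str) -> str:
    """Build the CycloneDX SBOM URL for one application."""
    return host.rstrip("/") + SBOM_PATH.format(org_id=org_id, app_id=app_id)


def auth_headers(username: str, service_key: str, api_key: str) -> dict:
    """Assumed Contrast API authentication: base64(username:service_key) in
    Authorization plus the organization API key in API-Key."""
    token = base64.b64encode(f"{username}:{service_key}".encode()).decode()
    return {"Authorization": token, "API-Key": api_key, "Accept": "application/json"}


def fetch_sbom(host, org_id, app_id, username, service_key, api_key) -> dict:
    """GET the SBOM and parse the CycloneDX JSON document."""
    req = urllib.request.Request(sbom_url(host, org_id, app_id),
                                 headers=auth_headers(username, service_key, api_key))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def component_licenses(component: dict) -> list:
    """Collect SPDX ids, license names or SPDX expressions attached to a component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return sorted(set(found)) or ["UNKNOWN"]


def summarize(sbom: dict) -> list:
    """Reduce a CycloneDX SBOM to name/version/licenses/purl rows, one per component."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [{"name": c.get("name"), "version": c.get("version"),
             "licenses": component_licenses(c), "purl": c.get("purl")}
            for c in sbom.get("components", [])]


def missing_license(rows: list) -> list:
    """Names of components with no determinable license; these usually need review."""
    return [r["name"] for r in rows if r["licenses"] == ["UNKNOWN"]]


# Constructed sample in the CycloneDX JSON shape so the parser can run offline.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"name": "MIT License"}}]},
        {"type": "library", "name": "internal-utils", "version": "0.3.0"},
    ],
}


if __name__ == "__main__":
    # Assumed environment variable names; any other secret source works as well.
    env = os.environ
    keys = ("CONTRAST_HOST", "CONTRAST_ORG_ID", "CONTRAST_APP_ID",
            "CONTRAST_USERNAME", "CONTRAST_SERVICE_KEY", "CONTRAST_API_KEY")
    if all(k in env for k in keys):
        doc = fetch_sbom(*(env[k] for k in keys))
    else:
        doc = SAMPLE_SBOM  # fall back to the constructed sample
    rows = summarize(doc)
    for row in rows:
        print(f"{row['name']:<20} {row['version']:<10} {', '.join(row['licenses'])}")
    print("needs license review:", missing_license(rows))
```

Run it with the six CONTRAST_* variables set to pull a live SBOM, or without them to exercise the parser on the constructed sample. The license handling covers the three shapes CycloneDX allows (an SPDX id, a free-text name, or an SPDX expression) so that a component the scanner could not classify shows up as UNKNOWN rather than silently passing a license review.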