Software Bill of Materials (SBOM) report

A Software Bill of Materials (SBOM) is a list of all the open source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks. See the individual SPDX and CycloneDX mapping entries for additional details on the fields found in their SBOM reports.

You can export your SBOM report for a specific project version. SBOM reports can also be used to import project information into Black Duck.
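The following Python script is an added example, not Black Duck's code, showing the kind of review a security team can run over an exported SBOM once it has been downloaded: it lists each component with its version and declared licenses, then flags components with no license or a license outside a (hypothetical) allow list. It assumes the standard CycloneDX JSON layout (a top-level "components" list whose entries carry "name", "version" and "licenses"); the SBOM document and the allow list are constructed for the example.

```python
"""Summarise a CycloneDX JSON SBOM and flag license risks.

Added example (not Black Duck's code). It assumes the standard CycloneDX
JSON layout: a top-level "components" list whose entries carry "name",
"version" and a "licenses" list of {"license": {"id": ...}} objects. The
SBOM below is constructed for the example; a real report exported from
Black Duck would be loaded from the downloaded file instead.
"""
import json

# Constructed sample in CycloneDX JSON form (not a real Black Duck export).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.9.0"},
        {"type": "library", "name": "gpl-tool", "version": "2.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Hypothetical policy: licenses that need no further review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "BSD-2-Clause", "ISC"}


def load_sbom(text):
    """Parse CycloneDX JSON text and check that it really is CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_licenses(component):
    """Return the license identifiers declared for one component.

    CycloneDX permits {"license": {"id": ...}}, {"license": {"name": ...}}
    or {"expression": ...}; all three forms are collected so that a
    declared license is never silently dropped.
    """
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def summarize(doc):
    """List every component as (name, version, [licenses])."""
    return [
        (c.get("name", "?"), c.get("version", "?"), component_licenses(c))
        for c in doc.get("components", [])
    ]


def license_findings(doc, allowed=ALLOWED_LICENSES):
    """Flag components with no declared license or one outside the allow list."""
    findings = []
    for name, version, licenses in summarize(doc):
        if not licenses:
            findings.append((name, version, "no license declared"))
            continue
        for lic in licenses:
            if lic not in allowed:
                findings.append((name, version, f"license {lic} not on allow list"))
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for name, version, lics in summarize(sbom):
        print(f"{name} {version}: {', '.join(lics) or '(none)'}")
    for name, version, reason in license_findings(sbom):
        print(f"REVIEW {name} {version}: {reason}")
```

To run it against a real export, replace `SAMPLE_SBOM` with the contents of the downloaded JSON file; a component with no `licenses` entry is reported separately from one with a disallowed license, because the two usually need different follow-up (identification versus legal review).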

To run a Software Bill of Materials report at the project version level:

  1. Select the project name using the Watching or My Projects dashboard. The Project Name page appears.

  2. Select the version of the project for which you want to run the report.

  3. Select the Reports tab.

  4. Click + Create New Report and select Software Bill of Materials (SBOM).

  5. Select an SBOM template from the Template dropdown menu. The default SBOM template is selected automatically, but can be changed if desired.

  6. Select the desired Report Format:
    • JSON (CycloneDX SBOM reports only support this format)

    • YAML

    • RDF

    • tag:value

  7. Optionally, you can expand the Template Details to see the fields included in the selected SBOM template.

  8. Click Create to run the report.

  9. Click the link to download and view the report.

Note: If the Don't generate SBOM reports for projects with policy violations option has been enabled for this project's group and the project has policy violations, the option to generate an SBOM report is disabled.