Uploading Software Bill of Materials files using a REST API

  • Release version: Xanadu
  • Updated January 17, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Uploading Software Bill of Materials files using a REST API

    This guide provides essential information for ServiceNow customers on how to upload Software Bill of Materials (SBOM) files using the REST API. The process requires thesnsbomcore.sbomingestrole and supports various formats like CycloneDX and SPDX. It is crucial to note that files exceeding 32 MB may not load correctly.

    Show full answer Show less

    Key Features

    • Upload API: Use the POST method at /api/sbom/core/upload to submit SBOM files.
    • Status API: Check the status of SBOM uploads with the GET method at /api/sbom/core/upload/status.
    • Request Parameters: Various optional parameters can be included, such as productModelId, businessApplicationId, and requestedBy. For requestedBy set to "devops," additional parameters like buildId and lifecycleStage are mandatory.
    • Data Handling: Upon successful upload, the API returns a bomRecordId and status message.
    • Component Types: Uploaded components are categorized as BOM Entities, with libraries considered third-party components.

    Key Outcomes

    Once the SBOM file is uploaded and processed, users can view the records in the SBOM Ingestion Status list or the SBOM Core module. The API also supports enhanced SBOM standards, enabling the import of additional metadata and vulnerability information based on the CycloneDX specifications. This streamlines the management of software components and vulnerabilities, providing valuable insights into your software environment.

    Review the following information prior to uploading Software Bill of Materials files using an API.

    Using the REST API

    To upload an SBOM file with an API, the sn_sbom_core.sbom_ingest role is required.

    Upload API.

    This API is used for uploading and ingesting an SBOM file (CycloneDX/SPDX) into your instance.

    Version 4.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (versions 1.0 - 1.6).
    • JSON in SPDX (versions 2.2-2.3)
    • Note:
      Files over 32 MB might not load properly.

    HTTP method: (POST)

    API URL: <host_name>/api/sbom/core/upload
    Note:
    <host_name> is your ServiceNow instance name.
    All below request parameters are optional; the request body is the SBOM file content. If you are using DevOps as part of your development process, the value of 'requestedBy' should be 'devops'. See Uploading Software Bill of Materials for DevOps SBOM files for more general information about DevOps. If the value for 'requestedby' is "devops" (devlopment operations), these parameters are mandatory:
    • buildId
    • lifecycleStage
    In addition, if 'requestedBy' is 'devops', data for fetchVulenrabilityInfo, and fetchPackageInfo is included.
    • buildId- string you send
    • lifecycleStage- two values, production or pre_production
    • fetchVulenrabilityInfo- t/f
    • fetchPackageInfo-t/f
    Request parameters Possible values Description
    productModelId Sys id Sys id of product model to map with the root application of given SBOM.
    businessApplicationId Sys id Sys id of business application to map with the root application of given SBOM.
    businessApplicationName (deprecated) Your business application name Name of business application to map with the root application of given SBOM.
    sbomSource A product such as Veracode, for example The source for your SBOM file.
    requestedBy A tool, or name of a methodology, Jenkins. If you use "devops", buildId and lifecycleStage are mandatory. Upload requested by
    buildId A string requester sends. Build ID of the SBOM build.
    lifecycleStage production or pre_production Life cycle stage of the entity.
    fetchVulenrabilityInfo t/f If true, triggers vulnerability intelligence integration.
    fetchPackage Info t/f If true, triggers package intelligence integration.
    Upload API Response: included 'status' success/fail, 'message' (string), 'bomRecordId' (this is the sys id of the SBOM that is returned through the upload API for a successful SBOM upload).
    {

"result": {

"status": "success",

"message": "Queued for processing.",

"bomRecordId": "f207059b4393c290629aa597cbb8f247"

}

}

    Status API

    This API gets the status and summary of an SBOM that Is queued for ingestion.
    • API URL: /api/sbom/core/upload/status
    • HTTP method (GET)
    Request parameters Possible values Description
    bomRecordId Sys id SBOM record ID that is returned the through the upload API for a successful SBOM upload.

    Status API default response example.

    
{
   "result": {
      "bomRecordId": "0407c0fea3e70a505df340f5251e617e",
      "uploadStatus": "processed",
      "additionalInfoStatus": "not_requested",
      "uploadSummary": {
         "components": {
            "added": 0,
            "removed": 0,
            "total": 70
         }
       }
    } 
}

    Status API response with additional parameters example. If you requested fetchVulenrabilityInfo for that SBOM, you get the vulnerability breakdown as part of the response.

    
{
 "result": {

  "bomRecordId": "93af349b4393c290629aa597cbb8f258",

  "uploadStatus": "processed",

  "additionalInfoStatus": "complete",

  "uploadSummary": {

    "components": {
 
     "added": 0,

     "removed": 0,

     "total": 3

   },

   "vulnerabilityInfo": {

    "critical": 0,

    "high": 0,

    "medium": 0,

    "low": 0,

    "none": 0

   }

  },

  "buildId": "1"

 }

}

    If you requested fetchPackageInfo for that SBOM, you get stale and abandoned counts as part of the response.

    After an SBOM is successfully processed, where you view the uploaded records depends on the applications you’re using.

    • If you’re using SBOM Response, the BOM Entity record is displayed on the SBOM Ingestion Status list in the BOM Queue module in the SBOM Workspace.
    • If you’re using SBOM Core, navigate to SBOM Core > BOM Ingestion Status.

    Enhancements to supported SBOM standards and general usage information

    Version 4.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (versions 1.0 - 1.6).
    • JSON in SPDX (versions 2.2-2.3)
    • Note:
      Files over 32 MB might not load properly.
    Starting with v4.0 of SBOM Core, the following enhancements were made to support CycloneDx standards for versions 1.0 - 1.6:
    • Import additional information in CycloneDX SBOM files with the (sn_sbom_core.collect_properties) property. This property is deactivated by default. Activate the property to import information that is generally not supported. Any information imported from these properties is uploaded to the SBOM Component Property [sn_sbom_comp_property] table for the following:
      • Uploaded SBOM files
      • Metadata
      • Individual vulnerabilities
      • Components
    • View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX in two new license fields:
      • Declared
      • Concluded
    • SBOM parsing support is extended for the following CycloneDX component types:
      • Version 1.5: Platform, Data, Device driver, Machine Learning model
      • Version 1.6: Cryptographic
    Version 3.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (up to and including version 1.4).
    • JSON in SPDX (up to and including v2.3).

    If the calling user is successfully authenticated and has the sn_sbom_core.sbom_ingest role in your ServiceNow instance, you can access the API from outside of your instance to upload the SBOM data.

    After data is uploaded, it is parsed. Before data is parsed, the following requirements are verified:

    • Incoming data is checked that it is valid JSON or XML.
    • The BOM format is supported. Starting with v2.1 of SBOM Core, CycloneDX (JSON and XML) and SPDX (XML) formats are supported.
    • The minimum fields are available so that data can be parsed.

    After these checks are verified, an entry is made into the Bill of Materials [sn_sbom_doc] table with incoming SBOM data as an attachment.

    The Process BOM file business rule is triggered automatically as a result of the record insertion and data parsing.
    Note:
    This business rule is activated during installation of SBOM Core by default.

    All the components listed in an SBOM have a defined type.

    • Components for which SBOM files were uploaded are considered BOM Entities.
    • Components listed as type=library are considered third-party components.