Uploading Software Bill of Materials files using a REST API

Release version: Australia

Updated March 12, 2026

4 minutes to read

Summarize

Summarized using AI

Summary of Uploading Software Bill of Materials files using a REST API

Uploading Software Bill of Materials (SBOM) files via the REST API requires thesnsbomcore.sbomingestrole. This API allows you to ingest SBOM files in CycloneDX and SPDX formats into your ServiceNow instance.

Show full answer Show less

Key Features

Supported Formats: Version 4.0 supports CycloneDX (XML and JSON, versions 1.0 - 1.6) and SPDX (JSON, versions 2.2 - 2.3).
Upload API: Use the POST method at /api/sbom/core/upload to submit your SBOM file. Files larger than 32 MB may not upload correctly.
Parameters: While most parameters are optional, if the requestedBy value is "devops," you must provide buildId and lifecycleStage.
Status API: Use GET method at /api/sbom/core/upload/status to check the status of an SBOM upload, including processing information and vulnerability breakdown if requested.

Key Outcomes

Upon successful upload, you will receive a bomRecordId that can be used to track the status of the SBOM. If parameters for vulnerability or package information are included, additional data will be returned regarding vulnerabilities and package states. Successfully processed SBOMs can be viewed in the SBOM Ingestion Status list or the SBOM Core module, depending on your setup.

Review the following information prior to uploading Software Bill of Materials files using an API.

Using the REST API

To upload an SBOM file with an API, the sn_sbom_core.sbom_ingest role is required.

Upload API.

This API is used for uploading and ingesting an SBOM file (CycloneDX/SPDX) into your instance.

Version 4.0 of SBOM Core supports:

XML and JSON in CycloneDx (versions 1.0 - 1.6).
JSON in SPDX (versions 2.2-2.3)
Note:
Files over 32 MB might not load properly.

HTTP method: (POST)

API URL: <host_name>/api/sbom/core/upload

Note:

<host_name> is your ServiceNow instance name.

All below request parameters are optional; the request body is the SBOM file content. If you are using DevOps as part of your development process, the value of 'requestedBy' should be 'devops'. See Uploading Software Bill of Materials for DevOps SBOM files for more general information about DevOps. If the value for 'requestedby' is "devops" (devlopment operations), these parameters are mandatory:

buildId
lifecycleStage

In addition, if 'requestedBy' is 'devops', data for fetchVulenrabilityInfo, and fetchPackageInfo is included.

buildId- string you send
lifecycleStage- two values, production or pre_production
fetchVulenrabilityInfo- t/f
fetchPackageInfo-t/f


Request parameters	Possible values	Description
productModelId	Sys id	Sys id of product model to map with the root application of given SBOM.
businessApplicationId	Sys id	Sys id of business application to map with the root application of given SBOM.
businessApplicationName (deprecated)	Your business application name	Name of business application to map with the root application of given SBOM.
sbomSource	A product such as Veracode, for example	The source for your SBOM file.
requestedBy	A tool, or name of a methodology, Jenkins. If you use "devops", buildId and lifecycleStage are mandatory.	Upload requested by
buildId	A string requester sends.	Build ID of the SBOM build.
lifecycleStage	production or pre_production	Life cycle stage of the entity.
fetchVulenrabilityInfo	t/f	If true, triggers vulnerability intelligence integration.
fetchPackage Info	t/f	If true, triggers package intelligence integration.

Upload API Response: included 'status' success/fail, 'message' (string), 'bomRecordId' (this is the sys id of the SBOM that is returned through the upload API for a successful SBOM upload).

{

"result": {

"status": "success",

"message": "Queued for processing.",

"bomRecordId": "f207059b4393c290629aa597cbb8f247"

}

}

Status API

This API gets the status and summary of an SBOM that Is queued for ingestion.

API URL: /api/sbom/core/upload/status
HTTP method (GET)


Request parameters	Possible values	Description
bomRecordId	Sys id	SBOM record ID that is returned the through the upload API for a successful SBOM upload.

Status API default response example.


{
   "result": {
      "bomRecordId": "0407c0fea3e70a505df340f5251e617e",
      "uploadStatus": "processed",
      "additionalInfoStatus": "not_requested",
      "uploadSummary": {
         "components": {
            "added": 0,
            "removed": 0,
            "total": 70
         }
       }
    } 
}

Status API response with additional parameters example. If you requested fetchVulenrabilityInfo for that SBOM, you get the vulnerability breakdown as part of the response.


{
 "result": {

  "bomRecordId": "93af349b4393c290629aa597cbb8f258",

  "uploadStatus": "processed",

  "additionalInfoStatus": "complete",

  "uploadSummary": {

    "components": {
 
     "added": 0,

     "removed": 0,

     "total": 3

   },

   "vulnerabilityInfo": {

    "critical": 0,

    "high": 0,

    "medium": 0,

    "low": 0,

    "none": 0

   }

  },

  "buildId": "1"

 }

}

If you requested fetchPackageInfo for that SBOM, you get stale and abandoned counts as part of the response.

After an SBOM is successfully processed, where you view the uploaded records depends on the applications you’re using.

If you’re using SBOM Response, the BOM Entity record is displayed on the SBOM Ingestion Status list in the BOM Queue module in the SBOM Workspace.
If you’re using SBOM Core, navigate to SBOM Core > BOM Ingestion Status.

Enhancements to supported SBOM standards and general usage information

Version 4.0 of SBOM Core supports:

XML and JSON in CycloneDx (versions 1.0 - 1.6).
JSON in SPDX (versions 2.2-2.3)
Note:
Files over 32 MB might not load properly.

Starting with v4.0 of SBOM Core, the following enhancements were made to support CycloneDx standards for versions 1.0 - 1.6:

Import additional information in CycloneDX SBOM files with the (sn_sbom_core.collect_properties) property. This property is deactivated by default. Activate the property to import information that is generally not supported. Any information imported from these properties is uploaded to the SBOM Component Property [sn_sbom_comp_property] table for the following:
- Uploaded SBOM files
- Metadata
- Individual vulnerabilities
- Components
View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX in two new license fields:
- Declared
- Concluded
SBOM parsing support is extended for the following CycloneDX component types:
- Version 1.5: Platform, Data, Device driver, Machine Learning model
- Version 1.6: Cryptographic

Version 3.0 of SBOM Core supports:

XML and JSON in CycloneDx (up to and including version 1.4).
JSON in SPDX (up to and including v2.3).

If the calling user is successfully authenticated and has the sn_sbom_core.sbom_ingest role in your ServiceNow instance, you can access the API from outside of your instance to upload the SBOM data.

After data is uploaded, it is parsed. Before data is parsed, the following requirements are verified:

Incoming data is checked that it is valid JSON or XML.
The BOM format is supported. Starting with v2.1 of SBOM Core, CycloneDX (JSON and XML) and SPDX (XML) formats are supported.
The minimum fields are available so that data can be parsed.

After these checks are verified, an entry is made into the Bill of Materials [sn_sbom_doc] table with incoming SBOM data as an attachment.

The Process BOM file business rule is triggered automatically as a result of the record insertion and data parsing.

Note:

This business rule is activated during installation of SBOM Core by default.

All the components listed in an SBOM have a defined type.

Components for which SBOM files were uploaded are considered BOM Entities.
Components listed as type=library are considered third-party components.