Uploading Software Bill of Materials files using a REST API

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Uploading Software Bill of Materials files using a REST API

    This guide explains how ServiceNow customers can upload Software Bill of Materials (SBOM) files via a REST API in the Yokohama release. The API supports ingesting SBOM files in CycloneDX (XML/JSON) and SPDX (JSON) formats, enabling integration of SBOM data into your ServiceNow instance for vulnerability and package intelligence management.

    Show full answer Show less

    Key Features

    • API Access and Permissions: Requires the snsbomcore.sbomingest role for uploading SBOM files.
    • Supported Formats: CycloneDX versions 1.0–1.6 (XML and JSON) and SPDX versions 2.2–2.3 (JSON).
    • Upload API: Uses HTTP POST to /api/sbom/core/upload with optional parameters such as productModelId, businessApplicationId, sbomSource, and requestedBy. The request body contains the SBOM file content.
    • DevOps Integration: When requestedBy is set to "devops," the parameters buildId and lifecycleStage (production or preproduction) are mandatory, and vulnerability/package information fetch flags can be enabled.
    • File Size Limitation: Files larger than 32 MB may not load correctly.
    • Status API: HTTP GET on /api/sbom/core/upload/status provides the ingestion status and summary of an uploaded SBOM using the returned bomRecordId.
    • Enhanced SBOM Support: Version 4.0 adds support for additional CycloneDX component types, declared/concluded license fields, and optional import of extra properties via a configurable system property.

    Practical Usage and Outcomes

    • After uploading, SBOM files are validated (JSON/XML format, supported BOM format, required fields), then parsed and stored in the Bill of Materials [snsbomdoc] table as attachments.
    • The ingestion status API allows real-time tracking of processing, including details on components added/removed and vulnerability/package intelligence when requested.
    • Uploaded SBOM data can be viewed in the SBOM Workspace modules such as BOM Queue or BOM Ingestion Status, depending on the installed applications.
    • Integration with vulnerability and package intelligence provides actionable insights for third-party component risk management.

    Additional Notes

    • The SBOM Core business rule Process BOM file automatically triggers parsing upon upload.
    • SBOM components are classified by type; 'library' components denote third-party elements.
    • Customers can leverage this REST API to automate continuous SBOM ingestion as part of their DevOps pipelines or broader software supply chain management practices.

    Review the following information prior to uploading Software Bill of Materials files using an API.

    Using the REST API

    To upload an SBOM file with an API, the sn_sbom_core.sbom_ingest role is required.

    Upload API.

    This API is used for uploading and ingesting an SBOM file (CycloneDX/SPDX) into your instance.

    Version 4.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (versions 1.0 - 1.6).
    • JSON in SPDX (versions 2.2-2.3)
    • Note:
      Files over 32 MB might not load properly.

    HTTP method: (POST)

    API URL: <host_name>/api/sbom/core/upload
    Note:
    <host_name> is your ServiceNow instance name.
    All below request parameters are optional; the request body is the SBOM file content. If you are using DevOps as part of your development process, the value of 'requestedBy' should be 'devops'. See Uploading Software Bill of Materials for DevOps SBOM files for more general information about DevOps. If the value for 'requestedby' is "devops" (devlopment operations), these parameters are mandatory:
    • buildId
    • lifecycleStage
    In addition, if 'requestedBy' is 'devops', data for fetchVulenrabilityInfo, and fetchPackageInfo is included.
    • buildId- string you send
    • lifecycleStage- two values, production or pre_production
    • fetchVulenrabilityInfo- t/f
    • fetchPackageInfo-t/f
    Request parameters Possible values Description
    productModelId Sys id Sys id of product model to map with the root application of given SBOM.
    businessApplicationId Sys id Sys id of business application to map with the root application of given SBOM.
    businessApplicationName (deprecated) Your business application name Name of business application to map with the root application of given SBOM.
    sbomSource A product such as Veracode, for example The source for your SBOM file.
    requestedBy A tool, or name of a methodology, Jenkins. If you use "devops", buildId and lifecycleStage are mandatory. Upload requested by
    buildId A string requester sends. Build ID of the SBOM build.
    lifecycleStage production or pre_production Life cycle stage of the entity.
    fetchVulenrabilityInfo t/f If true, triggers vulnerability intelligence integration.
    fetchPackage Info t/f If true, triggers package intelligence integration.
    Upload API Response: included 'status' success/fail, 'message' (string), 'bomRecordId' (this is the sys id of the SBOM that is returned through the upload API for a successful SBOM upload).
    {

"result": {

"status": "success",

"message": "Queued for processing.",

"bomRecordId": "f207059b4393c290629aa597cbb8f247"

}

}

    Status API

    This API gets the status and summary of an SBOM that Is queued for ingestion.
    • API URL: /api/sbom/core/upload/status
    • HTTP method (GET)
    Request parameters Possible values Description
    bomRecordId Sys id SBOM record ID that is returned the through the upload API for a successful SBOM upload.

    Status API default response example.

    
{
   "result": {
      "bomRecordId": "0407c0fea3e70a505df340f5251e617e",
      "uploadStatus": "processed",
      "additionalInfoStatus": "not_requested",
      "uploadSummary": {
         "components": {
            "added": 0,
            "removed": 0,
            "total": 70
         }
       }
    } 
}

    Status API response with additional parameters example. If you requested fetchVulenrabilityInfo for that SBOM, you get the vulnerability breakdown as part of the response.

    
{
 "result": {

  "bomRecordId": "93af349b4393c290629aa597cbb8f258",

  "uploadStatus": "processed",

  "additionalInfoStatus": "complete",

  "uploadSummary": {

    "components": {
 
     "added": 0,

     "removed": 0,

     "total": 3

   },

   "vulnerabilityInfo": {

    "critical": 0,

    "high": 0,

    "medium": 0,

    "low": 0,

    "none": 0

   }

  },

  "buildId": "1"

 }

}

    If you requested fetchPackageInfo for that SBOM, you get stale and abandoned counts as part of the response.

    After an SBOM is successfully processed, where you view the uploaded records depends on the applications you’re using.

    • If you’re using SBOM Response, the BOM Entity record is displayed on the SBOM Ingestion Status list in the BOM Queue module in the SBOM Workspace.
    • If you’re using SBOM Core, navigate to SBOM Core > BOM Ingestion Status.

    Enhancements to supported SBOM standards and general usage information

    Version 4.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (versions 1.0 - 1.6).
    • JSON in SPDX (versions 2.2-2.3)
    • Note:
      Files over 32 MB might not load properly.
    Starting with v4.0 of SBOM Core, the following enhancements were made to support CycloneDx standards for versions 1.0 - 1.6:
    • Import additional information in CycloneDX SBOM files with the (sn_sbom_core.collect_properties) property. This property is deactivated by default. Activate the property to import information that is generally not supported. Any information imported from these properties is uploaded to the SBOM Component Property [sn_sbom_comp_property] table for the following:
      • Uploaded SBOM files
      • Metadata
      • Individual vulnerabilities
      • Components
    • View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX in two new license fields:
      • Declared
      • Concluded
    • SBOM parsing support is extended for the following CycloneDX component types:
      • Version 1.5: Platform, Data, Device driver, Machine Learning model
      • Version 1.6: Cryptographic
    Version 3.0 of SBOM Core supports:
    • XML and JSON in CycloneDx (up to and including version 1.4).
    • JSON in SPDX (up to and including v2.3).

    If the calling user is successfully authenticated and has the sn_sbom_core.sbom_ingest role in your ServiceNow instance, you can access the API from outside of your instance to upload the SBOM data.

    After data is uploaded, it is parsed. Before data is parsed, the following requirements are verified:

    • Incoming data is checked that it is valid JSON or XML.
    • The BOM format is supported. Starting with v2.1 of SBOM Core, CycloneDX (JSON and XML) and SPDX (XML) formats are supported.
    • The minimum fields are available so that data can be parsed.

    After these checks are verified, an entry is made into the Bill of Materials [sn_sbom_doc] table with incoming SBOM data as an attachment.

    The Process BOM file business rule is triggered automatically as a result of the record insertion and data parsing.
    Note:
    This business rule is activated during installation of SBOM Core by default.

    All the components listed in an SBOM have a defined type.

    • Components for which SBOM files were uploaded are considered BOM Entities.
    • Components listed as type=library are considered third-party components.