/apr 25, 2022

How to Generate an SBOM in Veracode SCA

By Saoirse Hinksmon

Emerging government regulations have driven the advancement of standards for securing software supply chains. The production of a Software Bill of Materials (SBOM) in a standard format is an increasing audit and compliance need for large organizations.

Having an SBOM can help 

  • Identify and avoid security risks
  • Understand and manage licensing risks

Veracode Software Composition Analysis (SCA) helps teams qualify and manage risks from software running in their environments, better plan and control their security program, and understand where risks may be as new security threats or new versions of software become available.

Generating an SBOM in Veracode SCA

Veracode SCA SBOM API will help your organization identify vulnerabilities and license risks and help you better understand what software is contained within your application.


The SBOM API response provides you with an inventory of the components within your application, including insight into the relationships that the various components have with each other and identifying which components are coming from third-party sources that make up the software supply chain. The SBOM API will return a response with your SBOM in CycloneDX JSON format, which is one of the approved formats for compliance with the U.S. Executive Order.


To generate the SBOM report for your application, you need to pass the application UUID to the API.

  1. Get application UUID by calling the application API: https://docs.veracode.com/r/r_applications_info 
    • Example of get application UUID by application name: 
      1VERACODE_API_PROFILE=prod-hhtest http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={appName}"
  2. Call SBOM API with the application
    • UUID 1VERACODE_API_PROFILE=prod-hhtest http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{appUUID}/cyclonedx?type=application"

Security teams and developers alike can leverage SBOMs to confirm that the software they're using, purchasing, or building is free from known vulnerabilities and components with unacceptable licenses. One thing to keep in mind – an SBOM is an export that lists components an application is made up of. Think of this as more of a ‘point in time’ exported list of components (that you cannot generate without an SCA type tool in place). SBOM does not necessarily inform you directly if vulnerabilities exist in the components.  You'll typically need to use a tool like Veracode SCA or take the time to check each component manually.  

Veracode SCA not only identifies these components, but is able to determine direct and indirect dependencies, offer remediation guidance, and actively manage license risk. To try out Veracode SCA first-hand, schedule a demo with our team.

Related Posts

By Saoirse Hinksmon