Creating a Software Bill of Materials (SBOM)

Currently, JSON-formatted SBOMs are available to all users, while SPDX-formatted SBOMs are restricted to Enterprise-tier users. For more information on account tiers, check here.

A Software Bill of Materials (SBOM) is a comprehensive list of the component parts required to build your project. This can include any open source libraries, plugins, extensions, and system packages. Immutable SBOMs are available in SPDX in both JSON and TAG formats and can be created for any project or any commit in a project. All SPDX SBOMs follow the SPDX 2.2 specification.

You can use the information in your SBOM as part of an effective strategy to mitigate software vulnerabilities, to assure that your runtime is secure and up to date, and to demonstrate compliance with provided specifications and/or governmental standards. For more information about SBOMs and why they are important to your project, see our datasheet on Open Source Security With A Bill of Materials.

An SBOM for your ActiveState project will record what is in your runtime, where it came from, and all the information you need to maintain a secure and safe development environment.

SBOMs are machine-readable and will contain the following information at a project level:

  • SPDX Version number for the document
  • Data license
  • SPDXID for the project to refer to itself in relation to other elements
  • Project name (seen as “DocumentName”)
  • A download location for the project
  • The name of the organization that created the SBOM
  • Date and time of the SBOM data assembly

And the following information at the package or component level:

  • Package name
  • Specific SPDXID used to reference throughout the document. Scrolling to the end of the document will show package relationships using the SPDXID for reference
  • Package version
  • Package download location
  • SHA-256 checksum
  • Package license or copyright information (if the information is found but cannot be verified, NOASSERTION will be shown)
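The fields listed above map directly onto the SPDX 2.2 JSON schema, so a consumer can check an SBOM mechanically before trusting it. The script below is an added example (not ActiveState code) that loads a constructed, minimal SPDX 2.2 JSON document with made-up package names, versions and checksums, extracts the project-level fields, audits each package for a missing or malformed SHA-256 checksum and for NOASSERTION license or download location, and resolves the relationships at the end of the document by SPDXID so that a dangling reference is caught. The sample document and the field names it uses are assumptions based on the SPDX 2.2 JSON schema, not output copied from the platform.

```python
"""Parse and sanity-check an SPDX 2.2 JSON SBOM (added example; not ActiveState code)."""
import json
import re

# Constructed sample SBOM: names, versions, checksums and SPDXIDs are made up for
# this example and do not describe any real ActiveState project. The second
# package deliberately carries a malformed checksum and NOASSERTION values.
SAMPLE_SBOM = """
{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-project",
  "documentNamespace": "https://example.invalid/spdx/example-project",
  "creationInfo": {
    "creators": ["Organization: ExampleOrg"],
    "created": "2024-01-01T00:00:00Z"
  },
  "packages": [
    {
      "name": "example-lib",
      "SPDXID": "SPDXRef-Package-example-lib",
      "versionInfo": "1.2.3",
      "downloadLocation": "https://example.invalid/example-lib-1.2.3.tar.gz",
      "checksums": [{"algorithm": "SHA256", "checksumValue": "%s"}],
      "licenseConcluded": "MIT"
    },
    {
      "name": "vendored-helper",
      "SPDXID": "SPDXRef-Package-vendored-helper",
      "versionInfo": "0.9",
      "downloadLocation": "NOASSERTION",
      "checksums": [{"algorithm": "SHA256", "checksumValue": "%s"}],
      "licenseConcluded": "NOASSERTION"
    }
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-example-lib"},
    {"spdxElementId": "SPDXRef-Package-example-lib", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-vendored-helper"}
  ]
}
""" % ("a" * 64, "b" * 63 + "Z")  # second value is not valid hex on purpose

SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
REQUIRED_PKG_FIELDS = ("name", "SPDXID", "versionInfo", "downloadLocation")


def load_sbom(text):
    """Parse SPDX JSON text into a dict."""
    return json.loads(text)


def document_summary(doc):
    """Return the project-level fields; KeyError means a required field is absent."""
    return {
        "spdxVersion": doc["spdxVersion"],
        "dataLicense": doc["dataLicense"],
        "SPDXID": doc["SPDXID"],
        "name": doc["name"],
        "creators": doc["creationInfo"]["creators"],
        "created": doc["creationInfo"]["created"],
    }


def audit_packages(doc):
    """Return a list of findings per package; an empty list means nothing to flag."""
    findings = []
    seen_ids = set()
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<missing SPDXID>")
        for field in REQUIRED_PKG_FIELDS:
            if field not in pkg:
                findings.append(f"{pid}: missing field {field}")
        if pid in seen_ids:
            findings.append(f"{pid}: duplicate SPDXID")
        seen_ids.add(pid)
        sha256 = [c for c in pkg.get("checksums", []) if c.get("algorithm") == "SHA256"]
        if not sha256:
            findings.append(f"{pid}: no SHA256 checksum")
        for c in sha256:
            if not SHA256_HEX.match(c.get("checksumValue", "")):
                findings.append(f"{pid}: malformed SHA256 checksum")
        if pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{pid}: license NOASSERTION, needs manual review")
        if pkg.get("downloadLocation") in ("NOASSERTION", "NONE"):
            findings.append(f"{pid}: download location not asserted")
    return findings


def dependency_graph(doc):
    """Map each SPDXID to the SPDXIDs it DEPENDS_ON; reject references to unknown IDs."""
    known = {doc["SPDXID"]} | {p["SPDXID"] for p in doc.get("packages", [])}
    graph = {}
    for rel in doc.get("relationships", []):
        src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        if src not in known or dst not in known:
            raise ValueError(f"dangling relationship {src} -> {dst}")
        if rel["relationshipType"] == "DEPENDS_ON":
            graph.setdefault(src, []).append(dst)
    return graph


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print(json.dumps(document_summary(sbom), indent=2))
    for finding in audit_packages(sbom):
        print("FINDING:", finding)
    print("dependencies:", dependency_graph(sbom))
```

Run against a downloaded SPDX JSON SBOM by replacing SAMPLE_SBOM with the file contents; the three findings on the sample come from the deliberately broken second package, and the graph shows the DEPENDS_ON edge that the relationships section records by SPDXID.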

Generate an SBOM from platform.activestate.com

To download an SBOM, do the following:

  1. Navigate to the History tab of the project you want an SBOM from.
  2. Click the Create SBOM button to download your SBOM in SPDX JSON format.

If you do not see a link to generate an SBOM, your language version may be too old for us to generate an SBOM.

Generate an SBOM (SPDX) with the API/GraphQL

Before you can generate an SBOM on a private project you must authenticate using a JWT. Please follow the steps here to get started.

To generate an SBOM from the State Tool, do the following:

  1. Open a GraphQL query
  2. Use the query below and replace the information in the "quotes" with your project's information.
    1. The organization and project are case sensitive.
    2. If you choose not to include a commit ID, delete commit_id:"<commit ID (optional)>" from the query.
    3. If you don't want the spdx URL, remove its line and keep the json line.

Clicking the triangular "play" button in the GraphQL UI will execute the query and return your SBOM in an SPDX format.

The example below will return an SBOM in both SPDX JSON and TAG formats. To return only the JSON, delete spdx(version: "0.1"). To return only the TAG format, delete json(version: "0.1").

query {
  project(organization: "ActiveState-Projects", project: "ActiveState-Python-3.10.11") {
    ... on Project {
      commit(vcsRef: "8ac973e3-64eb-4f01-9fb2-dc0aa3dc6253") {
        ... on Commit {
          attestations {
            ... on CommitAttestations {
              spdx(version: "0.1")
              json(version: "0.1")
            }
          }
        }
      }
    }
    ... on NotFound {
      message
    }
    ... on Error {
      message
    }
  }
}

To finish, fetch the attestation URL returned by the query with curl, passing your JWT as a bearer token:

curl -i -X GET "<paste attestation url>" -H "Authorization: Bearer <paste jwt>"

Working Public Example

To view a public working example, please click here. To view the SBOM, click the "play" button and then open the link that is generated.