Currently JSON formatted SBOMs are available for all accounts and SPDX formatted SBOMs are restricted to Enterprise-tier account holders. For more information on account tiers check here
A Software Bill of Materials (SBOM) is a comprehensive list of the component parts required to build your project. This can include any open source libraries, plugins, extensions, and system packages. You can create an immutable SBOM for any project or any commit in a project.
An SBOM for your ActiveState project will record what is in your runtime, where it came from, and all the information you need to maintain a secure and safe development environment.
SBOMs at ActiveState follow the SPDX2.2 specification and are available in JSON and SPDX formats.
To generate a JSON format of your SBOM open a GraphQL query and replace the information in the angled brackets with your project’s information:
{
sbom(org:"<org name>"
, name:"<project name>",
commit_id:"<commit ID (optional)>")
{
__typename
...on SBOM {
author
timestamp
spdxUri
components{
name
version
supplier
checksum
license
relationship
}
}
}
}
Be sure to include the spdxUri variable in your query, as that will return the needed URL for your SPDX format (outlined below).
Clicking the triangular “play” button in the GraphQL UI will execute the command and return your SBOM in a JSON format.
To convert your SBOM from a JSON to SPDX format, you will need to generate a new JSON Web Token (JWT).
Using the State tool, run state export jwt to generate a new JWT. You can also generate a new JWT directly from the ActiveState API.
Using Powershell enter the following command, replacing the information in the angled brackets with the information from your project:
(Invoke-WebRequest -URI https://platform.activestate.com/sv/mediator/download/spdx/<orgname>/<projectname>/<commitID> -HEADERS @{"Authorization" = "Bearer <state export jwt>"}).CONTENT
Run the following curl command, replacing the information in the angled brackets with the information from your project:
curl https://dl.activestate.com/spdx/<orgname>/<projectname>/<commitID> -H "Authorization: Bearer $<state export jwt>"
This command will return an SPDX version of your SBOM that is machine-readable and will contain the following information at a project level:
And the following information at the package or component level:
NOASSERTION will be shown)SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: APEE-534-Microsoft-Rlc-NoPMC-Athnticode
DocumentNamespace: https://platform.activestate.com/download/spdx/ActiveStateBE/APEE-534-Microsoft-Rlc-NoPMC-Athnticode/e73ad540-0072-4d50-845a-03844c0a74fe
Creator: Organization: ActiveState
Created: 2022-06-02T22:31:01Z
PackageName: perl
SPDXID: SPDXRef-perl
PackageVersion: 5.34.0
PackageDownloadLocation: https://dl.activestate.com/source/ed4b2154-eaee-5fba-88bb-d1eca86b1206/versions/0fbbfdd6-68e5-5f06-86ce-b03395e79c54/revisions/5/perl-5.34.0.tar.gz
FilesAnalyzed: false
PackageChecksum: SHA256: 551efc818b968b05216024fb0b727ef2ad4c100f8cb6b43fab615fa78ae5be9a
PackageLicenseConcluded: GPL-1.0-or-later
PackageLicenseConcluded: Artistic-1.0-Perl
PackageLicenseDeclared: NOASSERTION
PackageLicenseInfoFromFiles: GPL-1.0-or-later
PackageLicenseInfoFromFiles: Artistic-1.0-Perl
PackageCopyrightText: NOASSERTION
You can use the information in your SBOM as part of an effective strategy to mitigate software vulnerabilities, assure your runtime is secure and up to date, and in compliance with provided specifications and/or governmental standards. For more information about SBOMs and why they are important to your project see our datasheet on Open Source Security With A Bill of Materials