To export an SBOM you must first perform a successful endorctl scan. If you have not yet scanned a project successfully, see the quick start for more information. Endor Labs supports export in the CycloneDX and SPDX SBOM formats, and can also export a VEX document.

Export an SBOM through the Endor Labs user interface

When you export an SBOM at the project level, it includes all the packages in the project and all the package versions. This allows you to combine the SBOMs of multiple packages and versions into a single SBOM. A consolidated SBOM for the project enables quick identification and assessment of vulnerabilities across all software components.

Export an SBOM as CycloneDX

You can export the project's SBOM in the CycloneDX format.
  1. Select Projects from the left sidebar.
  2. Select the project for which to create an SBOM.
  3. Click Export SBOM in the top right-hand corner.
  4. Select CycloneDX.
  5. Choose whether to export as an application or a library. If you choose to export as an application, enter an application name.
  6. Select the output format and type of SBOM you would like to generate in FILE FORMAT.
  7. Click Add More to select the packages and package versions you want to include in the SBOM. If you do not select specific packages, the SBOM will include information for all packages and package versions. You can filter by ecosystem to select the type of packages to include in the SBOM. You can also search for and select multiple package versions of the same package.
  8. Click Export SBOM. A file containing the SBOM will download from your browser.

Export an SBOM as SPDX

You can export the project's SBOM in the SPDX format.
  1. Select Projects from the left sidebar.
  2. Select the project for which to create an SBOM.
  3. Click Export SBOM in the top right-hand corner.
  4. Select SPDX.
  5. Enter the name of your application in Application Name.
  6. Select the output format and type of SBOM you would like to generate in File Format.
  7. Click Add More to select the packages and package versions you want to include in the SBOM. If you do not select specific packages, the SBOM will include information for all packages and package versions. You can filter by ecosystem to select the type of packages to include in the SBOM. You can also search for and select multiple package versions of the same package.
  8. Click Export SBOM. A file containing the SBOM will download from your browser.

Export SBOM through endorctl

You can export an SBOM in CycloneDX or SPDX format using endorctl, for a single package version or across multiple package versions. The options below apply to the endorctl sbom export command.

To export an SBOM for a single package version, you need that package version's name or its UUID; pass it to endorctl sbom export with the --package-version-name or --uuid flag. To export an SBOM that spans multiple package versions, you need the package version UUIDs or the project name. The package version name is retrieved through the API. The easiest way to do this is to set the package name and the scanned version you want to export as environment variables:
export PACKAGE_NAME=<insert_package_name>
export VERSION=<insert_package_version>
Then query the API for the package version name and set this as an environment variable:
export PACKAGE_VERSION_NAME=$(endorctl api list -r PackageVersion --filter "meta.name matches $PACKAGE_NAME AND meta.name matches $VERSION" --field-mask=meta.name | jq -r ".list.objects[].meta.name")
endorctl generates SBOMs in the CycloneDX format by default. Export an SBOM in the CycloneDX format through endorctl using the package version name. Use > rather than >> for the redirect: appending to an existing file leaves you with two documents concatenated into one invalid JSON file.
endorctl sbom export --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.json

Export an SBOM in the SPDX format through endorctl using the package version name.
endorctl sbom export --format spdx --package-version-name=$PACKAGE_VERSION_NAME > spdx.json

To export the CycloneDX SBOM as a library rather than an application, use --component-type=library.
endorctl sbom export --component-type=library --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.json

To export the CycloneDX SBOM as XML rather than JSON, use --output-format=xml.
endorctl sbom export --output-format=xml --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.xml

To export a VEX document, add the --with-vex flag to the export command.
endorctl sbom export --with-vex --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx-with-vex.json

To export the SPDX SBOM in the tag-value format instead of JSON, use --output-format=tag-value.
endorctl sbom export --format spdx --output-format=tag-value --package-version-name=$PACKAGE_VERSION_NAME > sbom-spdx.spdx

Endor Labs Export Formats

Endor Labs provides the following fields, which map to the NTIA minimum elements of an SBOM.

CycloneDX Format

Endor Labs supports export in the CycloneDX format. The following table lists the mandatory and some optional fields in the SBOM file that Endor Labs exports.

Patch data in SBOM

CycloneDX SBOMs generated by Endor Labs include patch data for components that use an Endor patch. This allows consumers of the SBOM to see exactly which upstream version was patched, what changes were applied, and which vulnerabilities those patches resolve. The patch data is carried in the component's pedigree field: ancestors records the upstream component version that was patched, and patches carries the diff (base64-encoded text) together with the vulnerabilities it resolves. The following example shows a patched component in a CycloneDX SBOM.
{
  "bom-ref": "mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3-endor-2024-07-10",
  "type": "library",
  "name": "com.fasterxml.jackson.core:jackson-databind",
  "version": "2.9.10.3-endor-2024-07-10",
  "licenses": [],
  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3-endor-2024-07-10",
  "pedigree": {
    "ancestors": [
      {
        "bom-ref": "mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3",
        "type": "library",
        "name": "com.fasterxml.jackson.core:jackson-databind",
        "version": "2.9.10.3",
        "licenses": [],
        "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3",
        "externalReferences": [
          {
            "url": "https://github.com/fasterxml/jackson-databind.git",
            "type": "vcs"
          }
        ]
      }
    ],
    "patches": [
      {
        "diff": {
          "text": {
            "content": "<base64-encoded patch content>",
            "contentType": "text/plain",
            "encoding": "base64"
          }
        },
        "resolves": [
          {
            "id": "",
            "name": "GHSA-q93h-jc49-78gg",
            "description": "",
            "type": "security"
          },
          {
            "id": "",
            "name": "GHSA-p43x-xfjf-5jhr",
            "description": "",
            "type": "security"
          }
        ]
      }
    ]
  }
}
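The following script is an added example, not code from Endor Labs' documentation or tooling. It consumes a CycloneDX JSON SBOM exported as described above (via endorctl sbom export or the UI download) and performs the two checks a practitioner usually wants before handing the file to a customer or a vulnerability-management pipeline: it reports which NTIA minimum elements are missing (the mapping from NTIA elements to CycloneDX fields is the example's own assumption, since the field table is not reproduced on this page), and it lists every component carrying pedigree patch data, decoding the base64 diff and collecting the advisories the patch resolves. The embedded sample SBOM is constructed from the patched-component example above and is not real endorctl output; the file name sbom_check.py is arbitrary.

```python
"""Consume a CycloneDX JSON SBOM exported by endorctl: report NTIA minimum-element
gaps and list the components that carry Endor patch pedigree data."""
import base64
import json
import sys

# Constructed sample (not real endorctl output): one component shaped like the
# patched jackson-databind example on this page, plus an unpatched component that
# deliberately lacks a supplier so the NTIA check has something to report.
_PATCH = b"--- a/Foo.java\n+++ b/Foo.java\n@@ -1 +1 @@\n-old\n+new\n"
_PATCHED_REF = "mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3-endor-2024-07-10"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {
        "timestamp": "2024-07-10T12:00:00Z",
        "tools": [{"vendor": "Endor Labs", "name": "endorctl"}],
        "component": {"bom-ref": "app:my-app@1.0.0", "type": "application",
                      "name": "my-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": _PATCHED_REF, "type": "library",
         "name": "com.fasterxml.jackson.core:jackson-databind",
         "version": "2.9.10.3-endor-2024-07-10", "supplier": {"name": "FasterXML"},
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3-endor-2024-07-10",
         "pedigree": {
             "ancestors": [{"bom-ref": "mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3",
                            "type": "library", "name": "com.fasterxml.jackson.core:jackson-databind",
                            "version": "2.9.10.3",
                            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3"}],
             "patches": [{
                 "diff": {"text": {"content": base64.b64encode(_PATCH).decode("ascii"),
                                   "contentType": "text/plain", "encoding": "base64"}},
                 "resolves": [{"id": "", "name": "GHSA-q93h-jc49-78gg", "type": "security"},
                              {"id": "", "name": "GHSA-p43x-xfjf-5jhr", "type": "security"}]}]}},
        {"bom-ref": "mvn://org.example:unpatched@1.2.3", "type": "library",
         "name": "org.example:unpatched", "version": "1.2.3",
         "purl": "pkg:maven/org.example/unpatched@1.2.3"}],
    "dependencies": [{"ref": "app:my-app@1.0.0",
                      "dependsOn": [_PATCHED_REF, "mvn://org.example:unpatched@1.2.3"]}],
})

# How the NTIA minimum elements (July 2021) land in CycloneDX 1.4 JSON. This mapping
# is the example's assumption; the page's own field table is not reproduced here.
_PER_COMPONENT = {"supplier name": "supplier", "component name": "name",
                  "version": "version", "unique identifier": "purl"}


def load_sbom(text=SAMPLE_SBOM):
    """Parse SBOM JSON text (default: the constructed sample above)."""
    return json.loads(text)


def ntia_gaps(sbom):
    """Return {"document": [missing elements], "components": {bom-ref: [missing]}}."""
    meta = sbom.get("metadata") or {}
    doc = []
    if not meta.get("timestamp"):
        doc.append("timestamp")
    if not (meta.get("tools") or meta.get("authors")):
        doc.append("author of SBOM data")
    if not sbom.get("dependencies"):
        doc.append("dependency relationship")
    comps = {}
    for c in sbom.get("components") or []:
        missing = [elem for elem, key in _PER_COMPONENT.items() if not c.get(key)]
        if missing:
            comps[c.get("bom-ref") or c.get("name")] = missing
    return {"document": doc, "components": comps}


def patched_components(sbom):
    """One record per component whose pedigree carries patches: which upstream
    version was patched, which advisories the patch resolves, and the decoded diff."""
    out = []
    for c in sbom.get("components") or []:
        pedigree = c.get("pedigree") or {}
        if not pedigree.get("patches"):
            continue
        resolves, diffs = [], []
        for p in pedigree["patches"]:
            # CycloneDX keys a resolved issue on "id"; the endorctl sample puts the
            # GHSA in "name" and leaves "id" empty, so accept either.
            resolves += [r.get("id") or r.get("name") for r in p.get("resolves") or []]
            text = (p.get("diff") or {}).get("text") or {}
            content = text.get("content", "")
            if text.get("encoding") == "base64":
                content = base64.b64decode(content).decode("utf-8", errors="replace")
            diffs.append(content)
        out.append({"purl": c.get("purl"), "version": c.get("version"),
                    "upstream": [a.get("version") for a in pedigree.get("ancestors") or []],
                    "resolves": resolves, "diffs": diffs})
    return out


if __name__ == "__main__":
    # Usage: python sbom_check.py cyclonedx.json   (no argument: use the sample)
    sbom = load_sbom(open(sys.argv[1]).read()) if len(sys.argv) > 1 else load_sbom()
    print("NTIA gaps:", json.dumps(ntia_gaps(sbom), indent=2))
    for rec in patched_components(sbom):
        print(f"{rec['purl']} patches upstream {rec['upstream']} and resolves {rec['resolves']}")
        print("".join(rec["diffs"]).rstrip())
```

Running it against a real export is a quick way to confirm that the selected package versions actually carry supplier and purl data before the SBOM leaves your hands, and that every Endor-patched component names the advisories the patch closes, which is what a downstream VEX or vulnerability scanner will key on.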

VEX Format

The following table lists the mandatory and some optional fields in the VEX file that Endor Labs exports.

SPDX Format

The following table lists the mandatory and some optional fields in the SPDX file that Endor Labs exports.