Generating SBOMs for a Source Repository using the API

Use the Anchore API to import a source repository artifact from a software bill of materials (SBOM) file on disk. You can also retrieve information about the imported source repository, list the vulnerabilities found in a single analyzed source repository, and fetch its policy evaluations.

For more information about using Anchore APIs via Swagger, see: Using the Anchore API.

The SBOM management API workflow is generally as follows.

Note: Reference the API endpoints in Swagger for the latest information.

  1. Once you have generated an SBOM using anchorectl, you can use the API to import that SBOM as a source artifact. First, create the import "operation" (job) for importing a source. For example:
curl -u admin:foobar -X 'POST' 'http://localhost:8228/v2/imports/sources'

{
    "created_at": "2023-10-27T16:26:33Z",
    "expires_at": "2023-10-28T16:26:33Z",
    "last_updated": "2023-10-27T16:26:33Z",
    "status": "pending",
    "uuid": "b78cda3b-eff7-4e2e-a1ed-e3f8433435cf"
}
  2. Add the SBOM to the import operation, using the `uuid` returned by the previous call as the path parameter. For example:
curl -u admin:foobar -X POST http://localhost:8228/v2/imports/sources/767c77fe-8f93-4e7e-a9ff-f0f39e2a80ba/sbom -d @/absolute/path/to/your/sbom.json -H "Content-Type: application/json"

{
    "created_at": "2022-02-28T20:36:32Z", 
    "digest": "6778145cdda7a3443abc9650683c6d5bf8a87e3e6b4b3c8868224e7755680446"
}
  3. Finalize the import, referencing the SBOM by the `digest` returned in the previous step. For example:
curl -u admin:foobar -X 'POST' 'http://localhost:8228/v2/imports/sources/767c77fe-8f93-4e7e-a9ff-f0f39e2a80ba/finalize' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "branch_name": "main",
  "change_author": "[email protected]",
  "ci_workflow_execution_time": "2022-02-28T20:38:13.117Z",
  "ci_workflow_name": "default",
  "contents": {
    "sbom": "6778145cdda7a3443abc9650683c6d5bf8a87e3e6b4b3c8868224e7755680446"
  },
  "host": "http://github.com",
  "repository_name": "anchore-engine",
  "revision": "8f7e4afb9bc9a284e24b69e529863a0b99373bf7"
}'

{
  "account_name": "admin",
  "analysis_status": "not_analyzed",
  "created_at": "2022-02-28T20:43:58Z",
  "host": "http://github.com",
  "last_updated": "2022-02-28T20:43:58Z",
  "metadata_records": [
    {
      "branch_name": "main",
      "change_author": "[email protected]",
      "ci_workflow_execution_time": "2022-02-28T20:38:13Z",
      "ci_workflow_name": "default",
      "uuid": "8b97a668-2044-4f24-a5af-6010e7957ac3"
    }
  ],
  "repository_name": "anchore-engine",
  "revision": "8f7e4afb9bc9a284e24b69e529863a0b99373bf7",
  "source_status": "active",
  "uuid": "a0eb87e2-61ef-4721-bb16-9682ad528bbe",
  "vcs_type": "git"
}
  4. List all sources that you've imported. For example:
curl -u admin:foobar -X 'GET' 'http://localhost:8228/v2/sources'

{
    "items" : [
      {
        "account_name": "admin",
        "analysis_status": "analyzed",
        "created_at": "2022-02-28T20:43:58Z",
        "host": "http://github.com",
        "last_updated": "2022-02-28T20:43:58Z",
        "repository_name": "anchore-engine",
        "revision": "8f7e4afb9bc9a284e24b69e529863a0b99373bf7",
        "source_status": "active",
        "uuid": "a0eb87e2-61ef-4721-bb16-9682ad528bbe"
      },
      …
    ]
}
  5. Get information about a single source that you've imported. For example:
curl -u admin:foobar -X 'GET' 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe'

{
  "account_name": "admin",
  "analysis_status": "analyzed",
  "created_at": "2022-02-28T20:43:58Z",
  "host": "http://github.com",
  "last_updated": "2022-02-28T20:43:58Z",
  "metadata_records": [
    {
      "branch_name": "main",
      "change_author": "[email protected]",
      "ci_workflow_execution_time": "2022-02-28T20:38:13Z",
      "ci_workflow_name": "default",
      "uuid": "8b97a668-2044-4f24-a5af-6010e7957ac3"
    }
  ],
  "repository_name": "anchore-engine",
  "revision": "8f7e4afb9bc9a284e24b69e529863a0b99373bf7",
  "source_status": "active",
  "uuid": "a0eb87e2-61ef-4721-bb16-9682ad528bbe",
  "vcs_type": "git"
}
  6. Fetch a gzip-compressed copy of the SBOM in a specific format (native, CycloneDX, or SPDX JSON). For example:
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/sbom/native-json'
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/sbom/cyclonedx-json'
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/sbom/spdx-json'
  7. Get the vulnerability types that can be fetched for a source. For example:
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/vuln'

[
  "os",
  "non-os",
  "all"
]
  8. Get the vulnerabilities for a source. For example:
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/vuln/all'

{
  "source_id": "a0eb87e2-61ef-4721-bb16-9682ad528bbe",
  "vulnerabilities": [
    {
        "feed": "vulnerabilities",
        "feed_group": "nvd",
        "fix": "None",
        "nvd_data": [
            {
            "cvss_v2": {
                "base_score": 5,
                "exploitability_score": 10,
                "impact_score": 2.9
            },
            "cvss_v3": {
                "base_score": 7.5,
                "exploitability_score": 3.9,
                "impact_score": 3.6
            },
            "id": "CVE-2019-13509"
            }
        ],
        "package": "docker-4.3.1",
        "package_cpe": "None",
        "package_cpe23": "cpe:2.3:a:docker:docker:4.3.1:*:*:*:*:*:*:*",
        "package_name": "docker",
        "package_path": "/Users/vijay/Documents/enterprise/requirements-test.txt",
        "package_type": "python",
        "package_version": "4.3.1",
        "severity": "High",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13509",
        "vendor_data": [],
        "vuln": "CVE-2019-13509",
        "will_not_fix": false
        },
    …
  ],
  "vulnerability_type": "all"
}
  9. Get the policy evaluation for a source. For example:
curl -X 'GET' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe/check'

[
  {
    "account_name": "admin",
    "created_at": "2022-02-28T21:11:37Z",
    "evaluation_id": "7a4611f2fa26d80bd680782eb379081f",
    "evaluation_url": "policy_evaluations/7a4611f2fa26d80bd680782eb379081f",
    "final_action": "fail",
    "final_action_reason": "policy_evaluation",
    "findings": [
        {
            "action": "warn",
            "allowlist_match": null,
            "allowlisted": false,
            "gate": "vulnerabilities",
            "message": "MEDIUM Vulnerability found in non-os package type (gem) - /syft/pkg/cataloger/ruby/test-fixtures/Gemfile.lock (fixed in: 4.1.11)(GHSA-vxvp-4xwc-jpp6 - https://github.com/advisories/GHSA-vxvp-4xwc-jpp6)",
            "policy_id": "f2dbc082-7d10-432a-9f62-02ea8f1e5dbf",
            "recommendation": "",
            "rule_id": "24c7ec4f-d795-4ee3-93e7-4d603560ddb3",
            "trigger": "package",
            "trigger_id": "GHSA-vxvp-4xwc-jpp6+Gemfile.lock"
        },
        ...
    ],
    "host": "http://github.com",
    "matched_mapping_rule": {
        "host": "*",
        "id": "9a899100-6e4c-4038-93ba-12f6d8ab97b3",
        "name": "default-source-mapping",
        "policy_id": "f2dbc082-7d10-432a-9f62-02ea8f1e5dbf",
        "repository": "*",
        "allowlist_ids": [
          "37fd763e-1765-11e8-add4-3b16c029ac5c"
        ]
    },
    "number_of_findings": 149,
    "last_updated": "2022-02-28T21:11:37Z",
    "policy_id": "2c53a13c-1765-11e8-82ef-23527761d060",
    "policy": {
        "allowlisted_images": [],
        "allowlists": [
            {
                "description": "Default global allowlist",
                "id": "37fd763e-1765-11e8-add4-3b16c029ac5c",
                "items": [],
                "name": "Global Allowlist",
                "version": "2"
            }
        ],
        "denylisted_images": [],
        "description": "Default bundle",
        "id": "2c53a13c-1765-11e8-82ef-23527761d060",
        ...
    },
    "repository_name": "anchore-engine",
    "revision": "8f7e4afb9bc9a284e24b69e529863a0b99373bf7",
    "source_id": "a0eb87e2-61ef-4721-bb16-9682ad528bbe",
    "source_mapped_to_rule": true,
    "status": "fail"
  }
]
  10. Delete any individual source repository SBOM artifact from Anchore Enterprise. For example:
curl -X 'DELETE' -u admin:foobar 'http://localhost:8228/v2/sources/a0eb87e2-61ef-4721-bb16-9682ad528bbe'
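To tie steps 1 to 3 together, the following added Python example (not from the Anchore documentation or code base) runs the create, upload and finalize calls in order and refuses to finalize unless the `digest` the server returns matches the local SHA-256 of the SBOM bytes. It assumes that digest is the SHA-256 hex digest of the uploaded content, and it includes a constructed stand-in server (`fake_server`) so the flow can be exercised offline.

```python
import hashlib
import json
import urllib.request
from base64 import b64encode

# Endpoint and credentials are the ones used on this page. Assumption: the
# "digest" returned by the sbom upload is the SHA-256 hex of the uploaded bytes.
BASE_URL = "http://localhost:8228/v2"
AUTH_HEADER = "Basic " + b64encode(b"admin:foobar").decode()


def urllib_send(method, url, headers, data):
    """Default transport: perform one HTTP request and return the body bytes."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def import_source(sbom_bytes, metadata, send=urllib_send):
    """Run the three-call import (create operation, upload SBOM, finalize).
    `send(method, url, headers, data) -> bytes` is injectable so the flow can
    run against a stand-in instead of a live server. Returns the source record."""
    headers = {"Authorization": AUTH_HEADER, "Content-Type": "application/json"}
    # Step 1: create the operation; its uuid is the path parameter for steps 2-3.
    op = json.loads(send("POST", f"{BASE_URL}/imports/sources", headers, None))
    op_id = op["uuid"]
    # Step 2: upload the SBOM, then confirm the server stored exactly what we sent.
    up = json.loads(send("POST", f"{BASE_URL}/imports/sources/{op_id}/sbom",
                         headers, sbom_bytes))
    local_digest = hashlib.sha256(sbom_bytes).hexdigest()
    if up["digest"] != local_digest:
        raise RuntimeError(f"digest mismatch: got {up['digest']}, expected {local_digest}")
    # Step 3: finalize, binding the verified digest to the commit metadata.
    body = json.dumps({**metadata, "contents": {"sbom": up["digest"]}}).encode()
    return json.loads(send("POST", f"{BASE_URL}/imports/sources/{op_id}/finalize",
                           headers, body))


def fake_server(method, url, headers, data, _state={}):
    """Constructed stand-in for the API (not Anchore code) that answers the
    three calls the way the page's sample responses do; used for offline runs."""
    if url.endswith("/imports/sources"):
        return b'{"uuid": "op-0001", "status": "pending"}'
    if url.endswith("/sbom"):
        _state["digest"] = hashlib.sha256(data).hexdigest()
        return json.dumps({"digest": _state["digest"]}).encode()
    if url.endswith("/finalize"):
        req = json.loads(data)
        status = "not_analyzed" if req["contents"]["sbom"] == _state["digest"] else "error"
        return json.dumps({"analysis_status": status, "revision": req["revision"]}).encode()
    raise ValueError(f"unexpected call: {method} {url}")
```

Call `import_source(open("sbom.json", "rb").read(), metadata)` with the default transport to run it against a live API; pass `send=fake_server` to run it offline.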
Last modified June 30, 2023