Export SBOMs and VEX

Learn more about software transparency and the role of SBOMs in your organization.

To export an SBOM you must first perform a successful endorctl scan of the project. If you haven't scanned a project yet, see the quick start for more information.

Export an SBOM through the Endor Labs user interface

To export an SBOM for a package version in the Endor Labs user interface:

  1. Navigate to My Packages and search for the package name in the Search filter.
  2. Select the version for which you want to create an SBOM.
  3. Click Export SBOM in the top right-hand corner.
  4. Select the container format.
  5. Select the output format and type of SBOM you would like to generate and click Export SBOM. A file containing the SBOM will download from your browser.
  6. Click Export VEX to generate a Vulnerability Exploitability eXchange (VEX) document for the package version.

Export an SBOM through the API using endorctl

To export an SBOM with endorctl you need either the name of the package version you want an SBOM for or its UUID.

Pass the package version name or UUID to the command endorctl sbom export using the --package-version-name or --uuid flag.

If you do not already know the package version name, look it up through the API first. Start by setting the package name and the scanned version you want to export as environment variables:

export PACKAGE_NAME=<insert_package_name>
export VERSION=<insert_package_version>

Then query the API for the matching package version name and store it in an environment variable (this step uses jq to extract the name from the JSON response):

export PACKAGE_VERSION_NAME=$(endorctl api list -r PackageVersion --filter "meta.name matches $PACKAGE_NAME AND meta.name matches $VERSION" --field-mask=meta.name | jq -r ".list.objects[].meta.name")

Use this name to export an SBOM using endorctl. Write the output with > rather than >>: appending to an existing file leaves more than one JSON document in it, which SBOM consumers reject as invalid JSON.

endorctl sbom export --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.json

To export the SBOM as a library rather than an application use the flag --component-type=library:

endorctl sbom export --component-type=library --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.json

To export the SBOM in XML format rather than JSON, use the --output-format flag with the value xml:

endorctl sbom export --output-format=xml --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx.xml

To include a VEX document in the export, add the --with-vex flag to the same command (the package version must still be specified):

endorctl sbom export --with-vex --package-version-name=$PACKAGE_VERSION_NAME > cyclonedx-with-vex.json
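Once the files are on disk, a practitioner will want to check them before handing them to a downstream tool. The script below is an added example, not Endor Labs code or real endorctl output. It assumes the export is CycloneDX JSON and that the VEX statements use the CycloneDX vulnerabilities array (analysis.state, and affects[].ref values that point at bom-ref entries in the SBOM), which is how a CycloneDX VEX document is structured; the sample SBOM and VEX embedded in it are constructed and use placeholder component and vulnerability identifiers. It parses the export (and reports the multi-document file that >> produces), validates the CycloneDX fields a consumer relies on, and reconciles the VEX against the SBOM: counts analysis states, lists vulnerabilities still needing action, and flags references that point at nothing in the SBOM. If the VEX arrives embedded in the SBOM rather than as a separate document, pass the same parsed object as both arguments to reconcile_vex.

```python
"""Post-export checks for a CycloneDX SBOM and its VEX companion.

Added example, not Endor Labs code. Assumes CycloneDX JSON for the SBOM and
the CycloneDX `vulnerabilities` array for VEX. Sample documents below are
constructed for illustration and are not real endorctl output.
"""
import json
import re
from collections import Counter

# Constructed sample SBOM standing in for cyclonedx.json (placeholder names).
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app",
               "version": "2.3.0", "bom-ref": "pkg:npm/example-app@2.3.0"}},
  "components": [
    {"type": "library", "name": "example-lib-a", "version": "1.4.0",
     "purl": "pkg:npm/example-lib-a@1.4.0", "bom-ref": "pkg:npm/example-lib-a@1.4.0"},
    {"type": "library", "name": "example-lib-b", "version": "0.9.1",
     "purl": "pkg:npm/example-lib-b@0.9.1", "bom-ref": "pkg:npm/example-lib-b@0.9.1"},
    {"type": "library", "name": "example-lib-c", "version": "0.1.0"}
  ]
}"""

# Constructed sample VEX with placeholder vulnerability ids (not real CVEs).
SAMPLE_VEX = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0001", "affects": [{"ref": "pkg:npm/example-lib-a@1.4.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-2024-0002", "affects": [{"ref": "pkg:npm/example-lib-b@0.9.1"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-2024-0003", "affects": [{"ref": "pkg:npm/example-lib-zzz@9.9.9"}],
     "analysis": {"state": "in_triage"}}
  ]
}"""

SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def load_bom(text: str) -> dict:
    """Parse exactly one JSON document; a file built with `>>` holds several."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        if exc.msg.startswith("Extra data"):
            raise ValueError("file contains more than one JSON document; "
                             "redirect the export with `>` instead of `>>`") from exc
        raise


def validate_sbom(sbom: dict) -> list[str]:
    """Return a list of problems; an empty list means the SBOM passed these checks."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    # Local policy: only accept the spec versions our downstream tooling supports.
    if sbom.get("specVersion") not in {"1.4", "1.5", "1.6"}:
        problems.append(f"unexpected specVersion {sbom.get('specVersion')!r}")
    if not SERIAL_RE.match(sbom.get("serialNumber", "")):
        problems.append("serialNumber missing or not a urn:uuid")
    root = sbom.get("metadata", {}).get("component", {})
    if root.get("type") not in {"application", "library"}:
        problems.append("metadata.component.type must be application or library")
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        # Without a purl and bom-ref, vulnerability data cannot be matched to the component.
        for key in ("name", "version", "purl", "bom-ref"):
            if not comp.get(key):
                problems.append(f"component {label} lacks {key}")
    return problems


def bom_refs(sbom: dict) -> set[str]:
    """All bom-ref identifiers a VEX statement may legitimately point at."""
    refs = {c["bom-ref"] for c in sbom.get("components", []) if c.get("bom-ref")}
    root_ref = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root_ref:
        refs.add(root_ref)
    return refs


def reconcile_vex(sbom: dict, vex: dict) -> dict:
    """Cross-check VEX statements against the SBOM they describe.

    Returns per-state counts, vulnerability ids still needing action
    (exploitable or not yet triaged), and refs that match nothing in the SBOM.
    """
    refs = bom_refs(sbom)
    states, actionable, dangling = Counter(), [], []
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")  # no analysis == untriaged
        states[state] += 1
        if state in {"exploitable", "in_triage"}:
            actionable.append(vuln["id"])
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                dangling.append((vuln["id"], target.get("ref")))
    return {"states": dict(states), "actionable": actionable, "dangling": dangling}


if __name__ == "__main__":
    sbom, vex = load_bom(SAMPLE_SBOM), load_bom(SAMPLE_VEX)
    for problem in validate_sbom(sbom):
        print("SBOM:", problem)
    report = reconcile_vex(sbom, vex)
    print("VEX states:", report["states"])
    print("needs action:", report["actionable"])
    print("dangling refs:", report["dangling"])
```

On the constructed input this reports that example-lib-c lacks a purl and a bom-ref, that two of the three statements still need action, and that EXAMPLE-2024-0003 refers to a component not present in the SBOM; that last condition usually means the VEX and SBOM were exported from different package versions.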