Introducing snyk-export-sbom to export SPDX and CycloneDX SBOM from Snyk
I've written about Software Bill of Materials (SBOMs) a fair bit recently, and how they can be used to get more insight into your project's dependencies.
As part of starting to use Snyk at work, I've been looking at how to integrate Snyk's data alongside dependency-management-data, using the SBOM import functionality in dependency-management-data.
Snyk has had support for exporting a project's SBOM, which does most of the work. However, one thing that snyk-export-sbom does on top of the existing offering is that it gives us the ability to add licensing information to the generated SBOMs.
Licensing data is currently available on the legacy API, so we can take that data and interweave it with the SBOM that Snyk produces. I've raised a feature request to get licensing data added to the new APIs, or even automagically inserted into the SBOMs Snyk produces, but until then, we've at least got this functionality in my tool.
You can find the project on GitLab.com; it can be installed with:
go install gitlab.com/tanna.dev/snyk-sbom-export@latest
Then you can run it like so:
env SNYK_API_TOKEN=... snyk-sbom-export -orgID ... -format cyclonedx1.4+json
This will then iterate through each of the projects in your organisation, generating an SBOM and adding any licensing information it knows about your dependencies.
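As an added illustration of that licence-interweaving step (this is example code, not snyk-sbom-export's own), here is a Go sketch that takes a CycloneDX 1.4 JSON SBOM plus a purl-to-licence lookup and decorates the matching components. The sample SBOM and the lookup table are constructed; the lookup stands in for what the tool fetches from Snyk's legacy API.

```go
package main

import "encoding/json"

// Constructed sample: a CycloneDX 1.4 JSON SBOM as exported without licence data.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"type":"library","name":"lodash","version":"4.17.21","purl":"pkg:npm/lodash@4.17.21"},
 {"type":"library","name":"left-pad","version":"1.3.0","purl":"pkg:npm/left-pad@1.3.0"}]}`

// Constructed stand-in for the licence lookup, keyed by purl and holding SPDX ids
// (the real tool would fill this from Snyk's legacy API).
var knownLicenses = map[string][]string{"pkg:npm/lodash@4.17.21": {"MIT"}}

// addLicenses adds a CycloneDX "licenses" entry to every component whose purl has
// known SPDX ids. The SBOM is handled as generic JSON so fields this code does not
// model survive the round trip. Components with no known licence are left alone, so
// the gap stays visible rather than being papered over. Returns the updated SBOM and
// the number of components that received licence data.
func addLicenses(bomJSON []byte, licenses map[string][]string) ([]byte, int, error) {
	var bom map[string]any
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, 0, err
	}
	components, _ := bom["components"].([]any)
	matched := 0
	for _, raw := range components {
		c, ok := raw.(map[string]any)
		if !ok {
			continue
		}
		purl, _ := c["purl"].(string)
		ids, ok := licenses[purl]
		if !ok || len(ids) == 0 {
			continue
		}
		matched++
		// CycloneDX 1.4 shape: "licenses": [{"license": {"id": "MIT"}}, ...]
		var choices []any
		for _, id := range ids {
			choices = append(choices, map[string]any{"license": map[string]any{"id": id}})
		}
		c["licenses"] = choices
	}
	out, err := json.MarshalIndent(bom, "", "  ")
	return out, matched, err
}
```

Any component whose purl is missing from the lookup comes out exactly as it went in, which is the behaviour you want so that unlicensed dependencies stay visible in the resulting SBOM.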
Something I didn't realise until after I'd built it is that SBOM export is only available for Open Source projects, which is a bit disappointing. I'm considering writing export functionality myself using the legacy APIs to make it possible to get SBOMs from the data that Snyk collects on your projects.
Update: this appears to affect Docker-based SBOM exports, not other ecosystems, at least for the few I've tried.