
Scan SBOM format

This document describes the Software Bill-of-Materials (SBOM) XML format emitted by the scan tool, for use in integrations.

SBOM specification

A Software Bill-of-Materials (SBOM) is automatically produced by scan as a prerequisite for dependency scanning (depscan). The file is an XML document compatible with the CycloneDX 1.1 specification, using the bom prefix. Some example bom files can be found here


The SBOM file will not be generated if scan is invoked with a specific type argument, e.g. --type java.
In such cases, manually pass either depscan or bom as an additional type, e.g. --type java,bom

CycloneDX Properties

Global declarations

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="" serialNumber="urn:uuid:a4b5715e-8489-4855-8a3c-bafe5ddf7daa" version="1">
  • xmlns: Set to
  • serialNumber: Random UUID to uniquely represent the BOM file
  • version: Set to 1 always


Scan stores certain metadata, such as the base path and the package file, in a global externalReferences tag. This should not be confused with the externalReferences that are specific to each component.

  <externalReferences>
    <reference type="other">
      <comment>Base path</comment>
    </reference>
    <reference type="other">
      <comment>Package file</comment>
    </reference>
  </externalReferences>


Following the global externalReferences, all identified project dependencies are expressed as component elements inside a components tag.

    <component type="library" bom-ref="pkg:golang/">
      <hashes>
        <hash alg="SHA-256">1d276994c8d9292981a80c60e6f3e3d939910e67e4cf0f9c4f300495696385c5</hash>
      </hashes>
    </component>
  • type: Mostly library. Other possible values are application, framework, library, operating-system, device, or file.
  • bom-ref: Unique string identifying this component reference
  • group: Group or domain name of the publisher. Special characters are allowed
  • name: Name of the component in its shortened form
  • version: Component version
  • description: Optional description of the package
  • hash: Hash of the package as provided by the registry. Note: hash values are currently not reliable, because many open-source dependencies are not built reproducibly
  • licenses: List of licenses specified for the component. One or more of the properties below will be available:
    • id: SPDX license id for accurate matches. This is unavailable when the license name or url cannot be matched accurately
    • name: License name
    • url: URL of the original license file.


In some cases, only the url property is available. This may well mean that the package is licensed under terms that are not compatible with the OSI recommended license clauses.
It can also happen with packages whose license file contains typos or unexpected paragraph breaks, so that the text cannot be matched.

  • purl: Package URL string as specified here

Component - External references

A component can have external references such as website, issue-tracker, or vcs:

      <externalReferences>
        <reference type="website">
        </reference>
        <reference type="issue-tracker">
        </reference>
        <reference type="vcs">
        </reference>
      </externalReferences>
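As an added example (not code from the scan project), a small Python reader for the bom.xml layout described above: it collects the global externalReferences, each component's purl, hashes and licenses, and flags components whose licenses carry only a url, the case noted earlier. The CycloneDX 1.1 namespace URI and the sample document are assumptions made here, since the documentation fragments have the xmlns value stripped.

```python
import xml.etree.ElementTree as ET

# CycloneDX 1.1 schema namespace (assumed here; the fragment above has it stripped).
NS = {"bom": "http://cyclonedx.org/schema/bom/1.1"}

# Constructed sample bom.xml in the layout described above (not scan output).
# The second component carries a url-only license, the case the text warns about.
SAMPLE_BOM = """<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:a4b5715e-8489-4855-8a3c-bafe5ddf7daa" version="1">
  <externalReferences>
    <reference type="other"><url>/src/app</url><comment>Base path</comment></reference>
    <reference type="other"><url>/src/app/go.mod</url><comment>Package file</comment></reference>
  </externalReferences>
  <components>
    <component type="library" bom-ref="pkg:golang/example.com/lib@1.2.3">
      <group>example.com</group><name>lib</name><version>1.2.3</version>
      <hashes><hash alg="SHA-256">1d276994c8d9292981a80c60e6f3e3d939910e67e4cf0f9c4f300495696385c5</hash></hashes>
      <licenses><license><id>MIT</id></license></licenses>
      <purl>pkg:golang/example.com/lib@1.2.3</purl>
    </component>
    <component type="library" bom-ref="pkg:npm/custom-lib@0.1.0">
      <name>custom-lib</name><version>0.1.0</version>
      <licenses><license><url>https://example.invalid/LICENSE.txt</url></license></licenses>
      <purl>pkg:npm/custom-lib@0.1.0</purl>
    </component>
  </components>
</bom>"""


def parse_bom(data):
    """Return (global metadata dict, list of component dicts) from a bom.xml."""
    # For SBOMs from untrusted sources, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(data if isinstance(data, bytes) else data.encode("utf-8"))
    # Global externalReferences are keyed by their comment ("Base path", "Package file").
    meta = {r.findtext("bom:comment", namespaces=NS): r.findtext("bom:url", namespaces=NS)
            for r in root.findall("bom:externalReferences/bom:reference", NS)}
    components = []
    for c in root.findall("bom:components/bom:component", NS):
        text = lambda tag: c.findtext(f"bom:{tag}", namespaces=NS)  # None when absent
        components.append({
            "bom_ref": c.get("bom-ref"), "type": c.get("type"),
            "group": text("group"), "name": text("name"),
            "version": text("version"), "purl": text("purl"),
            "hashes": {h.get("alg"): h.text for h in c.findall("bom:hashes/bom:hash", NS)},
            "licenses": [{k: l.findtext(f"bom:{k}", namespaces=NS) for k in ("id", "name", "url")}
                         for l in c.findall("bom:licenses/bom:license", NS)],
        })
    return meta, components


def url_only_licenses(components):
    """purls of components whose licenses all lack an SPDX id and a name (url only)."""
    return [c["purl"] for c in components
            if c["licenses"] and all(l["id"] is None and l["name"] is None for l in c["licenses"])]
```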

Last update: May 29, 2020