
Overview

ZeroPath’s SBOM service generates export-ready CycloneDX, SPDX, and VEX documents directly from the SCA inventory your scans already produced. Because SBOMs reuse the same normalized dependency graph that powers alerting, every artifact matches what developers see in the UI — no third-party scanners, no drift.
1. Request
Accepts a request tied to either a completed SCA scan or a specific code scan snapshot.
2. Process
The job is queued and deduplicated, so the same request is not generated twice.
3. Build
The SBOM is built from the chosen data source: the SCA inventory when the request references a completed SCA scan, otherwise the code scan snapshot. Only inventory-backed builds carry VEX data.
4. Upload
The JSON artifact is uploaded to managed object storage and a pre-signed download URL is returned.
5. Track
Status, attempt count, and expiration are tracked per job so you can poll or receive webhook updates.

Request Flow

1. Submit
Choose the scan, the format (CycloneDX or SPDX), and whether to include VEX data. Jobs can be created through the UI or API.
2. Process
ZeroPath processes the job, hydrates the dependency inventory, and generates the artifact. Automatic retries cover interruptions; the attempt count is recorded on the job.
3. Store
Finished SBOMs are uploaded to ZeroPath's artifact bucket under a time-limited retention policy (24 hours by default, configurable per tenant).
4. Retrieve
The API returns a pre-signed URL that expires with the artifact; optional webhooks fire when the job transitions to Succeeded or Failed.

Formats & VEX Support

CycloneDX is best for tooling that expects component graphs, dependency relationships, and VEX attachments. When VEX is requested, the export includes a vulnerability status for each finding (affected, not_affected, fixed) plus severity and remediation guidance. SPDX covers the same components and relationships in the format procurement and legal stakeholders usually ask for. VEX is only available for SBOMs built from a completed SCA scan, because the inventory is what carries the vulnerability context.

Data Sources

  • Uses the canonical inventory built by the ZeroPath SCA service, so it includes direct/transitive classification, license data, application ownership, and previously validated vulnerability context.
  • SBOMs generated from inventory are deterministic — package IDs, ordering, and dependency edges match the UI and alerting systems exactly.
  • VEX data is available because the inventory knows which packages are affected, fixed, or not applicable.

Artifact Contents

Every JSON export includes:
  • Repository metadata (name, branch, commit SHA, scan timestamp).
  • One entry per manifest path (package-lock.json, requirements.txt, go.mod, pom.xml, Podfile, etc.).
  • Normalized ecosystems and Package URLs (PURL) for each dependency.
  • Direct vs transitive annotations plus a summary of the dependency path so teams know how a package entered the build.
  • License information per package, sourced from manifest fields and/or deps.dev.
  • Dependency relationships (CycloneDX dependencies, SPDX relationships).
  • Optional VEX blocks showing current status, ZeroPath vulnerability IDs, severity, and remediation hints.
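Before feeding an export into downstream tooling it is worth checking that the artifact is internally consistent: every ref in the dependency graph resolves to a declared component, the direct/transitive annotations agree with the graph, and the VEX block maps to the three statuses listed above. The Python below is an added example, not code from this page or from ZeroPath. The BOM is constructed inline; the package versions and the EXAMPLE-* vulnerability IDs are placeholders, not real ZeroPath identifiers. CycloneDX stores VEX state as vulnerabilities[].analysis.state (exploitable, in_triage, resolved, not_affected, and so on), so the script collapses those values to the affected / not_affected / fixed wording; how ZeroPath itself performs that mapping is an assumption here.

```python
"""Consume a CycloneDX JSON export: check the dependency graph is closed, derive
direct/transitive classification and the path by which each package entered the
build, and reduce the embedded VEX block to affected / not_affected / fixed."""
import json
from collections import deque

# Constructed sample shaped like a CycloneDX 1.5 JSON BOM with an embedded VEX
# block. Versions and EXAMPLE-* IDs are placeholders, not real identifiers.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "payments-api", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "express", "version": "4.19.2", "bom-ref": "pkg:npm/express@4.19.2",
         "purl": "pkg:npm/express@4.19.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "body-parser", "version": "1.20.2",
         "bom-ref": "pkg:npm/body-parser@1.20.2", "purl": "pkg:npm/body-parser@1.20.2"},
        {"type": "library", "name": "qs", "version": "6.11.0", "bom-ref": "pkg:npm/qs@6.11.0",
         "purl": "pkg:npm/qs@6.11.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/body-parser@1.20.2", "pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/body-parser@1.20.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/qs@6.11.0"}], "ratings": [{"severity": "high"}],
         "analysis": {"state": "exploitable", "detail": "upgrade qs to a patched release"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/express@4.19.2"}], "ratings": [{"severity": "medium"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ],
})

# CycloneDX analysis.state values collapsed to the coarse status wording.
# Assumption: ZeroPath's own mapping is not documented on this page.
VEX_STATUS = {"exploitable": "affected", "in_triage": "affected",
              "not_affected": "not_affected", "false_positive": "not_affected",
              "resolved": "fixed", "resolved_with_pedigree": "fixed"}


def load_bom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    return bom


def root_ref(bom):
    return bom["metadata"]["component"]["bom-ref"]


def component_index(bom):
    return {c["bom-ref"]: c for c in bom.get("components", [])}


def dangling_refs(bom):
    """Every ref used in the dependency graph must be the root or a declared component."""
    known = set(component_index(bom)) | {root_ref(bom)}
    used = set()
    for entry in bom.get("dependencies", []):
        used.add(entry["ref"])
        used.update(entry.get("dependsOn", []))
    return sorted(used - known)


def dependency_paths(bom):
    """Shortest path from the root to every reachable ref (BFS over dependsOn edges)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = root_ref(bom)
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def classify(bom):
    """direct = one hop from the root, transitive = deeper, unreachable = declared but never wired in."""
    paths = dependency_paths(bom)
    result = {}
    for ref, comp in component_index(bom).items():
        path = paths.get(ref)
        result[comp["purl"]] = "unreachable" if path is None else ("direct" if len(path) == 2 else "transitive")
    return result


def vex_summary(bom):
    """(vulnerability id, purl, coarse status, severity) per affected component."""
    comps = component_index(bom)
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        for target in vuln.get("affects", []):
            purl = comps.get(target["ref"], {}).get("purl", target["ref"])
            rows.append((vuln["id"], purl, VEX_STATUS.get(state, state), severity))
    return rows


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("dangling refs:", dangling_refs(bom))
    for purl, kind in classify(bom).items():
        print(f"{kind:10} {purl}  via {' -> '.join(dependency_paths(bom).get(purl, ['?']))}")
    for row in vex_summary(bom):
        print("VEX:", row)
```

A non-empty result from dangling_refs means the graph refers to a component the export never declared; treat that as a broken artifact rather than a partial one, since every downstream count and VEX lookup keyed on that ref will silently miss.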

Storage & Access

  • SBOMs are stored in ZeroPath-managed object storage with an automatic expiration policy (24 hours by default; can be extended for enterprise tenants).
  • Download links are pre-signed URLs that carry the same expiration. Pull the artifact into your own storage if you need longer retention.
  • Every job records organization, repository, requester, format, and expiration so you always know who generated which SBOM.

Adoption Guide

1. Run at Least One SCA Scan
This unlocks inventory-backed SBOMs and VEX exports. Scheduled scans keep inventories fresh without manual effort.
2. Submit SBOM Requests per Release
Kick off a job whenever you cut a release branch, tag, or artifact that needs provenance, so the SBOM records the exact commit SHA that shipped.
3. Choose the Right Format
Use CycloneDX + VEX for engineering/security workflows, SPDX for procurement/legal stakeholders, or both.
4. Integrate Delivery
Plug pre-signed URLs into CI/CD approvals, artifact registries, or audit tickets so reviewers can fetch the document automatically. The URL expires with the artifact (24 hours by default), so automate the fetch rather than pasting a link to be opened later.
5. Mirror Long-Lived Artifacts
If policy requires multi-year retention, copy the SBOM into your own storage before the link expires.
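The retrieve-and-mirror steps above as CI glue, written here as an added example rather than ZeroPath's own client code. The HTTP calls are injected functions, so the job-status shape (status, attempts, downloadUrl, plus the organization, repository, requester and format fields the page says each job records) and the fake transport are assumptions. The expiry parser assumes SigV4-style query parameters (X-Amz-Date/X-Amz-Expires, or the X-Goog-* spelling); the page does not say which signer backs ZeroPath's bucket, so adapt it if your URLs look different.

```python
"""Retrieve step as CI glue: poll an SBOM job until it is terminal, then copy the
artifact out while the pre-signed link is still valid. The HTTP layer is injected
so the logic runs offline against a fake transport."""
import hashlib
import json
import time
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Query parameters of SigV4-style pre-signed URLs (AWS and GCS spellings).
# Assumption: the page does not say which signer backs ZeroPath's bucket.
_SIGNED_STYLES = (("X-Amz-Date", "X-Amz-Expires"), ("X-Goog-Date", "X-Goog-Expires"))


def presigned_expiry(url):
    """UTC datetime at which the link stops working, or None if not recognizable."""
    q = parse_qs(urlparse(url).query)
    for date_key, ttl_key in _SIGNED_STYLES:
        if date_key in q and ttl_key in q:
            signed_at = datetime.strptime(q[date_key][0], "%Y%m%dT%H%M%SZ")
            return signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q[ttl_key][0]))
    return None


def wait_for_job(get_status, job_id, timeout=600, interval=5, sleep=time.sleep):
    """Poll get_status(job_id) until the job is Succeeded or Failed.
    Hypothetical response shape: {"status", "attempts", "downloadUrl", ...}."""
    deadline = time.monotonic() + timeout
    while True:
        job = get_status(job_id)
        if job["status"] in ("Succeeded", "Failed"):
            return job
        if time.monotonic() > deadline:
            raise TimeoutError(f"job {job_id} still {job['status']} after {timeout}s "
                               f"({job.get('attempts')} attempts)")
        sleep(interval)


def mirror_artifact(job, download, now=None):
    """Fetch the artifact while the link is valid, hash it, and return the record
    worth storing beside the copy: who generated what, and when the link died."""
    if job["status"] != "Succeeded":
        raise RuntimeError(f"job {job['id']} ended as {job['status']}: {job.get('error')}")
    url = job["downloadUrl"]
    now = now or datetime.now(timezone.utc)
    expiry = presigned_expiry(url)
    if expiry is not None and expiry <= now:
        raise RuntimeError("pre-signed URL already expired; submit a new SBOM job")
    body = download(url)
    sbom = json.loads(body)  # fail fast: a truncated or HTML error body will not parse
    return {
        "sha256": hashlib.sha256(body).hexdigest(),
        "bytes": len(body),
        "bomFormat": sbom.get("bomFormat") or sbom.get("spdxVersion"),
        "organization": job["organization"],
        "repository": job["repository"],
        "requester": job["requester"],
        "format": job["format"],
        "linkExpiresAt": expiry.isoformat() if expiry else None,
    }


# Constructed fake transport standing in for the real API and object storage.
_FAKE_URL = ("https://artifacts.example.invalid/sbom/job-42.json"
             "?X-Amz-Date=20240501T120000Z&X-Amz-Expires=86400&X-Amz-Signature=abc123")
_FAKE_BODY = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode()


def fake_api():
    """Return (get_status, download) where the job succeeds on the third poll."""
    polls = {"n": 0}
    base = {"organization": "acme", "repository": "acme/payments",
            "requester": "ci-bot", "format": "cyclonedx"}

    def get_status(job_id):
        polls["n"] += 1
        if polls["n"] < 3:
            return {**base, "id": job_id, "status": "Processing", "attempts": 1}
        return {**base, "id": job_id, "status": "Succeeded", "attempts": 1, "downloadUrl": _FAKE_URL}

    def download(url):
        if url != _FAKE_URL:
            raise KeyError(url)
        return _FAKE_BODY

    return get_status, download


def demo(hours_before_expiry=1):
    """Run the flow against the fake transport, treating 'now' as the given number
    of hours before the link expires (negative means already expired)."""
    get_status, download = fake_api()
    job = wait_for_job(get_status, "job-42", sleep=lambda _: None)
    now = presigned_expiry(_FAKE_URL) - timedelta(hours=hours_before_expiry)
    return mirror_artifact(job, download, now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the returned record (hash, size, requester, expiry) next to the mirrored file; it is what lets an auditor tie the copy back to the job that produced it after the original link is gone.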

Troubleshooting Tips

  • VEX was requested for a snapshot-based export, which carries no vulnerability context: rerun the job with a completed SCA scan selected, or disable VEX for snapshot-based exports.
  • The job failed before the inventory could be hydrated: usually caused by missing SCM credentials or a deleted branch/tag. Re-run after fixing access, or target a different commit.
  • Packages you expect are missing from the SBOM: verify that the latest SCA scan finished successfully and that the manifests were included (shown in the SCA tab). SBOMs mirror whatever the scan captured.
  • The job stays pending: ensure SBOM workers are running for your workspace. Pending jobs retry automatically, but contact support if they exceed the normal few-minute window.

Comparing Results with Other SBOM Tools

When comparing ZeroPath SBOMs against tools like Syft, Trivy, or Grype, you may notice differences in package counts.

Why Package Counts Differ

Factor                      | ZeroPath                                     | Other tools (e.g., Syft)
Dev dependencies            | Excluded by default                          | Often included
Data source                 | Lockfiles and manifests                      | May also scan the node_modules directory, binaries, or container layers
Optional/peer dependencies  | Included only when resolved in the lockfile  | May include unresolved optional deps
Workspace/monorepo packages | Scoped to the target manifest                | May include all workspace packages
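The dev-dependency, optional-dependency and workspace rows of the table can be reproduced on a lockfile directly. The Python below is an added example, not ZeroPath's or Syft's code: it reads a constructed package-lock.json (lockfileVersion 3) and contrasts a "count every installed directory" number with a graph walk from the target manifest that follows npm's nearest-node_modules resolution, skips optional dependencies the lock never resolved, and follows workspace symlink entries to their real package. The lockfile contents are invented for the example; the semantics of the dev, optional, link and resolved fields are npm's.

```python
"""Why lockfile-scoped inventories and directory walkers disagree on package counts."""
import json
from collections import deque

# Constructed lockfile fragment, not from a real project. It has a dev
# dependency (jest), an optional dep that resolved (fsevents), an optional dep
# that did not (node-notifier, absent from the lock), and a workspace package
# (@acme/billing) that the root manifest does not itself depend on.
SAMPLE_LOCK = json.dumps({
    "name": "payments", "lockfileVersion": 3,
    "packages": {
        "": {"name": "payments", "workspaces": ["packages/*"],
             "dependencies": {"express": "^4.19.2"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/express": {"version": "4.19.2", "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/jest": {"version": "29.7.0", "dev": True,
                              "optionalDependencies": {"fsevents": "^2.3.3", "node-notifier": "^8.0.1"}},
        "node_modules/fsevents": {"version": "2.3.3", "dev": True, "optional": True},
        "node_modules/@acme/billing": {"resolved": "packages/billing", "link": True},
        "packages/billing": {"name": "@acme/billing", "version": "1.0.0",
                             "dependencies": {"lodash": "^4.17.21"}},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})


def load_lock(text):
    return json.loads(text)


def resolve(packages, requester, name):
    """npm's lookup rule: the nearest node_modules/<name> walking up from the requester's path."""
    base = requester
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut >= 0 else ""


def directory_walk_count(lock):
    """What a scanner that lists every installed package directory reports:
    every entry except the root and symlinked workspace links."""
    return sum(1 for path, entry in lock["packages"].items() if path and not entry.get("link"))


def inventory(lock, root="", include_dev=False):
    """Packages reachable from the target manifest through resolved edges only.
    Returns (sorted reachable entry paths, sorted names that never resolved)."""
    packages = lock["packages"]
    seen, unresolved, queue = {root}, [], deque([root])
    while queue:
        path = queue.popleft()
        entry = packages[path]
        wanted = dict(entry.get("dependencies", {}))
        wanted.update(entry.get("optionalDependencies", {}))  # kept only if the lock resolved them
        if include_dev and path == root:
            wanted.update(entry.get("devDependencies", {}))
        for name in wanted:
            target = resolve(packages, path, name)
            if target is None:
                unresolved.append(name)  # e.g. a platform-specific optional dep that was never installed
                continue
            if packages[target].get("link"):
                target = packages[target]["resolved"]  # follow the workspace symlink to its real entry
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return sorted(seen - {root}), sorted(unresolved)


def compare(lock_text):
    lock = load_lock(lock_text)
    prod, _ = inventory(lock)
    with_dev, missing = inventory(lock, include_dev=True)
    return {
        "directory_walk": directory_walk_count(lock),
        "lockfile_prod": len(prod),
        "lockfile_with_dev": len(with_dev),
        "unresolved_optional": missing,
    }


if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_LOCK), indent=2))
    print("workspace scope:", inventory(load_lock(SAMPLE_LOCK), root="packages/billing"))
```

On the sample the directory walk reports six packages while the production inventory reports two: jest and fsevents are dev-only, @acme/billing and lodash belong to a workspace the root manifest never imports, and node-notifier appears in neither count because the lock never resolved it. Pointing the walk at packages/billing instead yields only lodash, which is what "scoped to the target manifest" means in practice.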