Synchronizing CLI help from user-docs #4544

Merged
merged 1 commit into from
Apr 12, 2023
66 changes: 49 additions & 17 deletions help/cli-commands/sbom.md
@@ -1,16 +1,24 @@
# SBOM

## Usage
## Prerequisites

**Feature availability:** This feature is available to customers on Snyk Enterprise plans.

**Note:** In order to run the SBOM generation feature, you must use a minimum of CLI version 1.1071.0.

`$ snyk sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml>|spdx2.3+json [--file=<file>] [--unmanaged] [--org=<ORG_ID>] [<TARGET_DIRECTORY>]`
The `snyk sbom` feature requires an internet connection.

## Usage

`$ snyk sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml>|spdx2.3+json> [--file=<file>] [--unmanaged] [--org=<ORG_ID>] [<TARGET_DIRECTORY>]`

## Description

The `snyk sbom` command enables you to produce an SBOM for a local software project in an ecosystem supported by Snyk.
The `snyk sbom` command generates an SBOM for a local software project in an ecosystem supported by Snyk.

Supported formats include CycloneDX v1.4 (JSON or XML) and SPDX v2.3 (JSON).

An SBOM can be generated for all supported Open Source package managers as well as unmanaged software projects.

## Exit codes

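Review bot: the rewritten Usage line still has the placeholder brackets wrong: in `--format=<cyclonedx1.4+json|cyclonedx1.4+xml>|spdx2.3+json>` the `>` after `cyclonedx1.4+xml` closes the placeholder early, leaving `spdx2.3+json` outside it and a stray `>` at the end, so a reader could take `|spdx2.3+json>` for literal syntax. It should read `--format=<cyclonedx1.4+json|cyclonedx1.4+xml|spdx2.3+json>`, which matches the option heading used later in this file. The new Prerequisites section and the minimum CLI version (1.1071.0) are worth having; since the examples below rely on shell redirection, it would also help to state here that the SBOM is written to standard output.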
Expand All @@ -27,34 +35,40 @@ Use the `-d` option to output the debug logs.

### `--format=<cyclonedx1.4+json|cyclonedx1.4+xml|spdx2.3+json>`

Specify the output format for the SBOM to be produced.
Required. Specify the output format for the SBOM to be produced.

The supported formats are CycloneDX 1.4 JSON or XML and SPDX 2.3 JSON.
Set the desired SBOM output format. Available options are `cyclonedx1.4+json`, `cyclonedx1.4+xml`, and `spdx2.3+json`

### `[--file=<file>]`
### `[--org=<ORG_ID>]`

Optional. Select the package manager manifest file to use as the basis for the SBOM to be produced.
Specify the `<ORG_ID>` (name or UUID) to run Snyk commands tied to a specific organization. The `<ORG_ID>` influences some features availability and private test limits.

### `[--unmanaged]`
Use this option when your default organization does not have API entitlement.

Optional. Instruct the CLI to build an SBOM based on the unmanaged C/C++ source libraries that are locally available.
If this option is omitted, the default organization for your account will be used.

### `[--org=<ORG_ID>]`
This is the `<ORG_ID>` that is the current preferred organization in your [Account settings](https://app.snyk.io/account)&#x20;

Optional. Specify the `<ORG_ID>` to run Snyk commands tied to a specific organization. The `<ORG_ID>` influences some features availability and private test limits.
Set a default to ensure all newly tested projects are tested under your default organization. If you need to override the default, use the `--org=<ORG_ID>` option.

If you have multiple organizations, you can set a default from the CLI using:

`$ snyk config set org=<ORG_ID>`

Set a default to ensure all newly tested projects are tested under your default organization. If you need to override the default, use the `--org=<ORG_ID>` option.

Default: `<ORG_ID>` that is the current preferred organization in your [Account settings](https://app.snyk.io/account)

**Note:** You can also use `--org=<orgslugname>.` The `ORG_ID` works in both the CLI and the API. The organization slug name works in the CLI, but not in the API.

For more information see the article [How to select the organization to use in the CLI](https://support.snyk.io/hc/en-us/articles/360000920738-How-to-select-the-organization-to-use-in-the-CLI)

### `[--file=<file>] or [--f=<file>]`

Specify the desired manifest file on which the SBOM will be based.&#x20;

By default, the `sbom` command detects a supported manifest file in the current working directory.

### `[--unmanaged]`

Generate an SBOM for unmanaged software projects.

### `[<TARGET_DIRECTORY>]`

Optional. Instruct the CLI to autodetect a package manager manifest file to use within the specified directory. If `--file` is set, this option will be ignored.
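Review bot: the `--format` section now says the same thing twice ("Required. Specify the output format for the SBOM to be produced." followed by "Set the desired SBOM output format. Available options are ...") and the second sentence lacks its closing period; collapse it to one sentence such as "Required. Set the SBOM output format: `cyclonedx1.4+json`, `cyclonedx1.4+xml` or `spdx2.3+json`." Three smaller points in the same hunk: the new `--unmanaged` text drops the old wording's detail that unmanaged scanning covers locally available C/C++ source libraries, which is exactly what a reader of this flag needs, so keep that sentence; the trailing `&#x20;` entities on the `--org` default line (`...[Account settings](https://app.snyk.io/account)&#x20;`) and on the `--file` line are GitBook export residue that renders as literal text on GitHub, so strip them; and "some features availability" should be "some feature availability". Finally, `<TARGET_DIRECTORY>` is now the only option still prefixed with "Optional." after this change; either keep the prefix on all optional flags or drop it here too.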
Expand All @@ -63,10 +77,28 @@ Optional. Instruct the CLI to autodetect a package manager manifest file to use

## Examples for the snyk sbom command

Generate an SBOM and display it in the local console.
### Create a CycloneDX JSON document for a local software project

`$ snyk sbom --format=cyclonedx1.4+json`

Generate an SBOM and write it to a local file.
### Create a CycloneDX JSON document and write it to a local file

`$ snyk sbom --format=cyclonedx1.4+json > mySBOM.json`

### Create an SPDX 2.3 JSON document for an unmanaged software project

```bash
$ snyk sbom --unmanaged --format=spdx2.3+json
```

### Create a CycloneDX XML document for a Maven project

```
$ snyk sbom --file=pom.xml --format=cyclonedx1.4+xml
```

### **Create a CycloneDX JSON document and scan using bomber and Snyk**

<pre class="language-bash"><code class="lang-bash"><strong>$ snyk sbom --format=cyclonedx1.4+json --file=go.mod > /tmp/sbom.cdx.json &#x26;&#x26; \
</strong><strong> bomber scan --provider snyk --token $SNYK_API_TOKEN /tmp/sbom.cdx.json
</strong></code></pre>
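Review bot: the bomber example is wrapped in GitBook HTML (`<pre class="language-bash"><code class="lang-bash"><strong>` with `&#x26;&#x26;` standing in for `&&`) rather than the ```bash fence the SPDX example above uses, so on GitHub it renders as raw HTML with the literal `&#x26;&#x26;` text, and the Maven example's fence has no language tag; use a plain ```bash fence for both. The command also passes the token on the command line (`--token $SNYK_API_TOKEN`), where it is visible to other local users through process listings and lands in shell history; since the value already lives in an environment variable, point readers at a way to hand it to bomber that keeps it off the command line, or at least note the exposure. Writing the SBOM to a fixed, predictable path in `/tmp` is also a habit documentation should not teach, since readers copy these lines verbatim.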