What is CycloneDX?

CycloneDX is an OWASP-standardized format for software bills of materials (SBOMs). It provides a machine-readable inventory of every component in a software artifact — including libraries, frameworks, and compiled native binaries. BinShield produces CycloneDX 1.5 documents enriched with binary-level metadata: detected symbols, linked libraries, compiler toolchains, and risk assessments that traditional SBOM generators cannot capture.

How to Export

Request an SBOM for any analyzed package version via the /sbom endpoint:

curl -s \
  "https://binshieldapi-production.up.railway.app/packages/npm/bcrypt/versions/6.0.0/sbom" \
  | jq .

Save directly to a file for audit records:

curl -s \
  "https://binshieldapi-production.up.railway.app/packages/npm/bcrypt/versions/6.0.0/sbom" \
  -o bcrypt-6.0.0-sbom.json

The endpoint pattern is:

GET /packages/:ecosystem/:name/versions/:version/sbom

Response Format

The response is a CycloneDX 1.5 JSON document. Here is the structure of a typical response:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-03-20T12:00:00Z",
    "tools": [
      {
        "vendor": "BinShield",
        "name": "binshield-api",
        "version": "1.0.0"
      }
    ],
    "component": {
      "type": "library",
      "name": "bcrypt",
      "version": "6.0.0",
      "purl": "pkg:npm/bcrypt@6.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "bcrypt_lib.node",
      "version": "6.0.0",
      "description": "Native N-API addon — bcrypt binding",
      "properties": [
        { "name": "binshield:binary:format", "value": "ELF x86_64" },
        { "name": "binshield:binary:compiler", "value": "GCC 12.2" },
        { "name": "binshield:risk:level", "value": "low" },
        { "name": "binshield:risk:score", "value": "12" }
      ]
    },
    {
      "type": "library",
      "name": "libcrypto.so.3",
      "version": "3.0.9",
      "description": "OpenSSL cryptographic library (linked)",
      "properties": [
        { "name": "binshield:linkage", "value": "dynamic" }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/bcrypt@6.0.0",
      "dependsOn": [
        "bcrypt_lib.node",
        "libcrypto.so.3"
      ]
    }
  ]
}
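A policy check over this format, as an added example (not BinShield's own code): it reads the binshield:* properties shown above from an embedded copy of the sample response, flags components whose risk level or score breaches a threshold, and verifies that every dependency ref resolves to a component. The RISK_ORDER scale and the thresholds are assumptions; the page only shows a "low" level and a score of 12.

```python
import json

# Constructed sample: the "Response Format" document above, trimmed to the fields
# this check reads (component names, purl, dependencies, binshield:* properties).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "library", "name": "bcrypt",
               "version": "6.0.0", "purl": "pkg:npm/bcrypt@6.0.0"}},
  "components": [
    {"type": "library", "name": "bcrypt_lib.node", "version": "6.0.0", "properties": [
       {"name": "binshield:binary:format", "value": "ELF x86_64"},
       {"name": "binshield:binary:compiler", "value": "GCC 12.2"},
       {"name": "binshield:risk:level", "value": "low"},
       {"name": "binshield:risk:score", "value": "12"}]},
    {"type": "library", "name": "libcrypto.so.3", "version": "3.0.9", "properties": [
       {"name": "binshield:linkage", "value": "dynamic"}]}],
  "dependencies": [{"ref": "pkg:npm/bcrypt@6.0.0",
                    "dependsOn": ["bcrypt_lib.node", "libcrypto.so.3"]}]
}""")

RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed scale; page shows "low" only

def props(component):
    """Flatten a CycloneDX properties list into a name -> value dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}

def risky_components(bom, max_level="medium", max_score=50):
    """Names of components whose binshield:risk:level or :score exceeds the policy."""
    flagged = []
    for c in bom.get("components", []):
        p = props(c)
        level = p.get("binshield:risk:level")
        score = int(p.get("binshield:risk:score", "0"))
        if (level and RISK_ORDER.get(level, 99) > RISK_ORDER[max_level]) or score > max_score:
            flagged.append(c["name"])
    return flagged

def dangling_refs(bom):
    """Dependency refs naming no component (CycloneDX matches on bom-ref; purl/name also accepted)."""
    ids = set()
    for c in [bom.get("metadata", {}).get("component", {})] + bom.get("components", []):
        ids.update(v for v in (c.get("bom-ref"), c.get("purl"), c.get("name")) if v)
    refs = {r for d in bom.get("dependencies", []) for r in [d["ref"], *d.get("dependsOn", [])]}
    return sorted(refs - ids)

def sbom_passes(bom):
    """CI gate: no component breaches the risk policy and the dependency graph is closed."""
    return not risky_components(bom) and not dangling_refs(bom)
```

Run it against a saved export by replacing SAMPLE_SBOM with json.load(open("bcrypt-6.0.0-sbom.json")) and failing the build when sbom_passes returns False.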

Integration with Compliance Tools

CycloneDX SBOMs from BinShield are compatible with the broader compliance ecosystem. Common integrations include:

  • Dependency-Track -- Import SBOMs into OWASP Dependency-Track for continuous vulnerability monitoring and policy enforcement.
  • Grype / Trivy -- Feed SBOMs into vulnerability scanners for CVE matching against binary components.
  • SOC 2 / ISO 27001 audits -- Attach SBOMs as evidence artifacts demonstrating supply-chain visibility.
  • NTIA minimum elements -- BinShield SBOMs satisfy NTIA minimum element requirements including supplier, component name, version, dependency relationships, and timestamp.

Example: Import into Dependency-Track

# Export SBOM and upload to Dependency-Track
curl -s "https://binshieldapi-production.up.railway.app/packages/npm/bcrypt/versions/6.0.0/sbom" \
  -o bcrypt-sbom.json

# Do not set Content-Type by hand: curl adds the multipart header with the
# required boundary when -F is used, and a manual header would omit it.
curl -s -X POST "https://your-dtrack-instance/api/v1/bom" \
  -H "X-Api-Key: $DTRACK_API_KEY" \
  -F "project=<project-uuid>" \
  -F "bom=@bcrypt-sbom.json"