
Review SBOM with Veracode Container Security

After you run the sbom command, Veracode Container Security generates a software bill of materials (SBOM) and either displays it in your command window or writes it to a file.

To configure the output format of the SBOM, such as CycloneDX, SPDX, or a table, include the --format flag.

Example result

The following example output is for an SBOM in SPDX format.

./veracode sbom --source alpine:latest --type image -f spdx-tag-value

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine-latest
DocumentNamespace: https://anchore.com/syft/image/alpine-latest-ef098fd6-aba5-4f46-9cee-558a006863a5
LicenseListVersion: 3.18
Creator: Organization: Anchore, Inc
Creator: Tool: syft-
Created: 2023-01-23T15:30:21Z

##### Package: alpine-baselayout

PackageName: alpine-baselayout
SPDXID: SPDXRef-Package-apk-alpine-baselayout-94d36b572eb8f477
PackageVersion: 3.4.0-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-baselayout@3.4.0-r0?arch=aarch64&upstream=alpine-baselayout&distro=alpine-3.17.0

##### Package: alpine-baselayout-data

PackageName: alpine-baselayout-data
SPDXID: SPDXRef-Package-apk-alpine-baselayout-data-1b70ec812056fde9
PackageVersion: 3.4.0-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-baselayout-data@3.4.0-r0?arch=aarch64&upstream=alpine-baselayout&distro=alpine-3.17.0

##### Package: alpine-keys

PackageName: alpine-keys
SPDXID: SPDXRef-Package-apk-alpine-keys-778781ef3ad77897
PackageVersion: 2.4-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/alpine-keys@2.4-r1?arch=aarch64&upstream=alpine-keys&distro=alpine-3.17.0

##### Package: apk-tools

PackageName: apk-tools
SPDXID: SPDXRef-Package-apk-apk-tools-799f921f399cb53
PackageVersion: 2.12.10-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/apk-tools@2.12.10-r1?arch=aarch64&upstream=apk-tools&distro=alpine-3.17.0

##### Package: busybox

PackageName: busybox
SPDXID: SPDXRef-Package-apk-busybox-8aaa05def2ad8160
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/busybox@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0

##### Package: busybox-binsh

PackageName: busybox-binsh
SPDXID: SPDXRef-Package-apk-busybox-binsh-c0889e6fddb07d91
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/busybox-binsh@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0

##### Package: ca-certificates-bundle

PackageName: ca-certificates-bundle
SPDXID: SPDXRef-Package-apk-ca-certificates-bundle-1044ad92991da123
PackageVersion: 20220614-r2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0 AND MIT
PackageLicenseDeclared: MPL-2.0 AND MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca:ca-certificates-bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ca:ca_certificates_bundle:20220614-r2:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/ca-certificates-bundle@20220614-r2?arch=aarch64&upstream=ca-certificates&distro=alpine-3.17.0

##### Package: libc-utils

PackageName: libc-utils
SPDXID: SPDXRef-Package-apk-libc-utils-9580703a7dc03ab6
PackageVersion: 0.7.2-r3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause
PackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libc-utils@0.7.2-r3?arch=aarch64&upstream=libc-dev&distro=alpine-3.17.0

##### Package: libcrypto3

PackageName: libcrypto3
SPDXID: SPDXRef-Package-apk-libcrypto3-3a34ccc100422e09
PackageVersion: 3.0.7-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libcrypto3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0

##### Package: libssl3

PackageName: libssl3
SPDXID: SPDXRef-Package-apk-libssl3-340d5e1521cb7cae
PackageVersion: 3.0.7-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libssl3:libssl3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libssl3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0

##### Package: musl

PackageName: musl
SPDXID: SPDXRef-Package-apk-musl-ada262e3849a9047
PackageVersion: 1.2.3-r4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/musl@1.2.3-r4?arch=aarch64&upstream=musl&distro=alpine-3.17.0

##### Package: musl-utils

PackageName: musl-utils
SPDXID: SPDXRef-Package-apk-musl-utils-7cf875936f1dba2d
PackageVersion: 1.2.3-r4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT AND BSD-2-Clause AND GPL-2.0-or-later
PackageLicenseDeclared: MIT AND BSD-2-Clause AND GPL-2.0-or-later
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/musl-utils@1.2.3-r4?arch=aarch64&upstream=musl&distro=alpine-3.17.0

##### Package: scanelf

PackageName: scanelf
SPDXID: SPDXRef-Package-apk-scanelf-48e301315cbf16cf
PackageVersion: 1.3.5-r1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/scanelf@1.3.5-r1?arch=aarch64&upstream=pax-utils&distro=alpine-3.17.0

##### Package: ssl_client

PackageName: ssl_client
SPDXID: SPDXRef-Package-apk-ssl-client-297a516ba5d8e32d
PackageVersion: 1.35.0-r29
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/ssl_client@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0

##### Package: zlib

PackageName: zlib
SPDXID: SPDXRef-Package-apk-zlib-1625b2938bc472bc
PackageVersion: 1.2.13-r0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/zlib@1.2.13-r0?arch=aarch64&upstream=zlib&distro=alpine-3.17.0
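
To review output like the example above, it helps to reduce it to one record per package. The following Python parser is an added example, not part of the Veracode documentation or tooling; the function names `parse_packages` and `by_upstream` are illustrative. It reads the `PackageName`, `PackageVersion` and `ExternalRef` tags, collects the candidate CPEs listed for each package, and groups packages by the `upstream` qualifier in each purl, so that `libcrypto3` and `libssl3` both appear under `openssl`.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Three records taken from the example output above, trimmed to the tags read here.
SAMPLE = """\
##### Package: libcrypto3
PackageName: libcrypto3
PackageVersion: 3.0.7-r0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libcrypto3:libcrypto3:3.0.7-r0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libcrypto3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
PackageName: libssl3
PackageVersion: 3.0.7-r0
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libssl3@3.0.7-r0?arch=aarch64&upstream=openssl&distro=alpine-3.17.0
PackageName: ssl_client
PackageVersion: 1.35.0-r29
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/ssl_client@1.35.0-r29?arch=aarch64&upstream=busybox&distro=alpine-3.17.0
"""

def parse_packages(text):
    """Return one dict per PackageName record in SPDX tag-value text."""
    packages, current = [], None
    for line in text.splitlines():
        # Comments, blank lines and document-level tags match no branch below.
        tag, _, value = line.partition(": ")
        if tag == "PackageName":
            current = {"name": value, "version": None, "cpes": [], "purl": None, "upstream": None}
            packages.append(current)
        elif current and tag == "PackageVersion":
            current["version"] = value
        elif current and tag == "ExternalRef":
            parts = value.split(" ", 2)  # category, type, locator
            if len(parts) != 3:
                continue  # malformed reference: skip rather than guess
            if parts[1] == "cpe23Type":
                current["cpes"].append(parts[2])
            elif parts[1] == "purl":
                current["purl"] = parts[2]
                query = parts[2].partition("?")[2]
                current["upstream"] = parse_qs(query).get("upstream", [None])[0]
    return packages

def by_upstream(packages):
    """Group package names under the upstream source named in each purl."""
    groups = defaultdict(list)
    for pkg in packages:
        groups[pkg["upstream"] or pkg["name"]].append(pkg["name"])
    return dict(groups)
```

To use it on a real SBOM, pass the text of the file written by the sbom command to `parse_packages`.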