
av sbom export

Export a project’s Software Bill of Materials as CycloneDX 1.6 JSON, with an optional embedded VEX block derived from the project’s alert state.

av sbom export --project <project-id> [flags]

The binary ships as alertavuln; av is the common alias - they are interchangeable in every example.

av sbom export downloads the project’s SBOM from the AlertaVuln API and writes it to stdout, or to a file with --out. The document is generated server-side from the project’s tracked tech stack and dependency graph - no new scan runs at export time.

The output is CycloneDX 1.6 JSON; cyclonedx-json is the only --format value supported today. Each component carries:

  • a Package URL (purl) where one can be formed for the ecosystem
  • a scope of required, or optional for dev-only dependencies
  • a licenses[] block when a license is recorded for the package: a single SPDX id is emitted as license.id, a compound SPDX expression (OR / AND) as expression, and any other text as license.name
  • alertavuln:* properties recording the ecosystem, discovered manifest paths, maintenance status, and latest known version

A dependencies[] section links the project to its direct packages and each package to its recorded children.

With --with-vex (on by default) the document also embeds a CycloneDX vulnerabilities[] (VEX) section derived from the project’s alerts. The analysis.state of each vulnerability comes from the alert status: RED becomes exploitable, YELLOW becomes in_triage, and GREEN becomes not_affected. Acknowledged alerts include who acknowledged them and the acknowledgement note in the analysis detail. Pass --with-vex=false for a plain component inventory.

| Flag | Default | Description |
| --- | --- | --- |
| --project | - | Project ID to export (required) |
| --format | cyclonedx-json | SBOM format; cyclonedx-json is the only supported value today |
| --with-vex | true | Embed a VEX vulnerabilities[] block derived from the project’s alerts; pass --with-vex=false to omit it |
| --out | - | Write the SBOM to this file instead of stdout |

Export the SBOM, VEX included, to a file:

av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 --out sbom.cdx.json

Pipe to jq to count the tracked components:

av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 | jq '.components | length'

Produce a plain inventory without the vulnerability section:

av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 --with-vex=false --out inventory.cdx.json
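One way to sanity-check an exported document offline, as an added example that is not part of the AlertaVuln CLI or this page: it parses the CycloneDX 1.6 layout described above (component scope, the three licenses[] forms, and the alert-derived analysis.state values) and reports inventory gaps plus which packages still carry an exploitable (RED) alert. The embedded document is a constructed sample, not a real export.

```python
import json
from collections import Counter

# Constructed sample in the shape the page describes; not a real AlertaVuln export.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "scope": "required",
         "licenses": [{"license": {"id": "MIT"}}]},            # single SPDX id
        {"bom-ref": "pkg:npm/jest@29.0.0", "name": "jest", "version": "29.0.0",
         "purl": "pkg:npm/jest@29.0.0", "scope": "optional",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},  # compound expression
        {"bom-ref": "internal-lib", "name": "internal-lib", "version": "1.0.0",
         "scope": "required"},                                # no purl, no license
    ],
    "vulnerabilities": [  # analysis.state mirrors alert status: RED / YELLOW / GREEN
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
         "analysis": {"state": "exploitable"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/jest@29.0.0"}],
         "analysis": {"state": "in_triage"}},
        {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
         "analysis": {"state": "not_affected", "detail": "acknowledged: sink unreachable"}},
    ],
})

def license_label(comp):
    """Flatten licenses[] the way the export emits it: id, expression, or free-text name."""
    labels = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        labels.append(entry.get("expression") or lic.get("id") or lic.get("name") or "?")
    return ", ".join(labels) or None

def summarize(sbom_json):
    """Inventory gaps plus VEX state counts; exploitable_refs are packages with a RED alert."""
    doc = json.loads(sbom_json)
    comps, vulns = doc.get("components", []), doc.get("vulnerabilities", [])
    return {
        "components": len(comps),
        "required": sum(c.get("scope") == "required" for c in comps),
        "optional": sum(c.get("scope") == "optional" for c in comps),
        "missing_purl": sorted(c["name"] for c in comps if "purl" not in c),
        "missing_license": sorted(c["name"] for c in comps if license_label(c) is None),
        "vex_states": dict(Counter(v["analysis"]["state"] for v in vulns)),
        "exploitable_refs": sorted({a["ref"] for v in vulns for a in v["affects"]
                                    if v["analysis"]["state"] == "exploitable"}),
    }
```

Feed it the file written by --out (for example `summarize(open("sbom.cdx.json").read())`); a non-empty exploitable_refs list is the signal to gate a release on.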

| Code | Meaning |
| --- | --- |
| 0 | Export succeeded |
| 1 | Export failed - not logged in, project not found, the subscription lacks SBOM access, or the API returned an error |

  • av techstack - manage the tracked tech stack the SBOM is generated from
  • av webhook - manage a project’s webhook alert destinations