SBOM SPDX Ingestion of Github Generated SBOM SPDX Files
05-21-2025 12:45 PM
Presently, GitHub-generated SBOM SPDX files cannot be ingested into the ServiceNow SBOM capability without a conversion or, at minimum, a manual code hack in the JSON file (which is not ideal).
Although we can always automate SBOM ingestion via actions, it wouldn't be a bad idea for the ServiceNow SBOM ingestion engine to process GitHub SPDX files.
Just a suggestion.
05-22-2025 08:29 AM
Hey @miguelsa — totally agree with you on this pain point. We’ve run into the same challenge when trying to upload SBOMs retrieved from GitHub’s Dependency Graph API. It’s one of the main reasons we built sbommv — to solve two big pain points:
- Seamlessly transfer SBOMs between systems without manual steps or glue scripts, managing all the complexities behind the scenes.
- Automatically convert SBOM formats to match what the destination system expects.
Your use case fits perfectly:
Pulling SBOMs from your GitHub repo using the Dependency Graph API (which gives you SPDX format), then converting that to CycloneDX using the protobom library under the hood, and finally uploading it to something like Dependency-Track or ServiceNow.
Here is the same example: https://github.com/interlynk-io/sbommv/blob/main/examples/github_dtrack_examples.md#12-github-api-me...
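To make the conversion step in the reply above concrete, here is a small added example (written for this thread, not code from sbommv, protobom, ServiceNow or GitHub). It takes an SPDX 2.3 JSON document shaped like the GitHub REST API response for `GET /repos/{owner}/{repo}/dependency-graph/sbom` (which wraps the document in a top-level `sbom` key), maps packages to CycloneDX 1.5 components and `DEPENDS_ON` relationships to the `dependencies` graph, and reports two things you want to know before uploading to Dependency-Track or ServiceNow: packages that carry no purl (a scanner cannot match those to advisories) and relationships that point at elements missing from the document. The sample document, the function name `spdx_to_cyclonedx` and the package identifiers are all constructed for the example.

```python
from __future__ import annotations
import json
from typing import Any

# Constructed sample shaped like the GitHub REST API response for
# GET /repos/{owner}/{repo}/dependency-graph/sbom (document wrapped in "sbom").
# Not real repository data; one package deliberately lacks a purl and one
# relationship deliberately points at a missing element.
SAMPLE_GITHUB_SBOM: dict[str, Any] = {"sbom": {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/demo-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "com.github.example/demo-app",
         "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-npm-lodash-4.17.21", "name": "npm:lodash",
         "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-vendored-blob", "name": "vendored-blob",
         "versionInfo": "0.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-lodash-4.17.21"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-missing"},
    ],
}}


def spdx_to_cyclonedx(doc: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Map SPDX packages to CycloneDX components and DEPENDS_ON to dependencies.

    Returns the CycloneDX 1.5 document and a list of warnings about data a
    downstream scanner cannot use: packages without a purl (no advisory
    matching possible) and relationships to elements absent from the document.
    """
    spdx = doc.get("sbom", doc)  # unwrap the GitHub API envelope if present
    warnings: list[str] = []
    rels = spdx.get("relationships", [])
    by_id = {p["SPDXID"]: p for p in spdx.get("packages", [])}

    # The element the document DESCRIBES is the root (metadata.component);
    # every other package becomes a library component.
    root_id = next((r["relatedSpdxElement"] for r in rels
                    if r.get("relationshipType") == "DESCRIBES"
                    and r.get("spdxElementId") == "SPDXRef-DOCUMENT"), None)

    def to_component(pkg: dict[str, Any]) -> dict[str, Any]:
        comp = {"type": "application" if pkg["SPDXID"] == root_id else "library",
                "bom-ref": pkg["SPDXID"], "name": pkg.get("name", ""),
                "version": pkg.get("versionInfo", "")}
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        if purl:
            comp["purl"] = purl
        elif pkg["SPDXID"] != root_id:
            warnings.append(f"{pkg['SPDXID']}: no purl, cannot be matched to advisories")
        return comp

    components = [to_component(p) for p in by_id.values() if p["SPDXID"] != root_id]

    deps: dict[str, list[str]] = {}
    for rel in rels:
        if rel.get("relationshipType") != "DEPENDS_ON":
            continue
        src, dst = rel["spdxElementId"], rel["relatedSpdxElement"]
        if src not in by_id or dst not in by_id:
            warnings.append(f"dangling DEPENDS_ON {src} -> {dst}, dropped")
            continue
        deps.setdefault(src, []).append(dst)

    bom: dict[str, Any] = {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": components,
        "dependencies": [{"ref": ref, "dependsOn": sorted(targets)}
                         for ref, targets in sorted(deps.items())],
    }
    if root_id in by_id:
        bom["metadata"] = {"component": to_component(by_id[root_id])}
    return bom, warnings


if __name__ == "__main__":
    bom, warnings = spdx_to_cyclonedx(SAMPLE_GITHUB_SBOM)
    print(json.dumps(bom, indent=2))
    for w in warnings:
        print("WARNING:", w)
```

Run it as a script to see the CycloneDX output for the sample; on a real export, pass the parsed API response (or the bare SPDX document, both shapes are accepted) and treat a non-empty warning list as a reason to look at the source repository's manifests before trusting the uploaded inventory, because a component with no purl will silently produce zero findings in the destination system.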