av sbom export
Export a project’s Software Bill of Materials as CycloneDX 1.6 JSON, with an optional embedded VEX block derived from the project’s alert state.
Synopsis
```shell
av sbom export --project <project-id> [flags]
```

The binary ships as alertavuln; av is the common alias - they are
interchangeable in every example.
Description
av sbom export downloads the project’s SBOM from the AlertaVuln API and
writes it to stdout, or to a file with --out. The document is generated
server-side from the project’s tracked tech stack and dependency graph - no
new scan runs at export time.
The output is CycloneDX 1.6 JSON; cyclonedx-json is the only --format
value supported today. Each component carries:
- a Package URL (purl) where one can be formed for the ecosystem
- a scope of required, or optional for dev-only dependencies
- a licenses[] block when a license is recorded for the package: a single SPDX id is emitted as license.id, a compound SPDX expression (OR/AND) as expression, and any other text as license.name
- alertavuln:* properties recording the ecosystem, discovered manifest paths, maintenance status, and latest known version
A dependencies[] section links the project to its direct packages and each
package to its recorded children.
With --with-vex (on by default) the document also embeds a CycloneDX
vulnerabilities[] (VEX) section derived from the project’s alerts. The
analysis.state of each vulnerability comes from the alert status:
RED becomes exploitable,
YELLOW becomes in_triage, and
GREEN becomes not_affected. Acknowledged
alerts include who acknowledged them and the acknowledgement note in the
analysis detail. Pass --with-vex=false for a plain component inventory.
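As an added example (not part of the alertavuln tooling or its documentation), a consumer-side Python script that reads an exported document the way a CI step would: it counts components by scope, renders the three license encodings described above, tallies the VEX analysis.state values, and exits non-zero while any RED-derived exploitable entry remains. The embedded SBOM, its package names and its vulnerability ids are constructed sample data.

```python
import json
# Constructed sample of the export described above (CycloneDX 1.6 JSON with components and a VEX block).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "lodash", "scope": "required", "purl": "pkg:npm/lodash@4.17.21",
         "bom-ref": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "jest", "scope": "optional", "purl": "pkg:npm/jest@29.7.0",
         "bom-ref": "pkg:npm/jest@29.7.0", "licenses": [{"expression": "(MIT OR Apache-2.0)"}]},
        {"type": "library", "name": "internal-utils", "bom-ref": "internal-utils@1.0.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
    "vulnerabilities": [  # ids are constructed placeholders, not real advisories
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.21"}],
         "analysis": {"state": "exploitable"}},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/jest@29.7.0"}],
         "analysis": {"state": "not_affected", "detail": "acknowledged by alice: dev-only"}},
    ],
})

def license_text(entry):
    # The exporter uses three encodings: expression, license.id, or license.name.
    if "expression" in entry:  # compound SPDX expression (OR/AND)
        return entry["expression"]
    lic = entry.get("license", {})
    return lic.get("id") or lic.get("name") or "UNKNOWN"  # single SPDX id, else free text

def summarize(sbom_json):
    """Count components by scope, render licenses, tally VEX states, list exploitable findings."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.6":
        raise ValueError("expected a CycloneDX 1.6 document")
    comps = doc.get("components", [])
    by_ref = {c.get("bom-ref", c.get("purl")): c["name"] for c in comps}
    scope = {"required": 0, "optional": 0}
    for c in comps:
        scope[c.get("scope", "required")] += 1  # CycloneDX treats a missing scope as required
    licenses = {c["name"]: [license_text(l) for l in c.get("licenses", [])] for c in comps}
    states, blocking = {}, []
    for v in doc.get("vulnerabilities", []):  # absent entirely with --with-vex=false
        state = v.get("analysis", {}).get("state", "unknown")
        states[state] = states.get(state, 0) + 1
        if state == "exploitable":  # RED alerts: what a CI gate should block on
            blocking += [(v["id"], by_ref.get(a["ref"], a["ref"])) for a in v.get("affects", [])]
    return {"scope": scope, "licenses": licenses, "states": states, "blocking": blocking}

if __name__ == "__main__":
    result = summarize(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if result["blocking"] else 0)  # non-zero exit fails a pipeline step
```

To run it against a real export, replace SAMPLE_SBOM with the contents of the file written by --out.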
Options
| Flag | Default | Description |
|---|---|---|
| --project | - | Project ID to export (required) |
| --format | cyclonedx-json | SBOM format; cyclonedx-json is the only supported value today |
| --with-vex | true | Embed a VEX vulnerabilities[] block derived from the project’s alerts; pass --with-vex=false to omit it |
| --out | - | Write the SBOM to this file instead of stdout |
Examples
Export the SBOM, VEX included, to a file:

```shell
av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 --out sbom.cdx.json
```

Pipe to jq to count the tracked components:

```shell
av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 | jq '.components | length'
```

Produce a plain inventory without the vulnerability section:

```shell
av sbom export --project 9f6b2d84-3c1e-4a57-9e2b-7d8c5f01a3e2 --with-vex=false --out inventory.cdx.json
```

Exit codes
| Code | Meaning |
|---|---|
| 0 | Export succeeded |
| 1 | Export failed - not logged in, project not found, the subscription lacks SBOM access, or the API returned an error |
See also
- av techstack - manage the tracked tech stack the SBOM is generated from
- av webhook - manage a project’s webhook alert destinations