Download an SBOM

Downloading returns one version's SBOM. You need two IDs: the environment ID (projectId) and the version ID (sbomId). Get them from List Products and Versions.

The SBOM content comes back base64-encoded inside the JSON response. You decode it to get the file.

The request

curl https://api.interlynk.io/lynkapi \
  -H "Authorization: Bearer $INTERLYNK_SECURITY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "query downloadSbom($projectId: Uuid!, $sbomId: Uuid!) { sbom(projectId: $projectId, sbomId: $sbomId) { download(sbomId: $sbomId) { ready content contentType filename } } }",
    "variables": {
      "projectId": "1fade833-0603-4139-8ca0-26592264a4c9",
      "sbomId": "4e423fe0-d089-4025-b1e4-8fe9608138d6"
    }
  }'

Response:

{
  "data": {
    "sbom": {
      "download": {
        "ready": true,
        "content": "ewogICJib21Gb3JtYXQiOiAiQ3ljbG9uZURYIiwK...",
        "contentType": "application/json",
        "filename": "payments-service.cdx.json"
      }
    }
  }
}

| Field | Meaning |
| --- | --- |
| ready | true when the SBOM is processed and content is included. |
| content | The SBOM file, base64-encoded. |
| contentType | MIME type of the decoded file, for example application/json. |
| filename | Suggested filename. May be null. |

Decode the content

The content field is base64. Pipe the response through jq and base64 to write the SBOM straight to a file:

sbom.json now holds the CycloneDX or SPDX document.

Download options

Pass extra variables to control format and content. Add them to variables and to the download(...) arguments.

| Variable | Type | Effect |
| --- | --- | --- |
| spec | SbomSpec | Output format: CycloneDX or SPDX. |
| specVersion | String | Spec version, for example 1.6 or 2.3. |
| includeVulns | Boolean | Include known vulnerabilities in the SBOM. |
| original | Boolean | Return the exact file that was uploaded, with no platform processing. |
| lite | Boolean | Return a lighter SBOM with reduced metadata. |
| excludeParts | Boolean | Exclude linked or nested part SBOMs. |
| includeSupportStatus | Boolean | Add support-status information to components. |

Example, download as SPDX 2.3 with vulnerabilities:

When the SBOM is not ready

A version is not downloadable until the platform finishes processing it. If you download too soon, ready is false and content is empty.

To make the API wait for processing, pass requireCompleted with the stages you need. Ask download for processingStatus so you can see what is pending.

Valid stages: AUTOMATION, VULN_SCAN, POLICY_SCAN.

If ready is still false, wait and retry. See Check Processing Status for the full pattern.
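
The decode step and the not-ready case described above, combined in one client-side handler. This is an added Python example, not Interlynk's own code: the function names, the sbom.json fallback and the sample response are constructed for illustration, and the errors check assumes the standard GraphQL error envelope.

```python
import base64
import binascii
import json
import os


class SbomNotReady(Exception):
    """ready was false or content was empty: wait and retry."""


def extract_sbom(response_text, default_name="sbom.json"):
    """Return (safe_filename, content_type, sbom_bytes) from a download response."""
    body = json.loads(response_text)
    if body.get("errors"):  # standard GraphQL error envelope (assumption)
        raise RuntimeError(f"GraphQL errors: {body['errors']}")
    download = body["data"]["sbom"]["download"]
    if not download.get("ready") or not download.get("content"):
        raise SbomNotReady("SBOM is still processing")
    try:
        # Drop any line wrapping, then decode strictly so corrupt data fails loudly.
        raw = base64.b64decode("".join(download["content"].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"content is not valid base64: {exc}") from exc
    # filename is server-supplied and may be null; keep only its last path component.
    name = os.path.basename((download.get("filename") or "").replace("\\", "/"))
    if name in ("", ".", ".."):
        name = default_name
    return name, download.get("contentType"), raw


def save_sbom(response_text, out_dir="."):
    name, _content_type, raw = extract_sbom(response_text)
    path = os.path.join(out_dir, name)
    with open(path, "wb") as fh:
        fh.write(raw)
    return path


def constructed_response(doc, filename, ready=True):
    """Build a sample response in the shape shown above (constructed data)."""
    content = base64.b64encode(json.dumps(doc).encode()).decode() if ready else ""
    return json.dumps({"data": {"sbom": {"download": {
        "ready": ready, "content": content,
        "contentType": "application/json", "filename": filename}}}})


if __name__ == "__main__":
    sample = constructed_response({"bomFormat": "CycloneDX"}, "payments-service.cdx.json")
    print(extract_sbom(sample)[0])
```

Catch SbomNotReady in the caller to drive the wait-and-retry loop; the decoded bytes are written unchanged, so a checksum taken over the file matches what the API returned.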
