Export a CBOM

Obsidian exports a Cryptography Bill of Materials (CBOM) in CycloneDX format for enterprise exchange and downstream tooling. CycloneDX 1.7 is the default; 1.6 is available for consumers that have not moved yet.

Download an export

CBOM routes are authenticated and scoped to an organization:

# Default: CycloneDX 1.7
curl -s http://localhost:8080/api/v1/orgs/acme/cbom/standards/cyclonedx-1.7.json

# Compatibility: CycloneDX 1.6
curl -s http://localhost:8080/api/v1/orgs/acme/cbom/standards/cyclonedx-1.6.json

The 1.7 route returns Content-Type: application/vnd.cyclonedx+json; version=1.7 and downloads as {org}-cbom-cyclonedx-1.7.cdx.json. You can also export from the Inventory page in the dashboard.

What’s in the export

  • Repository and application context as software components.
  • Discovered libraries such as OpenSSL as component.type=library — not as cryptographic assets.
  • Algorithms, protocols, certificates, and related material as component.type=cryptographic-asset with CycloneDX crypto properties.
  • Hash, MAC, KDF, key-agreement, KEM, and DRBG primitives carry their matching CycloneDX crypto functions when the evidence is unambiguous.
  • Source locations as CycloneDX evidence occurrences; product-specific identifiers stay on namespaced crypto-discovery:* properties.

Ambiguous usage is exported conservatively — unclear RSA usage, for example, is marked primitive=unknown rather than guessed.
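A consumer of the export typically wants to confirm it got the version it asked for (the Content-Type header from the 1.7 route above) and then triage the component types described in this list: libraries versus cryptographic assets, which primitives were recognised, and which assets came back as primitive=unknown and therefore need a human look. The script below does that. It is an added example, not code from the Obsidian project; the sample document it parses is constructed here, and the property name crypto-discovery:confidence is a hypothetical illustration of the namespaced properties mentioned above, not a name the product is known to emit.

```python
"""Parse and triage a CBOM export (CycloneDX 1.6/1.7 JSON).

Added example, not Obsidian's own code. Assumes the export is a standard
CycloneDX document (bomFormat / specVersion / components) whose crypto assets
use the cryptoProperties model; the document below is constructed for the demo.
"""
import json
from collections import Counter

# Constructed sample resembling a small export: one app, one library, three assets.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "version": 1,
    "components": [
        {"type": "application", "name": "payments-api"},
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {
            "type": "cryptographic-asset", "name": "SHA-256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "hash", "cryptoFunctions": ["digest"]},
            },
            "evidence": {"occurrences": [{"location": "src/auth/token.py", "line": 42}]},
        },
        {
            "type": "cryptographic-asset", "name": "RSA",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "unknown"},  # ambiguous usage, exported conservatively
            },
            "evidence": {"occurrences": [{"location": "src/legacy/keys.py", "line": 7}]},
            # hypothetical property name; the page only states the crypto-discovery: namespace
            "properties": [{"name": "crypto-discovery:confidence", "value": "low"}],
        },
        {"type": "cryptographic-asset", "name": "TLS 1.2",
         "cryptoProperties": {"assetType": "protocol"}},
    ],
})


def parse_cyclonedx_content_type(header: str) -> tuple[str, str]:
    """Split 'application/vnd.cyclonedx+json; version=1.7' into (media type, version)."""
    media, _, params = header.partition(";")
    version = ""
    for param in params.split(";"):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "version":
            version = value.strip().strip('"')
    return media.strip(), version


def load_cbom(text: str) -> dict:
    """Parse the JSON and reject anything that is not a CycloneDX 1.6/1.7 document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if doc.get("specVersion") not in {"1.6", "1.7"}:
        raise ValueError(f"unsupported specVersion {doc.get('specVersion')!r}")
    return doc


def summarize(doc: dict) -> dict:
    """Count component types and primitives; list unknown-primitive assets with source locations."""
    components = doc.get("components", [])
    by_type = Counter(c.get("type", "?") for c in components)
    primitives: Counter = Counter()
    unknown = []
    for c in components:
        if c.get("type") != "cryptographic-asset":
            continue
        algo = c.get("cryptoProperties", {}).get("algorithmProperties")
        if algo is None:
            continue  # protocols, certificates and related material carry no primitive
        prim = algo.get("primitive", "unknown")
        primitives[prim] += 1
        if prim == "unknown":
            locs = [f"{o.get('location')}:{o.get('line', '?')}"
                    for o in c.get("evidence", {}).get("occurrences", [])]
            unknown.append({"name": c.get("name"), "locations": locs})
    return {"by_type": dict(by_type), "primitives": dict(primitives), "unknown": unknown}


def libraries_not_misclassified(doc: dict) -> bool:
    """Sanity check: library components (e.g. OpenSSL) must not carry cryptoProperties."""
    return all("cryptoProperties" not in c
               for c in doc.get("components", []) if c.get("type") == "library")


if __name__ == "__main__":
    media, version = parse_cyclonedx_content_type("application/vnd.cyclonedx+json; version=1.7")
    print(f"media type {media}, spec version {version}")
    cbom = load_cbom(SAMPLE_CBOM)
    print(json.dumps(summarize(cbom), indent=2))
    print("libraries clean:", libraries_not_misclassified(cbom))
```

To run it against a real download, replace SAMPLE_CBOM with the file fetched by the curl command above; the unknown list is the set of findings to review by hand before treating the CBOM as an inventory.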

Limitations

  • The export reflects what the scanner discovered; coverage of your codebase determines which assets appear. It is not, on its own, proof of complete organizational coverage or compliance.
  • SPDX CBOM is not exported — CycloneDX provides the dedicated CBOM object model this product targets.