SBOM
Software Bill of Materials for desktop apps in CycloneDX, SPDX, or native JSON format.
`GET /v1/apps/{bundleId}/sbom` — Software Bill of Materials for a desktop app. Returns all detected dependencies in standard SBOM formats compatible with vulnerability scanners such as Snyk, Grype, and Dependency-Track.
Plan required: Team
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| bundleId | path | yes | App bundle ID |
| format | string | no | json (default), cyclonedx (CycloneDX 1.5), spdx (SPDX 2.3) |
| version | string | no | Specific app version (default: latest) |
Example request
```bash
curl "https://api.desktopinsights.com/v1/apps/org.whispersystems.signal-desktop/sbom" \
  -H "Authorization: Bearer di_live_your_key_here"
```
Response (native JSON)
```json
{
  "data": {
    "app": {
      "name": "Signal",
      "bundleId": "org.whispersystems.signal-desktop",
      "version": "7.30.0",
      "runtime": "electron",
      "electronVersion": "40.4.1",
      "platform": "macos"
    },
    "generatedAt": "2026-03-15T00:00:00Z",
    "components": [
      {
        "name": "Electron",
        "version": "40.4.1",
        "type": "framework",
        "source": "embedded",
        "cpe": "cpe:2.3:a:electronjs:electron:40.4.1:*:*:*:*:*:*:*"
      },
      {
        "name": "Chromium",
        "version": "130.0.6723.116",
        "type": "framework",
        "source": "embedded",
        "cpe": "cpe:2.3:a:google:chromium:130.0.6723.116:*:*:*:*:*:*:*"
      },
      {
        "name": "better-sqlite3",
        "version": "11.1.2",
        "type": "library",
        "source": "npm",
        "license": "MIT"
      },
      {
        "name": "@signalapp/libsignal-client",
        "version": "0.52.1",
        "type": "library",
        "source": "npm",
        "license": "AGPL-3.0"
      }
    ],
    "summary": {
      "totalComponents": 106,
      "bySource": { "npm": 98, "embedded": 4, "native": 4 },
      "knownVulnerabilities": 2,
      "oldestDependency": { "name": "lodash", "version": "4.17.21", "age": "3 years" }
    },
    "licenseAnalysis": {
      "distribution": { "MIT": 62, "Apache-2.0": 18, "ISC": 8, "BSD-3-Clause": 5, "AGPL-3.0": 1, "unknown": 2 },
      "riskLevel": "high",
      "copyleftComponents": [{
        "name": "@signalapp/libsignal-client",
        "version": "0.52.1",
        "license": "AGPL-3.0",
        "risk": "AGPL requires source disclosure for network-accessible services using this library"
      }],
      "unknownLicenseComponents": [
        { "name": "internal-crypto-utils", "version": "1.0.0", "source": "npm" }
      ],
      "note": "1 AGPL dependency and 2 unknown-license dependencies flagged for legal review"
    }
  },
  "meta": {
    "requestId": "req_sbom123",
    "creditsUsed": 1,
    "creditsRemaining": 9994
  }
}
```
Output formats
Native JSON (default)
Our custom format with enriched metadata including license analysis, vulnerability counts, and CPE identifiers.
CycloneDX
`?format=cyclonedx` — Standard CycloneDX 1.5 JSON that plugs directly into Snyk, Wiz, Grype, Dependency-Track, and other vulnerability scanners.
SPDX
`?format=spdx` — Standard SPDX 2.3 JSON for compliance workflows and license auditing tools.
Component fields
| Field | Type | Description |
|---|---|---|
| name | string | Dependency name |
| version | string | Detected version |
| type | string | framework, library, or native |
| source | string | npm, embedded, native, cocoapods, spm, cargo |
| license | string | Detected license (e.g., MIT, Apache-2.0) |
| cpe | string | CPE identifier for vulnerability matching (when available) |
License analysis
The SBOM includes automated license risk assessment:
| Risk level | Meaning |
|---|---|
| none | All dependencies use permissive licenses |
| low | Minor copyleft (LGPL) or weak copyleft licenses present |
| medium | Some copyleft licenses (MPL-2.0) or a few unknown licenses |
| high | Strong copyleft (GPL, AGPL) or many unknown licenses |
Copyleft and unknown-license components are individually listed for legal review.
Use cases
Security teams
Feed SBOMs into vulnerability scanners to identify known CVEs in desktop app dependencies. This is especially important for Electron apps, which embed their own copy of Chromium.
M&A due diligence
Before acquiring a company, assess the license exposure of its desktop apps. Copyleft dependencies can create legal obligations that affect deal terms.
Compliance
Regulatory requirements increasingly mandate SBOM disclosure. Desktop Insights provides this for third-party apps your organization depends on.