Getting Started

Errors

BOM Doctor is rate limited by GitHub, so if you get a GitHub rate-limiting error, try again later. We also limit the number of evaluations per hour and per day; if you receive HTTP error 429 (Too Many Requests), wait and try again later.

BOM Doctor is publicly available at https://bomdoctor.sonatype.com/. You do not need to be a Sonatype customer to use it!

There are a few ways to get a checkup from the Doctor.

[Screenshot: the BOM Doctor landing page with three options for getting started]

Option 1: Add a GitHub Project URL

BOM Doctor can look up a GitHub project by its repository URL. Just copy/paste the URL and specify the branch name.

Note that BOM Doctor can only access public repositories.

Option 2: Search for a project (pURL)

BOM Doctor can also search for a project by Package URL (pURL). A pURL is a standard coordinate scheme that identifies a component and the public repository it is published in. We currently support Maven Central, with other repositories to come.

Learn how to create a Package URL in the pURL specification: https://github.com/package-url/purl-spec

Option 3: Upload a CycloneDX SBOM

BOM Doctor can make recommendations based on an SBOM in CycloneDX format.

CycloneDX is a modern, full-stack, versatile SBOM format. For a Maven project, generate a CycloneDX SBOM from your source repository with the following commands:

git clone <the github repo link>
cd <repo name>
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

Then, drag-and-drop or browse and upload your SBOM file.
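The example below is added here and is not part of BOM Doctor or the CycloneDX Maven plugin. It ties Option 2 and Option 3 together: it builds and parses Maven pURLs of the shape BOM Doctor searches on (pkg:maven/<group>/<artifact>@<version>), and runs a quick sanity check over a CycloneDX JSON SBOM before you upload it, flagging components whose purl is missing, malformed, or inconsistent with their declared coordinates. The SBOM content is constructed for the example, and the assumption that BOM Doctor keys its lookups on the component purl field is ours, not documented on this page.

```python
import json
import re
from urllib.parse import quote, unquote

# Constructed CycloneDX 1.4 JSON SBOM, trimmed to the fields the check needs.
# The coordinates are illustrative and do not refer to a real project.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.example", "name": "example-lib",
         "version": "1.2.3",
         "purl": "pkg:maven/org.example/example-lib@1.2.3?type=jar"},
        {"type": "library", "group": "org.example", "name": "no-purl",
         "version": "0.1"},
    ],
})

# pURL grammar: pkg:type/namespace/name@version?qualifiers#subpath
# (namespace, version, qualifiers and subpath are optional).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]+))?(?:#(?P<subpath>.*))?$"
)


def maven_purl(group: str, artifact: str, version: str, **qualifiers: str) -> str:
    """Build the pURL for a Maven Central component.

    Each segment is percent-encoded on its own (safe="" so that a '/' inside a
    segment is encoded rather than being read as a path separator), and
    qualifier keys are lowercased and sorted so equal components yield
    byte-identical pURLs.
    """
    purl = (f"pkg:maven/{quote(group, safe='')}/{quote(artifact, safe='')}"
            f"@{quote(version, safe='')}")
    if qualifiers:
        qs = "&".join(f"{k.lower()}={quote(v, safe='')}"
                      for k, v in sorted(qualifiers.items()))
        purl += "?" + qs
    return purl


def parse_purl(purl: str) -> dict:
    """Split a pURL into its decoded parts; raise ValueError if it is not one."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a pURL: {purl!r}")
    parts = {k: (unquote(v) if v is not None else None)
             for k, v in m.groupdict().items() if k != "qualifiers"}
    quals = {}
    for pair in (m.group("qualifiers") or "").split("&"):
        if pair:
            k, _, v = pair.partition("=")
            quals[k.lower()] = unquote(v)
    parts["qualifiers"] = quals
    return parts


def check_bom(bom_json: str) -> dict:
    """Pre-upload sanity check for a CycloneDX JSON SBOM.

    Returns the component count plus three lists: top-level format problems,
    components with no purl (assumed: nothing for BOM Doctor to look up), and
    purls that do not parse or disagree with the component's own coordinates.
    """
    bom = json.loads(bom_json)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in bom:
        problems.append("specVersion missing")
    components = bom.get("components", [])
    missing_purl, bad_purl = [], []
    for c in components:
        purl = c.get("purl")
        if not purl:
            missing_purl.append(c.get("name", "?"))
            continue
        try:
            p = parse_purl(purl)
        except ValueError:
            bad_purl.append(purl)
            continue
        # For Maven, the purl must match the declared group/name/version,
        # otherwise the lookup would be for a different artifact.
        declared = (c.get("group"), c.get("name"), c.get("version"))
        if p["type"] == "maven" and (p["namespace"], p["name"], p["version"]) != declared:
            bad_purl.append(purl)
    return {"components": len(components), "problems": problems,
            "missing_purl": missing_purl, "bad_purl": bad_purl}


if __name__ == "__main__":
    print(maven_purl("org.example", "example-lib", "1.2.3", type="jar"))
    print(json.dumps(check_bom(SAMPLE_BOM), indent=2))
```

Run it against your own file with `check_bom(open("target/bom.json").read())` after the Maven command above; a non-empty `missing_purl` or `bad_purl` list tells you which components BOM Doctor is unlikely to be able to match before you spend an evaluation on the upload.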

Up Next

Viewing Your Results