Software Bill of Materials

Has anyone approached the problem of how to create a Software Bill of Materials (SBOM) for an Outsystems solution?

An SBOM lists all elements that are used by a software solution, including any libraries, open source components or proprietary software products. It is required in some regulatory regimes and aids the identification of security risks and threats.

Within the Outsystems platform, I can of course report which modules make up my application, and I could identify which modules come from the Forge. However I cannot see an easy way to go to the next level, and identify which Forge components are utilising open-source libraries.

Any suggestions or solutions would be welcome!

I think listing out the modules used in all applications should be fair enough. Make sure you include version numbers only if the authorities insist. It won't make sense to drill down deeper, as there's no end to it.

The libraries used inside modules and extensions, collectively build up the whole module. If you dive deeper, those libraries might also use some other third-party libraries in recursion, which may eventually take you to the binary conversions of +6 and -6 voltages of electricity :)

Just submit it with the list of modules you're utilising and since it is for regulatory purpose, you'll be doing your duty to best identify the list of third party libraries used by your application.

Hi Darren,

I would imagine that this is something you want to do at some point in your delivery pipeline on the built codebase (.net, javascript, css...) that comes out of the Outsystems models when publishing / deploying.

I know nothing about this type of stuff, but I would look in direction of something like integrating with Jenkins and using some available SBOM tool that works together with Jenkins.

See this session next week for integrating with Jenkins.


Hi @Dorine Boudry 

When I click your link this shows met Nest step 2022 is over.

Hi Darren,

I'm in the same spot you were 1 year ago. 

Did you manage the get something, how?


I didn't really make much progress on this and added it to the "too hard" pile!

There are tools out there that will generate an SBOM from source code, but that requires me to intercept the code that Outsystems generates upon compilation/publishing, which didn't seem a reliable way of doing things.

I have generated a list of all modules/extensions in my solution by querying the system entities, and using the Extended Metamodel forge component, I can identify which of those came from the Forge. I left it at that for the moment, until I get a customer requirement that needs me to go futher.

Of course, you could download all extensions, open them one-by-one and "edit source code" which will extract the contents, and run such a tool on that. Quite labour-intensive, but it could be done. As for the Platform itself, you'd probably have to ask OutSystems Support. They won't use any GPLed libraries, so probably BCD-licenced stuff.


I know OutSystems is working on downloading the generated source code, I don’t know the expected release date but I think this will be soon since EAP are closed and the page tells you there finalising the features, if you online need a copy once for now, I heard you could ask OutSystems Support of a copy of the code, but i’ve never done that, 

Together with the new features coming, and the session Dorine shared you could setup a automated SBOM generator.

Hi Damian,

How do you "know" this? Because I haven't heard anything about that, and typically MVPs are in the loop on such things.

Hi Kilian, 

I’ve seen it on the early access page, and I saw it on the lifetime api documentation, but this is removed now. 

On our environment lifetime api I can see the calls, but the platforms servers are not enabled to handle the requests, 

That is the only thing I know, because you can’t find any information of an expected release date,

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.