Description
A ValidationException error is returned for ScanSbom when the format limit of 5000 components is exceeded. ScanSbom supports a maximum of 5,000 components per request and supports a maximum response size of 10MB (compressed or uncompressed).
This error indicates that the SBOM's components array is too large for a single Inspector Scan API call.
The entire SBOM can still be scanned via a segmented approach: divide the SBOM into smaller sections, each containing no more than 5000 components, then process these segments individually through the Inspector Scan API.
Understand and validate SBOM structure
All SBOMs emitted by Inspector’s SBOM Generator conform to the CycloneDX 1.5 spec. To ensure the split documents remain valid (and include every required element), validate each chunk against the official schema:
CycloneDX 1.5 specification:
https://cyclonedx.org/specification/overview/
CycloneDX 1.5 documentation:
https://cyclonedx.org/docs/1.6/json/
CycloneDX 1.5 JSON schema:
https://cyclonedx.org/schema/bom-1.5.schema.json
Count and scan chunks
- Count the total number of items in the components array.
  - If the count is over 5000, decide on a chunk size (e.g. 4000-4500 components, to leave headroom below the limit).
  - Once a chunk size (less than 5000) is decided, extract and split the components array.
  - Make sure each chunk retains the original SBOM's header metadata; only the components array should change.
  - Reassemble each SBOM chunk.
- Preparing chunked SBOMs
  - For each slice of components, create a new SBOM document with the same header metadata.
  - Validate the resulting SBOMs to ensure they are well-formed.
- Scan each chunk with the Inspector Scan API
  - Loop through each SBOM chunk and call the Inspector Scan API.
  - For each call, collect the distinct scan results.
- Merging scan results
  - Once all chunks have finished scanning, combine the results into a single report and deduplicate overlapping vulnerabilities, since the same vulnerability can appear in multiple chunks.
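The procedure above as an added Python example (not code from this repository): it splits a CycloneDX 1.5 document into chunks that keep the original header, runs a minimal structural check on each chunk, scans them through an injectable `scan_fn`, and merges the per-chunk reports by vulnerability `id`. It assumes the scan output is CycloneDX 1.5 with a `vulnerabilities` array whose entries carry `id` and `affects[].ref`; `scan_with_inspector` wraps the boto3 `inspector-scan` client's `scan_sbom` call and is the only part that needs AWS credentials.

```python
import copy
from typing import Callable
MAX_COMPONENTS = 5000  # ScanSbom per-request limit

def split_sbom(sbom: dict, chunk_size: int = 4500) -> list[dict]:
    """Split into chunks of <= chunk_size components; header fields are copied unchanged."""
    if not 1 <= chunk_size <= MAX_COMPONENTS:
        raise ValueError("chunk_size must be between 1 and 5000")
    components = sbom.get("components", [])
    header = {k: v for k, v in sbom.items() if k != "components"}
    chunks = []
    for start in range(0, max(len(components), 1), chunk_size):
        chunk = copy.deepcopy(header)  # each chunk gets its own copy of the metadata
        chunk["components"] = components[start:start + chunk_size]
        chunks.append(chunk)
    return chunks

def validate_chunk(chunk: dict) -> None:
    """Minimal structural check; use the CycloneDX 1.5 JSON schema for full validation."""
    if chunk.get("bomFormat") != "CycloneDX" or chunk.get("specVersion") != "1.5":
        raise ValueError("chunk is not a CycloneDX 1.5 document")
    if len(chunk.get("components", [])) > MAX_COMPONENTS:
        raise ValueError("chunk exceeds the 5000-component limit")

def merge_results(results: list[dict]) -> dict:
    """Merge per-chunk CycloneDX scan output, deduplicating vulnerabilities by id."""
    merged: dict[str, dict] = {}
    for result in results:
        for vuln in result.get("vulnerabilities", []):
            entry = merged.setdefault(vuln["id"], {**vuln, "affects": []})
            seen = {a["ref"] for a in entry["affects"]}
            for affected in vuln.get("affects", []):
                if affected["ref"] not in seen:  # same id in two chunks: union the refs
                    entry["affects"].append(affected)
                    seen.add(affected["ref"])
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": list(merged.values())}

def scan_chunked(sbom: dict, scan_fn: Callable[[dict], dict], chunk_size: int = 4500) -> dict:
    """Split, validate, scan each chunk with scan_fn, then merge the reports."""
    results = []
    for chunk in split_sbom(sbom, chunk_size):
        validate_chunk(chunk)
        results.append(scan_fn(chunk))
    return merge_results(results)

def scan_with_inspector(chunk: dict) -> dict:
    """Real scan_fn: boto3 Inspector Scan API (needs boto3 and AWS credentials)."""
    import boto3  # lazy import so the rest of the module runs offline
    client = boto3.client("inspector-scan")
    return client.scan_sbom(sbom=chunk, outputFormat="CYCLONE_DX_1_5")["sbom"]
```

For a real run, call `scan_chunked(sbom, scan_with_inspector)`; the 10MB response limit still applies per chunk, so reduce `chunk_size` further if a chunk's report is rejected for size.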