SPDX REST API
The SPDX REST API returns an SPDX SBOM document (in both XML and JSON formats) containing coordinates, licenses, and dependencies for components in an IQ Server-generated application scan report. This REST API supports all component formats.
Methods supported:
GET
To use the SPDX REST API, first retrieve the application's internal ID and then pass it as a path parameter.
Step 1: Get the internal application ID
Use the Application REST API with the application's public ID to retrieve the internal application ID of the application for which you need to generate the SBOM.
GET /api/v2/applications?publicId={YourPublicId}
Step 2: Generate the SBOM
Use the internal application ID from step 1 to generate the SPDX SBOM document.
GET /api/v2/spdx/{applicationInternalId}/reports/{scanId}
scanId corresponds to the application scan for which an IQ Server report was created.
This API can also return the SBOM for the latest evaluation of the application at a given stage, by specifying the stageId in the path instead of a scanId.
GET /api/v2/spdx/{applicationInternalId}/stages/{stageId}
Possible values for stageId are build, stage-release, release, operate.
Optional Query Parameters
Both the endpoints above support these optional query parameters:
Query Parameter | Description | Accepted Values | Default Value |
---|---|---|---|
format | SPDX SBOM file format | json, xml | json |
spdxVersion | SPDX SBOM specification version (planned support for future versions) | 2.3 | 2.3 |
generateCycloneDx | If set to "true" the SPDX SBOM file and its CycloneDx SBOM equivalent will be returned together as a tar.gz archive | true, false | false |
Example to generate an SPDX SBOM file in XML format
curl -u admin:admin123 -X GET http://localhost:8070/api/v2/spdx/b7b2b2cc9c864ea59eb7fa0fb1d7f9ff/reports/bfdb562fad2443e593357b67eb4095e7?format=xml
Example to generate both SPDX and CycloneDx SBOM files as a tar.gz archive, in JSON format (the URL is quoted because an unquoted & would make the shell background the curl command and drop the generateCycloneDx parameter)
curl -u admin:admin123 -O -J -X GET "http://localhost:8070/api/v2/spdx/b7b2b2cc9c864ea59eb7fa0fb1d7f9ff/reports/bfdb562fad2443e593357b67eb4095e7?format=json&generateCycloneDx=true"
Response
If you ran curl with the -O -J options (see the example above), a file named {applicationPublicId}-{stage}-{scanId}.spdx.[xml|json] is created in the current directory; otherwise the document is written to standard output.
Sample JSON Response
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-07-05T15:19:44Z",
    "creators": [ "Tool: Sonatype IQ Server - 1.165.0-01" ]
  },
  "documentNamespace": "http://localhost:8070/ui/links/application/local-iq-app/report/d6ffc430f2594d2480c7af837eb2a5b6",
  "packages": [
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(AGPL-3.0 AND MIT)",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-annotations",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.sonatype.testing/pr-comment-02@1.0-SNAPSHOT?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(Not-Declared AND No-Sources)",
      "licenseDeclared": "(Not-Declared AND No-Sources)",
      "name": "com.sonatype.testing:pr-comment-02",
      "versionInfo": "1.0-SNAPSHOT"
    },
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar", "referenceType": "purl" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105", "referenceType": "advisory" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832", "referenceType": "advisory" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-core",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar", "referenceType": "purl" },
        { "comment": "source: SONATYPE", "referenceCategory": "SECURITY", "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(Apache-2.0 AND MIT)",
      "licenseDeclared": "(Apache-2.0 AND MIT)",
      "name": "com.fasterxml.jackson.core:jackson-core",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-api",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-databind",
      "versionInfo": "2.14.0"
    }
  ],
  "relationships": [
    { "spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT" },
    { "spdxElementId": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0" },
    { "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0" }
  ]
}
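The two-step procedure above (resolve the internal application ID, then fetch the SPDX document with the optional query parameters) and a first triage pass over a response shaped like the sample, as an added example that is not Sonatype's code. It assumes an IQ Server at IQ_URL reachable with HTTP basic auth, and that the Application REST API answers with an "applications" list whose entries carry an "id" field (an assumption to verify against your server). SAMPLE_DOC is a constructed, trimmed copy of the sample response so the triage functions can run offline; the network functions are only exercised against a live server.

```python
"""Two-step SPDX SBOM retrieval from IQ Server plus a triage pass over the document.
Added example, not Sonatype's code. Assumes IQ Server at IQ_URL with HTTP basic auth and an
Application REST API response shaped {"applications": [{"id": ...}]} (verify on your server)."""
import base64
import json
import urllib.parse
import urllib.request

IQ_URL = "http://localhost:8070"   # assumption: local IQ Server
STAGES = ("build", "stage-release", "release", "operate")

def _get(url, auth):
    """GET url with basic auth, auth = (user, password); returns the raw body."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def internal_application_id(public_id, auth):
    """Step 1: resolve the application's public ID to its internal ID."""
    url = f"{IQ_URL}/api/v2/applications?{urllib.parse.urlencode({'publicId': public_id})}"
    apps = json.loads(_get(url, auth)).get("applications", [])   # assumed response shape
    if len(apps) != 1:
        raise LookupError(f"expected one application for {public_id!r}, got {len(apps)}")
    return apps[0]["id"]

def sbom_url(app_id, *, scan_id=None, stage_id=None, fmt="json", cyclonedx=False):
    """Step 2: URL for the report or stage variant plus the optional query parameters."""
    if (scan_id is None) == (stage_id is None):
        raise ValueError("pass exactly one of scan_id or stage_id")
    if stage_id is not None and stage_id not in STAGES:
        raise ValueError(f"stageId must be one of {STAGES}")
    tail = f"reports/{scan_id}" if scan_id else f"stages/{stage_id}"
    params = {"format": fmt}
    if cyclonedx:
        params["generateCycloneDx"] = "true"   # the response is then a tar.gz archive
    return f"{IQ_URL}/api/v2/spdx/{app_id}/{tail}?{urllib.parse.urlencode(params)}"

def security_refs(doc):
    """Package SPDXID -> advisory locators from its SECURITY external references."""
    found = {p["SPDXID"]: [r["referenceLocator"] for r in p.get("externalRefs", [])
                           if r.get("referenceCategory") == "SECURITY"]
             for p in doc.get("packages", [])}
    return {spdx_id: locators for spdx_id, locators in found.items() if locators}

def license_mismatches(doc):
    """(name, declared, concluded) for packages whose concluded license differs."""
    return [(p["name"], p["licenseDeclared"], p["licenseConcluded"])
            for p in doc.get("packages", []) if p["licenseDeclared"] != p["licenseConcluded"]]

def dependency_paths(doc, target):
    """Every DEPENDS_ON chain from the DESCRIBES root down to target; cycle-safe."""
    root, edges, paths = None, {}, []
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == "SPDXRef-DOCUMENT":
            root = rel["relatedSpdxElement"]
        elif rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:          # never revisit a node already on this chain
                walk(child, path + [child])
    if root is not None:
        walk(root, [root])
    return paths

# Constructed sample: a trimmed copy of the page's JSON response (same IDs and refs).
ROOT = "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT"
LOG4J_CORE = "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
LOG4J_API = "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
ANNOTATIONS = "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
CVE = "http://cve.mitre.org/cgi-bin/cvename.cgi?name="

def _ref(category, locator, rtype):
    return {"referenceCategory": category, "referenceLocator": locator, "referenceType": rtype}

SAMPLE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": LOG4J_CORE, "name": "org.apache.logging.log4j:log4j-core", "versionInfo": "2.16.0",
         "licenseDeclared": "Apache-2.0", "licenseConcluded": "Apache-2.0",
         "externalRefs": [_ref("PACKAGE-MANAGER", "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar", "purl"),
                          _ref("SECURITY", CVE + "CVE-2021-45105", "advisory"),
                          _ref("SECURITY", CVE + "CVE-2021-44832", "advisory")]},
        {"SPDXID": ANNOTATIONS, "name": "com.fasterxml.jackson.core:jackson-annotations", "versionInfo": "2.14.0",
         "licenseDeclared": "Apache-2.0", "licenseConcluded": "(AGPL-3.0 AND MIT)",
         "externalRefs": [_ref("PACKAGE-MANAGER", "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar", "purl")]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": ROOT},
        {"spdxElementId": ROOT, "relationshipType": "DEPENDS_ON", "relatedSpdxElement": LOG4J_CORE},
        {"spdxElementId": ROOT, "relationshipType": "DEPENDS_ON", "relatedSpdxElement": ANNOTATIONS},
        {"spdxElementId": LOG4J_CORE, "relationshipType": "DEPENDS_ON", "relatedSpdxElement": LOG4J_API},
    ],
}
```

Against a live server, `json.loads(_get(sbom_url(internal_application_id("local-iq-app", auth), scan_id=SCAN_ID), auth))` returns the document; only request `cyclonedx=True` when you intend to write the body to disk, since that variant returns a tar.gz archive rather than JSON. On the sample, `security_refs` picks out log4j-core with its two advisory locators, `dependency_paths` shows it is reached directly from the described root, and `license_mismatches` flags jackson-annotations, whose concluded license differs from the declared one; those are the three fields a reviewer usually wants first from an SPDX report.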
Sample XML Response
<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2023-07-05T15:22:50Z</created>
    <creators>Tool: Sonatype IQ Server - 1.165.0-01</creators>
  </creationInfo>
  <documentNamespace>http://localhost:8070/ui/links/application/local-iq-app/report/d6ffc430f2594d2480c7af837eb2a5b6</documentNamespace>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(AGPL-3.0 AND MIT)</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-annotations</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.sonatype.testing/pr-comment-02@1.0-SNAPSHOT?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(Not-Declared AND No-Sources)</licenseConcluded>
    <licenseDeclared>(Not-Declared AND No-Sources)</licenseDeclared>
    <name>com.sonatype.testing:pr-comment-02</name>
    <versionInfo>1.0-SNAPSHOT</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-core</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: SONATYPE</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
    <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-core</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-api</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-databind</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
  </relationships>
</Document>