Skip to main content

Third-Party Scan REST API

Third-Party Scan REST API allows for components to be scanned using a software bill of materials or SBOM.

Use cases:

  • Program analysis has already identified the data. The data will go through the policy engine and be shown in an Application Composition Report.

  • Sonatype IQ Server performs the program analysis and identifies the data. Then goes through the policy engine and shows an Application Composition Report.

User Permissions Required to Invoke this API call

  • Evaluate Applications

Get the Application ID

Select the application for which you want to evaluate your component. Copy the application ID located under the application name in Lifecycle UI. This is {YourPublicId}.

Retrieve the internal application ID using GET:

GET /api/v2/applications?publicId={YourPublicId}

Using the cURL command:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/applications?publicId=MyApplicationID'

Response

The response contains the value for the internal application ID, e.g. "id": "9beee80c6fc148dfa51e8b0359ee4d4e"

{
    "applications": [
        {
            "id": "4537e6fe68c24dd5ac83efd97d4fc2f4",
            "publicId": "MyApplicationID",
            "name": "MyApplication",
            "organizationId": "bb41817bd3e2403a8a52fe8bcd8fe25a",
            "contactUserName": "NewAppContact",
            "applicationTags": [
                {
                    "id": "9beee80c6fc148dfa51e8b0359ee4d4e",
                    "tagId": "cfea8fa79df64283bd64e5b6b624ba48",
                    "applicationId": "4bb67dcfc86344e3a483832f8c496419"
                }
            ]
        }
    ]
}

Step 2 - Submit SBOM for evaluation

The API allows valid SBOM files (see the Supported versions and Compatibility section below) to be evaluated against IQ server policies. Refer to CycloneDX and SPDX for more information.

Use the POST request to submit the SBOM for evaluation as below:

POST /api/v2/scan/applications/{applicationInternalId}/sources/{source}?stageId={stageId}

stageIdparam is optional, default value is build. Other allowed values include: develop, stage-release, release, and operate.

source is used to specify the source of the SBOM file or the tool used to create the SBOM.

Added to this will be aCycloneDX SBOM XML formatted body where {version} is 1.5:

<bom xmlns="http://cyclonedx.org/schema/bom/{version}" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
    </component>
  </components>
</bom>

Supported versions and Compatibility

CycloneDX

IQ Release

BOM Specification

Vulnerability Specification

Supported Formats

77

1.1

XML

78

1.0

XML

81

license element support

XML

114

1.2

1.0

XML

117

1.3

1.0

XML

134

1.4

XML + JSON

170

1.5

XML + JSON

Warning

Support for CycloneDX vulnerability schema 1.0 XML extension is deprecated with BOM specification 1.4, and you must use the vulnerabilities type included with version 1.4. (You could however still use it with previous BOM specification versions)

SPDX

IQ Release

BOM Specification

Supported Formats

166

2.3

XML + JSON

Examples of Valid SBOM Payload

CycloneDX version 1.5 in XML format Expand source

<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>acme-library</name>
      <version>1.0.0</version>
      <hashes>
        <hash alg="SHA-1">9188560f22e0b73070d2efce670c74af2bdf30af</hash>
        <hash alg="SHA-256">d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964</hash>
      </hashes>
      <cpe>cpe:/a:acme:application:9.1.1</cpe>
    </component>
    <component type="library">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.8.0</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</purl>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability>
      <id>CVE-2018-7489</id>
      <source>
        <name>NVD</name>
        <url>https://nvd.nist.gov/vuln/detail/CVE-2019-9997</url>
      </source>
      <ratings>
        <rating>
          <source>
            <name>NVD</name>
            <url>https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0</url>
          </source>
          <score>9.8</score>
          <severity>critical</severity>
          <method>CVSSv3</method>
          <vector>AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vector>
        </rating>
      </ratings>
      <cwes>
        <cwe>184</cwe>
        <cwe>502</cwe>
      </cwes>
      <description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</description>
      <recommendation>Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.</recommendation>
      <advisories>
        <advisory>
          <title>GitHub Commit</title>
          <url>https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2</url>
        </advisory>
      </advisories>
      <created>2021-01-01T00:00:00.000Z</created>
      <published>2021-01-01T00:00:00.000Z</published>
      <updated>2021-01-01T00:00:00.000Z</updated>
      <analysis>
        <state>not_affected</state>
        <justification>code_not_reachable</justification>
        <responses>
          <response>will_not_fix</response>
          <response>update</response>
        </responses>
        <detail>An optional explanation of why the application is not affected by the vulnerable component.</detail>
      </analysis>
      <affects>
        <target>
          <ref>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</ref>
        </target>
      </affects>
    </vulnerability>
  </vulnerabilities>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar" />
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
  </dependencies>
</bom>

CycloneDX version 1.5 in JSON format Expand source

{
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
      "timestamp": "2022-02-21T17:20:41Z",
      "component": {
         "name": "Acme Application",
         "version": "9.1.1",
         "type": "application",
         "bom-ref": "acme-app"
      }
   },
   "components": [
      {
         "name": "acme-library",
         "version": "1.0.0",
         "hashes": [
            {
               "alg": "SHA-1",
               "content": "9188560f22e0b73070d2efce670c74af2bdf30af"
            },
            {
               "alg": "SHA-256",
               "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964"
            }
         ],
         "cpe": "cpe:/a:acme:application:9.1.1",
         "type": "library"
      },
      {
         "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind",
         "version": "2.8.0",
         "licenses": [
            {
               "license": {
                  "id": "Apache-2.0"
               }
            }
         ],
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar",
         "type": "library"
      }
   ],
   "dependencies": [
      {
         "ref": "acme-app",
         "dependsOn": [
            "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
            "pkg:maven/org.acme/persistence@3.1.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
         "dependsOn": [
            "pkg:maven/org.acme/common-util@3.0.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/persistence@3.1.0?type=jar",
         "dependsOn": [
            "pkg:maven/org.acme/common-util@3.0.0?type=jar"
         ]
      },
      {
         "ref": "pkg:maven/org.acme/common-util@3.0.0?type=jar",
         "dependsOn": []
      }
   ],
   "vulnerabilities": [
      {
         "id": "CVE-2018-7489",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
               },
               "score": 9.8,
               "severity": "critical",
               "method": "CVSSv3",
               "vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "cwes": [
            184,
            502
         ],
         "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
         "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
         "advisories": [
            {
               "title": "GitHub Commit",
               "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
            }
         ],
         "created": "2021-01-01T00:00:00Z",
         "published": "2021-01-01T00:00:00Z",
         "updated": "2021-01-01T00:00:00Z",
         "analysis": {
            "state": "not_affected",
            "justification": "code_not_reachable",
            "response": [
               "will_not_fix",
               "update"
            ],
            "detail": "An optional explanation of why the application is not affected by the vulnerable component."
         },
         "affects": [
            {
               "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar"
            }
         ]
      }
   ]
}

SPDX version 2.3 in XML format Expand source

<?xml version='1.0' encoding='UTF-8'?>
<Document>
    <SPDXID>SPDXRef-DOCUMENT</SPDXID>
    <spdxVersion>SPDX-2.3</spdxVersion>
    <creationInfo>
        <created>2023-08-21T16:49:07Z</created>
        <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
    </creationInfo>
    <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
    <dataLicense>CC0-1.0</dataLicense>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-No-Sources</licenseId>
        <extractedText>No-Sources</extractedText>
    </hasExtractedLicensingInfos>
    <hasExtractedLicensingInfos>
        <licenseId>LicenseRef-Not-Declared</licenseId>
        <extractedText>Not-Declared</extractedText>
    </hasExtractedLicensingInfos>
    <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-api</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
        <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-core</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-databind</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-core</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-annotations</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
        <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
        <name>com.sonatype.testing:test-app</name>
        <versionInfo>1.0.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
        <downloadLocation>NOASSERTION</downloadLocation>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>NOASSERTION</licenseConcluded>
        <licenseDeclared>NOASSERTION</licenseDeclared>
        <name>sonatype:iq_application_Test App 01</name>
        <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
    </packages>
    <relationships>
        <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
        <relationshipType>DESCRIBES</relationshipType>
        <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
    </relationships>
</Document>

SPDX version 2.3 in JSON format Expand source

{
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
        "created": "2023-08-21T16:46:39Z",
        "creators": [
            "Tool: Sonatype IQ Server - 1.166.0"
        ]
    },
    "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
    "dataLicense": "CC0-1.0",
    "hasExtractedLicensingInfos": [
        {
            "licenseId": "LicenseRef-No-Sources",
            "extractedText": "No-Sources"
        },
        {
            "licenseId": "LicenseRef-Not-Declared",
            "extractedText": "Not-Declared"
        }
    ],
    "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
    "packages": [
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-api",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: SONATYPE",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(Apache-2.0 AND MIT)",
            "licenseDeclared": "(Apache-2.0 AND MIT)",
            "name": "com.fasterxml.jackson.core:jackson-core",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-databind",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
                    "referenceType": "advisory"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
                    "referenceType": "advisory"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-core",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-annotations",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
            "name": "com.sonatype.testing:test-app",
            "versionInfo": "1.0.0"
        },
        {
            "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "name": "sonatype:iq_application_Test App 01",
            "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
        }
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0"
        }
    ]
}

Note

Note: In the unlikely case of the same component being found more than once in the BOM, only the data of the first component will be processed/shown.

When package-URL is Not Available

  • A component can be specified using the coordinates tags:

    • <name>: mandatory (even when <purl> is set)

    • <version>: mandatory (even when <purl> is set)

    • <group>: optional

    • <publisher>: optional

In addition, each component can include license data as shown in the example below.

<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
    </component>
  </components>
</bom>

2. A component can be specified using its content hash (SHA-1) along with its name and version:

<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
xmlns="http://cyclonedx.org/schema/bom/1.4">
   <components>
       <component type="library">
            <name>tomcat-catalina</name>
            <version>9.0.16</version>
            <hashes>
                 <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
            </hashes>
        </component>
   </components>
</bom>

Components may include cpe and swid tags to identify the component when a package-URL is not provided. These tags are read and preserved when available.

<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
    <components>
        <component type="library">
            <name>tomcat-catalina</name>
            <version>9.0.14</version>
            <hashes>
               <hash alg="SHA-1">e7b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
            </hashes>
            <swid tagId="swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.0.14" name="Apache Tomcat" version="9.0.14">
               <text content-type="text/xml" encoding="base64">PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==</text>
            </swid>
        </component>
        <component type="library">
            <name>log4j</name>
            <version>2.12.2</version>
            <hashes>
                <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
            </hashes>
            <cpe>cpe:2.3:a:apache:log4j:2.12.2:rc1:*:en:*:*:*:*</cpe>
        </component>
    </components>
</bom>

Together, this should look like this:

curl -u admin:admin123 -X POST -H "Content-Type: application/xml" -d '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"> <components> <component type="library"> <publisher>Apache</publisher> <group>org.apache.tomcat</group> <name>tomcat-catalina</name> <version>9.0.14</version> <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl> </component> </components> </bom>' 'http://localhost:8070/api/v2/scan/applications/4537e6fe68c24dd5ac83efd97d4fc2f4/sources/cyclone'

Response

A successful POST will result in JSON formatted data providing a confirmation that the evaluation was submitted.

{
    "statusUrl": "api/v2/scan/applications/a20bc16e83944595a94c2e36c1cd228e/status/9cee2b6366fc4d328edc318eae46b2cb"
}

Step 3 - Checking Status URL to get scan result

Use the statusUrlfrom the response of step 2 above, to check the status of the scan,using the GET:

GET /api/v2/scan/applications/{applicationInternalId}/status/{statusId}

Using the cURL command:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/scan/applications/a20bc16e83944595a94c2e36c1cd228e/status/9cee2b6366fc4d328edc318eae46b2cb'

Response

A successful GET will result in JSON response object containing scan results.

  • Response when the scan report is ready:

{
    "policyAction": "None",
    "reportHtmlUrl": "http://localhost:8070/ui/links/application/my-app/report/95c4c14e",
    "isError": false,
    "componentsAffected": {
        "critical": 0,
        "severe": 0,
        "moderate": 0
    },
    "openPolicyViolations": {
        "critical": 0,
        "severe": 0,
        "moderate": 0
    },
    "grandfatheredPolicyViolations": 0
        "legacyViolations":0
}

2. Response when the scan report is ready, showing policy actions (available policy actions are None, Warning, and Failure):

{
    "policyAction": "Failure",
    "reportHtmlUrl": "http://localhost:8070/ui/links/application/my-app/report/95c4c14e",
    "isError": false,
    "componentsAffected": {
        "critical": 1,
        "severe": 0,
        "moderate": 0
    },
    "openPolicyViolations": {
        "critical": 2,
        "severe": 1,
        "moderate": 0
    },
    "grandfatheredPolicyViolations": 0
        "legacyViolations":0
 }

3. When the scan/report is not ready yet, this message is returned with HTTP Status 404:

Report with status id a20bc16e83944595a94c2e36c1cd228e for application with id a20bc16e83944595a94c2e36c1cd228e is not ready.

4. When the scan does not exist in IQ Server, this message is returned with HTTP Status 404:

Policy evaluation status with id a20bc16e83944595a94c2e36c1cd228e for public application id cyclone was not found.

5. When there is an error while doing the scan:

{
    "isError": true,
    "errorMessage": “Unable to evaluate policy, the scan 123456783944595a94c2e36c1cd228e could not be processed.”
}

6. Response with additional report URLs (pdf, raw, embeddable). All report URLs are relative URLs.

{
    "policyAction": "Failure",
    "reportHtmlUrl": "ui/links/application/my-app/report/95c4c14e",
        "reportPdfUrl": "ui/links/application/my-app/report/95c4c14e/pdf",
        "reportDataUrl": "api/v2/applications/my-app/reports/95c4c14e/raw",
        "embeddableReportHtmlUrl": "ui/links/application/my-app/report/95c4c14e/embeddable"
    "isError": false,
    "componentsAffected": {
        "critical": 1,
        "severe": 0,
        "moderate": 0
    },
    "openPolicyViolations": {
        "critical": 2,
        "severe": 1,
        "moderate": 0
    },
    "grandfatheredPolicyViolations": 0
        "legacyViolations":0
}

7. Response when CycloneDX SBOM includes a dependency graph along with the parent component data in the metadata element, including dependency information and InnerSource insight data:

<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>    
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
      <purl>pkg:maven/org.acme/acme-app@9.1.1?type=jar</purl>
    </component>
  </metadata>
  <components>
    <component type="framework" bom-ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <group>org.acme</group>
      <name>web-framework</name>
      <version>1.0.0</version>
      <purl>pkg:maven/org.acme/web-framework@1.0.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <group>org.acme</group>
      <name>persistence</name>
      <version>3.1.0</version>
      <purl>pkg:maven/org.acme/persistence@3.1.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/common-util@3.0.0?type=jar">
      <group>org.acme</group>
      <name>common-util</name>
      <version>3.0.0</version>
      <purl>pkg:maven/org.acme/common-util@3.0.0?type=jar</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar"/>
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
  </dependencies>
</bom>

Note

As part of our inclusive language initiatives stemming from one of Sonatype's core values "Embrace Inclusion", the response field grandfathered Policy Violations has been deprecated.

Use the legacyViolationCount response field.

Refer to Managing Legacy Violations for more information.