Component Details REST API - v2

The Component Details API provides all security vulnerability, license, age, and popularity information available to Sonatype for a specified component. It does not include any information about policy violations for an evaluated application.

If you are looking for component information for a component that has been evaluated as part of an application, please see the Component Details by Report API.

This API uses a POST REST resource.

Below, we have provided a step-by-step example using the HTTP client cURL, though any HTTP client could be used.

Step 1: Get the Component Hash or Component Identifier

Depending on the type of component and the information you have, the API allows you to specify the component hash or the component identifier (or its equivalent package URL). In our example we’ll be searching using Maven coordinates.

If desired, you can specify more than one component.

Step 2: Submit the Specified Component to Retrieve Details

First let’s take a look at the POST resource:

POST api/v2/components/details

You will also need to include JSON data specifying the component information you are providing.

{
  "components": [
    {
      "hash": null,
      "componentIdentifier": {
        "format": "maven",
        "coordinates": {
          "artifactId": "tomcat-util",
          "extension": "jar",
          "groupId": "tomcat",
          "version": "5.5.23"
        }
      }
    }
  ]
}

Putting this together with the cURL command, as well as including the IQ Server URL for the POST resource path, you should have something that looks like this:

curl -u admin:admin123 -X POST -H "Content-Type: application/json" -d '{"components":[{"hash": null,"componentIdentifier": {"format":"maven","coordinates": {"artifactId":"tomcat-util","extension":"jar","groupId":"tomcat","version":"5.5.23"}}}]}' 'http://localhost:8070/api/v2/components/details'

Using package URL Identifiers

NEW IN RELEASE 67

This API supports getting component details using package URL identifiers. The request below retrieves the information for a Maven component.

{
 "components": [
   {
     "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"
   }
 ]
}

Here is an example cURL command to run this request.

curl -u admin:admin123 -X POST -H "Content-Type: application/json" -d '{"components":[{"packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"}]}' 'http://localhost:8070/api/v2/components/details'

The IQ Server will then respond with the component details, regardless of the identifier (component, packageUrl or hash) used. Please note that the returned hash value is truncated and is meant to be used as an identifier that can be passed into subsequent REST API calls. It is not intended to be used as a checksum. An example is provided below.


NEW IN RELEASE 67

The response field "packageUrl" is available from release 67.

{
   "componentDetails":[
      {
         "component":{
            "packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
            "hash":"1249e25aebb15358bedd",
            "componentIdentifier":{
               "format":"maven",
               "coordinates":{
                  "artifactId":"tomcat-util",
                  "classifier":"",
                  "extension":"jar",
                  "groupId":"tomcat",
                  "version":"5.5.23"
               }
            }
         },
         "matchState":"exact",
         "catalogDate":"2008-01-29T01:45:22.000-05:00",
         "relativePopularity":100,
         "licenseData":{
            "declaredLicenses":[
               {
                  "licenseId":"Apache-2.0",
                  "licenseName":"Apache-2.0"
               }
            ],
            "observedLicenses":[
               {
                  "licenseId":"No-Sources",
                  "licenseName":"No Sources"
               }
            ]
         },
         "securityData":{
            "securityIssues":[
               {
                  "source":"cve",
                  "reference":"CVE-2007-3385",
                  "severity":4.3,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2007-5333",
                  "severity":5.0,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2011-2526",
                  "severity":4.4,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2012-0022",
                  "severity":5.0,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"37071",
                  "severity":4.3,
                  "url":"http://osvdb.org/37071",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"41435",
                  "severity":5.0,
                  "url":"http://osvdb.org/41435",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"73797",
                  "severity":4.4,
                  "url":"http://osvdb.org/73797",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"73798",
                  "severity":4.4,
                  "url":"http://osvdb.org/73798",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"78573",
                  "severity":5.0,
                  "url":"http://osvdb.org/78573",
                  "threatCategory":"severe"
               }
            ]
         }
      }
   ]
}
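The following is an added example, not Sonatype's code: it builds a multi-component request body from package URLs and reduces a response like the one above to a per-component summary that a build script can check against a severity threshold. The function names are hypothetical, the second component in the sample is constructed, and treating missing or null sections as empty is an assumption about responses for components without data.

```python
import json

# Constructed sample: a trimmed copy of the response shown above, plus a
# second, made-up component with no security issues.
SAMPLE_RESPONSE = json.dumps({"componentDetails": [
    {"component": {"packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                   "hash": "1249e25aebb15358bedd"},
     "matchState": "exact",
     "licenseData": {"declaredLicenses": [{"licenseId": "Apache-2.0"}]},
     "securityData": {"securityIssues": [
         {"source": "cve", "reference": "CVE-2007-3385", "severity": 4.3},
         {"source": "cve", "reference": "CVE-2007-5333", "severity": 5.0},
         {"source": "osvdb", "reference": "73797", "severity": 4.4}]}},
    {"component": {"packageUrl": "pkg:maven/example/example-lib@1.0.0?type=jar"},
     "matchState": "exact",
     "licenseData": {"declaredLicenses": []},
     "securityData": {"securityIssues": []}},
]})

def build_request(purls):
    """JSON body for POST api/v2/components/details, one entry per package URL."""
    return json.dumps({"components": [{"packageUrl": p} for p in purls]})

def summarize(response_text):
    """One summary per component; missing or null sections count as empty."""
    summaries = []
    for detail in json.loads(response_text).get("componentDetails") or []:
        comp = detail.get("component") or {}
        issues = (detail.get("securityData") or {}).get("securityIssues") or []
        licenses = (detail.get("licenseData") or {}).get("declaredLicenses") or []
        summaries.append({
            # The truncated hash is only an identifier, so it is a fallback label.
            "component": comp.get("packageUrl") or comp.get("hash"),
            "maxSeverity": max((i["severity"] for i in issues), default=None),
            "cves": sorted(i["reference"] for i in issues if i["source"] == "cve"),
            "licenses": [lic["licenseId"] for lic in licenses],
        })
    return summaries

def over_threshold(summaries, threshold):
    """Components whose highest reported severity meets the threshold."""
    return [s["component"] for s in summaries
            if s["maxSeverity"] is not None and s["maxSeverity"] >= threshold]

if __name__ == "__main__":
    for s in summarize(SAMPLE_RESPONSE):
        print(s)
```

Because this API returns no policy violation data, a threshold check like this is a raw severity filter and does not reflect the policies configured in IQ Server.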