Component Details REST API - v2

The Component Details API provides all security vulnerability, license, age, and popularity information available to Sonatype for a specified component. What is not included is any information related to policy violations for an evaluated application.

Lifecycle Developer Features

The Advanced Development Pack (ADP) capabilities have been integrated into the general Lifecycle product. These changes are accessible with IQ Server version 100 and above. For customers with IQ server versions between 100 and 134, your admin may need to re-upload your organization’s existing Lifecycle license or restart the IQ Server to see these additional capabilities.


If you are looking for component information for a component that has been evaluated as part of an application, please see the Component Details by Report API.

This API uses a POST REST resource.

Below, we have provided a step-by-step example using the HTTP client cURL, though any HTTP client could be used.

Step 1: Get the Component HASH or Component Identifier

Depending on the type of component and the information you have, the API allows you to specify either the component hash or the component identifier (or its equivalent package URL). In our example we'll search using Maven coordinates.

If desired, you can specify more than one component in a single request.

Step 2: Submit the Specified Component to Retrieve Details

First let’s take a look at the POST resource:

POST api/v2/components/details

You will also need to include JSON data specifying the component information you are providing.

{
  "components": [
    {
      "hash": null,
      "componentIdentifier": {
        "format": "maven",
        "coordinates": {
          "artifactId": "tomcat-util",
          "extension": "jar",
          "groupId": "tomcat",
          "version": "5.5.23"
        }
      }
    }
  ]
}

Putting this together with the cURL command, as well as including the IQ Server URL for the POST resource path, you should have something that looks like this:

curl -u admin:admin123 -X POST -H "Content-Type: application/json" -d '{"components":[{"hash": null,"componentIdentifier": {"format":"maven","coordinates": {"artifactId":"tomcat-util","extension":"jar","groupId":"tomcat","version":"5.5.23"}}}]}' 'http://localhost:8070/api/v2/components/details'

Using package URL Identifiers

NEW IN RELEASE 67

This API also supports retrieving component details using package URL identifiers, as shown below for the same Maven component.

{
 "components": [
   {
     "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"
   }
 ]
}

Here is an example cURL command to run this request.

curl -u admin:admin123 -X POST -H "Content-Type: application/json" -d '{"components":[{"packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"}]}' 'http://localhost:8070/api/v2/components/details'

The IQ Server will then respond with the component details, regardless of which identifier (component identifier, packageUrl or hash) was used. Note that the returned hash value is truncated and is meant to be used as an identifier that can be passed into subsequent REST API calls; it is not intended to be used as a checksum. An example is provided below.


NEW IN RELEASE 67

The response field "packageUrl" is available from release 67.

NEW IN RELEASE 88

The response field "effectiveLicenses" is available from release 88.

NEW IN RELEASE 100

The response field "projectData" is available from release 100.

NEW IN RELEASE 134

The response fields "hygieneRating" and "integrityRating" are available from release 134.

{
   "componentDetails":[
      {
         "component":{
            "packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
            "hash":"1249e25aebb15358bedd",
            "componentIdentifier":{
               "format":"maven",
               "coordinates":{
                  "artifactId":"tomcat-util",
                  "classifier":"",
                  "extension":"jar",
                  "groupId":"tomcat",
                  "version":"5.5.23"
               }
            },
            "displayName": "tomcat : tomcat-util : 5.5.23"
         },
         "matchState":"exact",
         "catalogDate":"2008-01-29T01:45:22.000-05:00",
         "relativePopularity":100,
         "hygieneRating": "Exemplar",
         "integrityRating": "Pending",
         "licenseData":{
            "declaredLicenses":[
               {
                  "licenseId":"Apache-2.0",
                  "licenseName":"Apache-2.0"
               }
            ],
            "observedLicenses":[
               {
                  "licenseId":"No-Sources",
                  "licenseName":"No Sources"
               }
            ],
            "effectiveLicenses":[
               {
                  "licenseId":"Apache-2.0",
                  "licenseName":"Apache-2.0"
               }
            ]
         },
         "securityData":{
            "securityIssues":[
               {
                  "source":"cve",
                  "reference":"CVE-2007-3385",
                  "severity":4.3,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2007-5333",
                  "severity":5.0,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2011-2526",
                  "severity":4.4,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526",
                  "threatCategory":"severe"
               },
               {
                  "source":"cve",
                  "reference":"CVE-2012-0022",
                  "severity":5.0,
                  "url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"37071",
                  "severity":4.3,
                  "url":"http://osvdb.org/37071",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"41435",
                  "severity":5.0,
                  "url":"http://osvdb.org/41435",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"73797",
                  "severity":4.4,
                  "url":"http://osvdb.org/73797",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"73798",
                  "severity":4.4,
                  "url":"http://osvdb.org/73798",
                  "threatCategory":"severe"
               },
               {
                  "source":"osvdb",
                  "reference":"78573",
                  "severity":5.0,
                  "url":"http://osvdb.org/78573",
                  "threatCategory":"severe"
               }
            ]
         },
         "projectData" : {
            "firstReleaseDate" : "2008-01-24T03:19:17.000-07:00",
            "lastReleaseDate" : "2008-01-24T03:19:17.000-07:00",
            "projectMetadata" : {
               "description" : "The Apache Software Foundation provides support for the Apache community of open-source software projects.\n    The Apache projects are characterized by a collaborative, consensus based development process, an open and\n    pragmatic software license, and a desire to create high quality software that leads the way in its field.\n    We consider ourselves not simply a group of projects sharing a server, but rather a community of developers\n    and users.",
               "organization" : "The Apache Software Foundation"
            },
            "sourceControlManagement" : {
               "scmUrl" : "https://svn.apache.org/repos/asf/maven/pom/tags/apache-4/tomcat-parent/tomcat-util"
            }
         }
      }
   ]
}
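As an added example (not part of Sonatype's documentation or product code), the following script builds the request body in both forms shown above (componentIdentifier coordinates and packageUrl), POSTs it to the details resource, and reduces the response to the fields a triage script usually wants: worst severity, issue counts per threatCategory, CVE references, effective licenses and the truncated identifier hash. The base URL and admin:admin123 credentials are the page's example values; the embedded SAMPLE_RESPONSE is a constructed abbreviation of the response above so the parsing runs without a server.

```python
import base64, json, urllib.request
from collections import Counter

def maven_request(group_id, artifact_id, version, extension="jar"):
    """Request body in the componentIdentifier form shown in Step 2."""
    return {"components": [{"hash": None, "componentIdentifier": {
        "format": "maven", "coordinates": {"groupId": group_id,
        "artifactId": artifact_id, "version": version, "extension": extension}}}]}

def purl_request(*purls):
    """Request body in the packageUrl form (release 67+); several components allowed."""
    return {"components": [{"packageUrl": p} for p in purls]}

def fetch_details(body, base_url="http://localhost:8070", user="admin", password="admin123"):
    """POST to api/v2/components/details with Basic auth (defaults are the page's example values)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/v2/components/details", method="POST",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def summarize(details):
    """One record per component: worst severity, issue counts per threatCategory,
    CVE references, effective licences and the (truncated) identifier hash."""
    out = []
    for d in details["componentDetails"]:
        issues = d.get("securityData", {}).get("securityIssues", [])
        licenses = d.get("licenseData", {}).get("effectiveLicenses", [])
        out.append({
            "purl": d["component"].get("packageUrl"),
            "idHash": d["component"]["hash"],  # identifier for later API calls, not a checksum
            "matchState": d["matchState"],
            "maxSeverity": max((i["severity"] for i in issues), default=0.0),
            "byCategory": dict(Counter(i["threatCategory"] for i in issues)),
            "cves": sorted(i["reference"] for i in issues if i["source"] == "cve"),
            "effectiveLicenses": [lic["licenseId"] for lic in licenses]})
    return out

# Constructed sample, abbreviated from the response shown on this page (runs without a server).
SAMPLE_RESPONSE = {"componentDetails": [{
    "component": {"packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                  "hash": "1249e25aebb15358bedd"},
    "matchState": "exact",
    "licenseData": {"effectiveLicenses": [{"licenseId": "Apache-2.0", "licenseName": "Apache-2.0"}]},
    "securityData": {"securityIssues": [
        {"source": "cve", "reference": "CVE-2007-3385", "severity": 4.3, "threatCategory": "severe"},
        {"source": "cve", "reference": "CVE-2012-0022", "severity": 5.0, "threatCategory": "severe"},
        {"source": "osvdb", "reference": "37071", "severity": 4.3, "threatCategory": "severe"}]}}]}
```

Against a live server, `summarize(fetch_details(purl_request("pkg:maven/tomcat/tomcat-util@5.5.23?type=jar")))` returns the same shape that `summarize(SAMPLE_RESPONSE)` produces offline.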