CycloneDX REST API - v2

CycloneDX is a vendor-agnostic, language- and ecosystem-independent specification for describing software components.

The IQ Server CycloneDX API returns a CycloneDX SBOM document listing the components of a scan report, together with their coordinates and licenses. The API is exposed as a GET resource.

Step 1 - Get the Application ID

First, use the application’s public ID to retrieve its internal application ID. This is done with the following GET REST resource from the application API.

GET /api/v2/applications?publicId={YourPublicId}

Step 2 - Get SBOM XML

There are two ways to call the resource:

  • By report id:

GET /api/v2/cycloneDx/{applicationInternalId}/reports/{reportId}

  • By stage id:

The possible values for the stage id are:

  • build
  • stage-release
  • release
  • operate

When requesting by stage id, the result is from the latest application evaluation in that stage.

GET /api/v2/cycloneDx/{applicationInternalId}/stages/{stageId}

Response

The response body is an XML BOM similar to the following:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="a6cba7fe0559450fb70251a80709021b" version="1">
    <components>
        <component type="library">
            <group>org.apache.tomcat</group>
            <name>tomcat-catalina</name>
            <version>9.0.14</version>
            <scope>required</scope>
            <hashes>
                <hash alg="SHA-1">af008de6e523b6eeb5e8</hash>
            </hashes>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                </license>
            </licenses>
            <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
        </component>
        <component type="library">
            <name>Microsoft.AspNetCore.Http.Features</name>
            <version>3.1.3</version>
            <scope>required</scope>
            <hashes>
                <hash alg="SHA-1">1c82fd7494c626d1d009</hash>
            </hashes>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                </license>
                <license>
                    <id>Not-Supported</id>
                </license>
            </licenses>
            <purl>pkg:nuget/Microsoft.AspNetCore.Http.Features@3.1.3</purl>
        </component>
    </components>
    <externalReferences>
        <reference type="bom">
            <url>http://localhost:8070/ui/links/application/app/report/a6cba7fe0559450fb70251a80709021b</url>
            <comment>http://localhost:8070/ui/links/application/app/report/a6cba7fe0559450fb70251a80709021b</comment>
        </reference>
    </externalReferences>
</bom>
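The following Python script is an added example for this page; it is not Sonatype's code and nothing in it comes from IQ Server itself. It walks the two steps above (public ID to internal ID, then the CycloneDX resource by stage or by report id) and then inventories the returned BOM, flagging components whose license IQ could not map (the sample response above shows these as Not-Supported). Assumptions, labelled in the code: IQ Server accepts HTTP Basic authentication, and the Step 1 response has the shape {"applications": [{"id": ..., "publicId": ...}]}. The parser uses the ElementTree {*} namespace wildcard (Python 3.8+), so it goes beyond the 1.1 document on this page and reads later CycloneDX XML versions as well; the embedded SAMPLE_BOM is a compacted, constructed copy of the response shown above so the inventory part runs offline.

```python
# Added example (not Sonatype's code): the two-step IQ Server CycloneDX flow,
# followed by a license inventory of the returned BOM. Python 3.8+.
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_STAGES = ("build", "stage-release", "release", "operate")  # stage ids from the page


def cyclonedx_path(internal_id: str, *, stage: Optional[str] = None,
                   report_id: Optional[str] = None) -> str:
    """Build the Step 2 resource path; exactly one of stage/report_id must be given."""
    if (stage is None) == (report_id is None):
        raise ValueError("give exactly one of stage= or report_id=")
    if report_id is not None:
        return f"/api/v2/cycloneDx/{internal_id}/reports/{urllib.parse.quote(report_id, safe='')}"
    if stage not in VALID_STAGES:
        raise ValueError(f"unknown stage {stage!r}; expected one of {VALID_STAGES}")
    return f"/api/v2/cycloneDx/{internal_id}/stages/{stage}"


def _get(base_url: str, path: str, auth: tuple) -> bytes:
    # ASSUMPTION: HTTP Basic auth (user name plus password or user token).
    req = urllib.request.Request(base_url.rstrip("/") + path)
    creds = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def lookup_internal_id(base_url: str, public_id: str, auth: tuple) -> str:
    """Step 1: public ID -> internal ID.
    ASSUMPTION: response shape {"applications": [{"id": ..., "publicId": ...}]}."""
    query = urllib.parse.urlencode({"publicId": public_id})
    body = json.loads(_get(base_url, "/api/v2/applications?" + query, auth))
    matches = [a for a in body.get("applications", []) if a.get("publicId") == public_id]
    if len(matches) != 1:  # never guess: a wrong internal id yields someone else's SBOM
        raise LookupError(f"expected one application for {public_id!r}, got {len(matches)}")
    return matches[0]["id"]


def fetch_sbom_xml(base_url, public_id, auth, *, stage=None, report_id=None) -> str:
    """Steps 1 and 2 together: returns the BOM XML text."""
    internal_id = lookup_internal_id(base_url, public_id, auth)
    path = cyclonedx_path(internal_id, stage=stage, report_id=report_id)
    return _get(base_url, path, auth).decode("utf-8")


@dataclass
class Component:
    name: Optional[str]
    version: Optional[str]
    group: Optional[str]
    purl: Optional[str]
    licenses: List[str]
    hashes: Dict[str, str]


def parse_bom(xml_text: str) -> List[Component]:
    """Extract components from a CycloneDX XML BOM; {*} matches any schema namespace."""
    root = ET.fromstring(xml_text)

    def text(el, tag):
        child = el.find(f"{{*}}{tag}")
        return child.text.strip() if child is not None and child.text else None

    comps = []
    for c in root.iterfind(".//{*}component"):
        licenses = []
        for lic in c.iterfind("{*}licenses/{*}license"):
            ident = text(lic, "id") or text(lic, "name")  # the spec allows either form
            if ident:
                licenses.append(ident)
        hashes = {h.get("alg"): h.text.strip() for h in c.iterfind("{*}hashes/{*}hash") if h.text}
        comps.append(Component(text(c, "name"), text(c, "version"), text(c, "group"),
                               text(c, "purl"), licenses, hashes))
    return comps


def unresolved_license_components(comps, unknown=("Not-Supported",)) -> List[Component]:
    """Components with no license, or one IQ could not map: the ones to triage first."""
    return [c for c in comps if not c.licenses or any(l in unknown for l in c.licenses)]


# Constructed sample: a compacted copy of the page's response (same two components).
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="a6cba7fe0559450fb70251a80709021b" version="1">
 <components>
  <component type="library"><group>org.apache.tomcat</group><name>tomcat-catalina</name>
   <version>9.0.14</version><hashes><hash alg="SHA-1">af008de6e523b6eeb5e8</hash></hashes>
   <licenses><license><id>Apache-2.0</id></license></licenses>
   <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl></component>
  <component type="library"><name>Microsoft.AspNetCore.Http.Features</name><version>3.1.3</version>
   <hashes><hash alg="SHA-1">1c82fd7494c626d1d009</hash></hashes>
   <licenses><license><id>Apache-2.0</id></license><license><id>Not-Supported</id></license></licenses>
   <purl>pkg:nuget/Microsoft.AspNetCore.Http.Features@3.1.3</purl></component>
 </components>
</bom>"""

if __name__ == "__main__":
    # Offline run over the sample. Against a live server you would instead call, e.g.,
    # parse_bom(fetch_sbom_xml("http://localhost:8070", "app", ("user", "token"), stage="build")).
    for comp in unresolved_license_components(parse_bom(SAMPLE_BOM)):
        print(f"review license: {comp.purl} -> {comp.licenses}")
```

Splitting cyclonedx_path from the HTTP calls keeps the stage validation and the report-id URL encoding testable without a server, and the Step 1 lookup deliberately fails when the public ID does not match exactly one application rather than silently taking the first hit.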