SPDX REST API - v2

NEW IN RELEASE 165

The SPDX REST API - v2 returns an SPDX SBOM document (in both XML and JSON formats) containing coordinates, licenses, and dependencies for components in an IQ Server-generated application scan report. This REST API supports all component formats.

Methods supported:

  1.  GET 

To use SPDX REST API - v2, first retrieve the internal application ID and then pass it as an input parameter.

Step 1:  Get the internal application ID 

Use the Application REST API - v2 with the application’s public ID to retrieve the internal application ID for the application you need to generate the SBOM.

GET /api/v2/applications?publicId={YourPublicId}

Step 2: Generate the SBOM 

Use the internal application ID from step 1 to generate the SPDX BOM document

GET /api/v2/spdx/{applicationInternalId}/reports/{scanId}

scanId corresponds to the application scan for which an IQ Server report was created.

This API can also retrieve the SBOM based on the latest application evaluation stage, by specifying the stageId in the GET method. 

GET /api/v2/spdx/{applicationInternalId}/stages/{stageId}

Possible values for stageId are build , stage-release , release operate.

Optional Query Parameters

Both the endpoints above support these optional query parameters:

Query ParameterDescriptionAccepted ValuesDefault Value
formatSPDX SBOM file formatjson, xmljson
spdxVersionSPDX SBOM specification version (planned support for future versions)2.32.3
generateCycloneDxIf set to "true" the SPDX SBOM file and its CycloneDx SBOM equivalent will be returned together as a tar.gz archivetrue, falsefalse

Example to generate a SPDX SBOM file in XML format

curl -u admin:admin123 -X GET
http://localhost:8070/api/v2/spdx/b7b2b2cc9c864ea59eb7fa0fb1d7f9ff/reports/bfdb562fad2443e593357b67eb4095e7?format=xml

Example to generate both SPDX and CycloneDx SBOM files as a tar.gz file, in JSON format

curl -u admin:admin123 -O -J -X GET
http://localhost:8070/api/v2/spdx/b7b2b2cc9c864ea59eb7fa0fb1d7f9ff/reports/bfdb562fad2443e593357b67eb4095e7?format=json&generateCycloneDx=true

Response

A file with the filename format {applicationPublicId}-{stage}-{scanId}.spdx.[xml|json] will be created, if you have used the curl command with options -O -J (see example above.)


{
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
        "created": "2023-07-05T15:19:44Z",
        "creators": [
            "Tool: Sonatype IQ Server - 1.165.0-01"
        ]
    },
    "documentNamespace": "http://localhost:8070/ui/links/application/local-iq-app/report/d6ffc430f2594d2480c7af837eb2a5b6",
    "packages": [
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(AGPL-3.0 AND MIT)",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-annotations",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.sonatype.testing/pr-comment-02@1.0-SNAPSHOT?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(Not-Declared AND No-Sources)",
            "licenseDeclared": "(Not-Declared AND No-Sources)",
            "name": "com.sonatype.testing:pr-comment-02",
            "versionInfo": "1.0-SNAPSHOT"
        },
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105",
                    "referenceType": "advisory"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832",
                    "referenceType": "advisory"
                },
                {
                    "comment": "source: NVD",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-core",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar",
                    "referenceType": "purl"
                },
                {
                    "comment": "source: SONATYPE",
                    "referenceCategory": "SECURITY",
                    "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438",
                    "referenceType": "advisory"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "(Apache-2.0 AND MIT)",
            "licenseDeclared": "(Apache-2.0 AND MIT)",
            "name": "com.fasterxml.jackson.core:jackson-core",
            "versionInfo": "2.14.0"
        },
        {
            "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "org.apache.logging.log4j:log4j-api",
            "versionInfo": "2.16.0"
        },
        {
            "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "Apache-2.0",
            "name": "com.fasterxml.jackson.core:jackson-databind",
            "versionInfo": "2.14.0"
        }
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0"
        },
        {
            "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0"
        }
    ]
}
<?xml version='1.0' encoding='UTF-8'?>
<Document>
    <SPDXID>SPDXRef-DOCUMENT</SPDXID>
    <spdxVersion>SPDX-2.3</spdxVersion>
    <creationInfo>
        <created>2023-07-05T15:22:50Z</created>
        <creators>Tool: Sonatype IQ Server - 1.165.0-01</creators>
    </creationInfo>
    <documentNamespace>http://localhost:8070/ui/links/application/local-iq-app/report/d6ffc430f2594d2480c7af837eb2a5b6</documentNamespace>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(AGPL-3.0 AND MIT)</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-annotations</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.sonatype.testing/pr-comment-02@1.0-SNAPSHOT?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(Not-Declared AND No-Sources)</licenseConcluded>
        <licenseDeclared>(Not-Declared AND No-Sources)</licenseDeclared>
        <name>com.sonatype.testing:pr-comment-02</name>
        <versionInfo>1.0-SNAPSHOT</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: NVD</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-core</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <externalRefs>
            <comment>source: SONATYPE</comment>
            <referenceCategory>SECURITY</referenceCategory>
            <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
            <referenceType>advisory</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
        <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-core</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>org.apache.logging.log4j:log4j-api</name>
        <versionInfo>2.16.0</versionInfo>
    </packages>
    <packages>
        <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
        <externalRefs>
            <referenceCategory>PACKAGE-MANAGER</referenceCategory>
            <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
            <referenceType>purl</referenceType>
        </externalRefs>
        <filesAnalyzed>false</filesAnalyzed>
        <licenseConcluded>Apache-2.0</licenseConcluded>
        <licenseDeclared>Apache-2.0</licenseDeclared>
        <name>com.fasterxml.jackson.core:jackson-databind</name>
        <versionInfo>2.14.0</versionInfo>
    </packages>
    <relationships>
        <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
        <relationshipType>DESCRIBES</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.sonatype.testing-pr-comment-02-1.0-SNAPSHOT</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
    </relationships>
    <relationships>
        <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
        <relationshipType>DEPENDS_ON</relationshipType>
        <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
    </relationships>
</Document>