Third-Party Scan REST API - v2
The Third-Party Scan REST API lets you submit one or more components to be scanned against a specific application and its associated policies, producing an Application Composition Report.
Some possible use cases:
- Program analysis has already been performed elsewhere and has identified the components. The component data is run through the policy engine and shown in an Application Composition Report.
- Sonatype IQ Server performs the program analysis and identifies the components itself, then runs them through the policy engine and shows an Application Composition Report.
User Permissions Required to Invoke this API call
- Evaluate Applications
Methods supported
- POST - submits a list of components, as a CycloneDX or SPDX SBOM, to evaluate policies against an existing IQ application.
- GET - retrieves the result of the evaluation submitted with POST.
Using this API
Step 1 - Get the Application ID
Select the application for which you want to evaluate your components. Copy the application ID shown under the application name in the Lifecycle UI; this is {YourPublicId}.
Retrieve the internal application ID using GET:
GET /api/v2/applications?publicId={YourPublicId}
Using the cURL command:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/applications?publicId=MyApplicationID'
Response
The response contains the internal application ID in the top-level "id" field of the application entry, e.g. "id": "4537e6fe68c24dd5ac83efd97d4fc2f4". Do not confuse it with the "id" values inside applicationTags, which identify tag assignments, not the application.
{
  "applications": [
    {
      "id": "4537e6fe68c24dd5ac83efd97d4fc2f4",
      "publicId": "MyApplicationID",
      "name": "MyApplication",
      "organizationId": "bb41817bd3e2403a8a52fe8bcd8fe25a",
      "contactUserName": "NewAppContact",
      "applicationTags": [
        {
          "id": "9beee80c6fc148dfa51e8b0359ee4d4e",
          "tagId": "cfea8fa79df64283bd64e5b6b624ba48",
          "applicationId": "4bb67dcfc86344e3a483832f8c496419"
        }
      ]
    }
  ]
}
Step 2 - Submit SBOM for evaluation
The API allows valid SBOM files (see the Supported versions and Compatibility section below) to be evaluated against IQ server policies. Refer to CycloneDX and SPDX for more information.
Use the POST request to submit the SBOM for evaluation as below:
POST /api/v2/scan/applications/{applicationInternalId}/sources/{source}?stageId={stageId}
The stageId parameter is optional and defaults to build. Other allowed values are develop, stage-release, release, and operate.
source identifies the origin of the SBOM file or the tool that was used to create it.
The request body is the SBOM itself, for example a CycloneDX SBOM in XML format (sent with Content-Type: application/xml), where {version} is 1.4:
<bom xmlns="http://cyclonedx.org/schema/bom/{version}" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
    </component>
  </components>
</bom>
Supported versions and Compatibility
CycloneDX
IQ Release | BOM Specification | Vulnerability Specification | Supported Formats
---|---|---|---
77 | 1.1 | - | XML
78 | 1.0 | - | XML
81 | license element support | - | XML
114 | 1.2 | 1.0 | XML
117 | 1.3 | 1.0 | XML
134 | 1.4 | built into the 1.4 specification (see note below) | XML + JSON
Support for the CycloneDX vulnerability schema 1.0 XML extension is deprecated as of BOM specification 1.4; with 1.4 you must use the vulnerabilities element that is part of the core specification. The extension can still be used with earlier BOM specification versions.
SPDX (new in release 166)
IQ Release | BOM Specification | Supported Formats
---|---|---
166 | 2.3 | XML + JSON
Examples of Valid SBOM Payload
CycloneDX 1.4 (XML):
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>acme-library</name>
      <version>1.0.0</version>
      <hashes>
        <hash alg="SHA-1">9188560f22e0b73070d2efce670c74af2bdf30af</hash>
        <hash alg="SHA-256">d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964</hash>
      </hashes>
      <cpe>cpe:/a:acme:application:9.1.1</cpe>
    </component>
    <component type="library">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.8.0</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</purl>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability>
      <id>CVE-2018-7489</id>
      <source>
        <name>NVD</name>
        <url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</url>
      </source>
      <ratings>
        <rating>
          <source>
            <name>NVD</name>
            <url>https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&amp;version=3.0</url>
          </source>
          <score>9.8</score>
          <severity>critical</severity>
          <method>CVSSv3</method>
          <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vector>
        </rating>
      </ratings>
      <cwes>
        <cwe>184</cwe>
        <cwe>502</cwe>
      </cwes>
      <description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</description>
      <recommendation>Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.</recommendation>
      <advisories>
        <advisory>
          <title>GitHub Commit</title>
          <url>https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2</url>
        </advisory>
      </advisories>
      <created>2021-01-01T00:00:00.000Z</created>
      <published>2021-01-01T00:00:00.000Z</published>
      <updated>2021-01-01T00:00:00.000Z</updated>
      <analysis>
        <state>not_affected</state>
        <justification>code_not_reachable</justification>
        <responses>
          <response>will_not_fix</response>
          <response>update</response>
        </responses>
        <detail>An optional explanation of why the application is not affected by the vulnerable component.</detail>
      </analysis>
      <affects>
        <target>
          <ref>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar</ref>
        </target>
      </affects>
    </vulnerability>
  </vulnerabilities>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar" />
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar" />
  </dependencies>
</bom>
CycloneDX 1.4 (JSON):
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2022-02-21T17:20:41Z",
    "component": {
      "name": "Acme Application",
      "version": "9.1.1",
      "type": "application",
      "bom-ref": "acme-app"
    }
  },
  "components": [
    {
      "name": "acme-library",
      "version": "1.0.0",
      "hashes": [
        { "alg": "SHA-1", "content": "9188560f22e0b73070d2efce670c74af2bdf30af" },
        { "alg": "SHA-256", "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" }
      ],
      "cpe": "cpe:/a:acme:application:9.1.1",
      "type": "library"
    },
    {
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.8.0",
      "licenses": [ { "license": { "id": "Apache-2.0" } } ],
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar",
      "type": "library"
    }
  ],
  "dependencies": [
    {
      "ref": "acme-app",
      "dependsOn": [
        "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
        "pkg:maven/org.acme/persistence@3.1.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
      "dependsOn": [ "pkg:maven/org.acme/common-util@3.0.0?type=jar" ]
    },
    {
      "ref": "pkg:maven/org.acme/persistence@3.1.0?type=jar",
      "dependsOn": [ "pkg:maven/org.acme/common-util@3.0.0?type=jar" ]
    },
    {
      "ref": "pkg:maven/org.acme/common-util@3.0.0?type=jar",
      "dependsOn": []
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2018-7489",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
          },
          "score": 9.8,
          "severity": "critical",
          "method": "CVSSv3",
          "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [ 184, 502 ],
      "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
      "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
      "advisories": [
        {
          "title": "GitHub Commit",
          "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
        }
      ],
      "created": "2021-01-01T00:00:00Z",
      "published": "2021-01-01T00:00:00Z",
      "updated": "2021-01-01T00:00:00Z",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [ "will_not_fix", "update" ],
        "detail": "An optional explanation of why the application is not affected by the vulnerable component."
      },
      "affects": [
        { "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar" }
      ]
    }
  ]
}
SPDX 2.3 (XML):
<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2023-08-21T16:49:07Z</created>
    <creators>Tool: Sonatype IQ Server - 1.166.0</creators>
  </creationInfo>
  <name>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</name>
  <dataLicense>CC0-1.0</dataLicense>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-No-Sources</licenseId>
    <extractedText>No-Sources</extractedText>
  </hasExtractedLicensingInfos>
  <hasExtractedLicensingInfos>
    <licenseId>LicenseRef-Not-Declared</licenseId>
    <extractedText>Not-Declared</extractedText>
  </hasExtractedLicensingInfos>
  <documentNamespace>http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b</documentNamespace>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-api</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: SONATYPE</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://localhost:8070/ui/links/vln/sonatype-2022-6438</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(Apache-2.0 AND MIT)</licenseConcluded>
    <licenseDeclared>(Apache-2.0 AND MIT)</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-core</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-databind</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <externalRefs>
      <comment>source: NVD</comment>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>org.apache.logging.log4j:log4j-core</name>
    <versionInfo>2.16.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>com.fasterxml.jackson.core:jackson-annotations</name>
    <versionInfo>2.14.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-maven-com.sonatype.testing-test-app-1.0.0</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseConcluded>
    <licenseDeclared>(LicenseRef-No-Sources AND LicenseRef-Not-Declared)</licenseDeclared>
    <name>com.sonatype.testing:test-app</name>
    <versionInfo>1.0.0</versionInfo>
  </packages>
  <packages>
    <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <licenseConcluded>NOASSERTION</licenseConcluded>
    <licenseDeclared>NOASSERTION</licenseDeclared>
    <name>sonatype:iq_application_Test App 01</name>
    <versionInfo>ea08930a666041bbbee8c9f6c0e7951b</versionInfo>
  </packages>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0</relatedSpdxElement>
  </relationships>
</Document>
SPDX 2.3 (JSON):
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-08-21T16:46:39Z",
    "creators": [ "Tool: Sonatype IQ Server - 1.166.0" ]
  },
  "name": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b",
  "dataLicense": "CC0-1.0",
  "hasExtractedLicensingInfos": [
    { "licenseId": "LicenseRef-No-Sources", "extractedText": "No-Sources" },
    { "licenseId": "LicenseRef-Not-Declared", "extractedText": "Not-Declared" }
  ],
  "documentNamespace": "http://localhost:8070/ui/links/application/test-app-01/report/ea08930a666041bbbee8c9f6c0e7951b",
  "packages": [
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-api",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.0?type=jar", "referenceType": "purl" },
        { "comment": "source: SONATYPE", "referenceCategory": "SECURITY", "referenceLocator": "http://localhost:8070/ui/links/vln/sonatype-2022-6438", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(Apache-2.0 AND MIT)",
      "licenseDeclared": "(Apache-2.0 AND MIT)",
      "name": "com.fasterxml.jackson.core:jackson-core",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-databind",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105", "referenceType": "advisory" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832", "referenceType": "advisory" },
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.16.0?type=jar", "referenceType": "purl" },
        { "comment": "source: NVD", "referenceCategory": "SECURITY", "referenceLocator": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228", "referenceType": "advisory" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "org.apache.logging.log4j:log4j-core",
      "versionInfo": "2.16.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.14.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "com.fasterxml.jackson.core:jackson-annotations",
      "versionInfo": "2.14.0"
    },
    {
      "SPDXID": "SPDXRef-maven-com.sonatype.testing-test-app-1.0.0",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:maven/com.sonatype.testing/test-app@1.0.0?type=jar", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "licenseDeclared": "(LicenseRef-No-Sources AND LicenseRef-Not-Declared)",
      "name": "com.sonatype.testing:test-app",
      "versionInfo": "1.0.0"
    },
    {
      "SPDXID": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b",
      "downloadLocation": "NOASSERTION",
      "externalRefs": [
        { "referenceCategory": "PACKAGE-MANAGER", "referenceLocator": "pkg:generic/sonatype/iq_application_Test%20App%2001@ea08930a666041bbbee8c9f6c0e7951b", "referenceType": "purl" }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "name": "sonatype:iq_application_Test App 01",
      "versionInfo": "ea08930a666041bbbee8c9f6c0e7951b"
    }
  ],
  "relationships": [
    { "spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-core-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-annotations-2.14.0" },
    { "spdxElementId": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-api-2.16.0" },
    { "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-org.apache.logging.log4j-log4j-core-2.16.0" },
    { "spdxElementId": "SPDXRef-generic-sonatype-iq-application-Test-App-01-ea08930a666041bbbee8c9f6c0e7951b", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-maven-com.fasterxml.jackson.core-jackson-databind-2.14.0" }
  ]
}
Note: In the unlikely case that the same component appears more than once in the BOM, only the first occurrence is processed and shown.
When package-URL is Not Available
1. A component can be specified using the coordinates tags:
- <name>: mandatory (also when <purl> is set)
- <version>: mandatory (also when <purl> is set)
- <group>: optional
- <publisher>: optional
In addition, each component can include licenses data as shown in the example below.
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
    </component>
  </components>
</bom>
2. A component can be specified using its content hash (SHA-1) together with its <name> and <version>:
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
  <components>
    <component type="library">
      <name>tomcat-catalina</name>
      <version>9.0.16</version>
      <hashes>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
      </hashes>
    </component>
  </components>
</bom>
Putting the internal application ID from step 1 and the SBOM body together, the full request looks like this:
curl -u admin:admin123 -X POST -H "Content-Type: application/xml" \
  -d '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
        <components>
          <component type="library">
            <publisher>Apache</publisher>
            <group>org.apache.tomcat</group>
            <name>tomcat-catalina</name>
            <version>9.0.14</version>
            <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?type=jar</purl>
          </component>
        </components>
      </bom>' \
  'http://localhost:8070/api/v2/scan/applications/4537e6fe68c24dd5ac83efd97d4fc2f4/sources/cyclone'
Response
A successful POST returns JSON confirming that the evaluation was submitted, including the status URL to poll in step 3:
{
  "statusUrl": "api/v2/scan/applications/a20bc16e83944595a94c2e36c1cd228e/status/9cee2b6366fc4d328edc318eae46b2cb"
}
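The payload rules above (name and version mandatory, group/publisher/licenses/purl optional, a SHA-1 hash as the alternative to a purl, and the first-occurrence-only handling of duplicates) are easy to get wrong when an SBOM is assembled by hand. The following is an added example, not Sonatype's code or part of this API documentation: a small Python builder that enforces those rules and emits the CycloneDX 1.4 XML body for the POST. It uses only the standard library; the Component dataclass, maven_purl and sha1_of_file helpers are this example's own conventions, not part of the IQ API.

```python
"""Build a CycloneDX 1.4 XML payload for the Third-Party Scan API.

Added example, not Sonatype's code. It applies the payload rules given on this
page: <name> and <version> are mandatory for every component; <group>,
<publisher>, <licenses> and <purl> are optional; a component without a purl
can be identified by its SHA-1 hash; and duplicate components are rejected
because IQ Server processes only the first occurrence.
"""
import hashlib
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")


@dataclass
class Component:
    name: str
    version: str
    group: Optional[str] = None
    publisher: Optional[str] = None
    purl: Optional[str] = None
    sha1: Optional[str] = None
    licenses: List[str] = field(default_factory=list)  # SPDX ids, e.g. "Apache-2.0"
    type: str = "library"

    def identity(self):
        """What counts as 'the same component': the purl if present, else coordinates plus hash."""
        return self.purl or (self.group, self.name, self.version, self.sha1)


def maven_purl(group: str, name: str, version: str, ext: str = "jar") -> str:
    return f"pkg:maven/{group}/{name}@{version}?type={ext}"


def sha1_of_file(path: str) -> str:
    """SHA-1 of a local artifact, for the hash-only form of a component."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def validate(components: List[Component]) -> List[str]:
    """Return a list of problems; empty means the BOM is safe to submit."""
    errors, seen = [], set()
    for i, c in enumerate(components):
        if not c.name or not c.version:
            errors.append(f"component #{i}: <name> and <version> are mandatory")
        if c.sha1 and not SHA1_RE.fullmatch(c.sha1):
            errors.append(f"component #{i}: SHA-1 must be 40 hex characters")
        if c.identity() in seen:
            errors.append(f"component #{i}: duplicate; IQ Server only processes the first occurrence")
        seen.add(c.identity())
    return errors


def build_bom(components: List[Component], serial: Optional[str] = None) -> str:
    """Serialize the components as a CycloneDX 1.4 XML BOM (children in schema order)."""
    errors = validate(components)
    if errors:
        raise ValueError("; ".join(errors))
    ET.register_namespace("", CDX_NS)  # emit CycloneDX as the default namespace
    ns = "{%s}" % CDX_NS
    bom = ET.Element(ns + "bom", {"serialNumber": serial or f"urn:uuid:{uuid.uuid4()}", "version": "1"})
    comps = ET.SubElement(bom, ns + "components")
    for c in components:
        el = ET.SubElement(comps, ns + "component", {"type": c.type})
        for tag, value in (("publisher", c.publisher), ("group", c.group),
                           ("name", c.name), ("version", c.version)):
            if value:
                ET.SubElement(el, ns + tag).text = value
        if c.sha1:
            hashes = ET.SubElement(el, ns + "hashes")
            ET.SubElement(hashes, ns + "hash", {"alg": "SHA-1"}).text = c.sha1.lower()
        if c.licenses:
            licenses = ET.SubElement(el, ns + "licenses")
            for lic_id in c.licenses:
                lic = ET.SubElement(licenses, ns + "license")
                ET.SubElement(lic, ns + "id").text = lic_id
        if c.purl:
            ET.SubElement(el, ns + "purl").text = c.purl
    return ET.tostring(bom, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: the two forms shown on this page, purl-based and hash-only.
    sample = [
        Component("tomcat-catalina", "9.0.14", group="org.apache.tomcat", publisher="Apache",
                  purl=maven_purl("org.apache.tomcat", "tomcat-catalina", "9.0.14"),
                  licenses=["Apache-2.0"]),
        Component("tomcat-catalina", "9.0.16", sha1="e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"),
    ]
    print(build_bom(sample, serial="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"))
```

The output of build_bom is the string to pass as the -d body of the curl command above. Run validate first in a CI step and fail the build on a non-empty result, so a malformed or duplicated entry is caught before it silently disappears from the report.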
Step 3 - Checking Status URL to get scan result
Use the statusUrl returned in step 2 to check the status of the scan with a GET request:
GET /api/v2/scan/applications/{applicationInternalId}/status/{statusId}
Using the cURL command:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/scan/applications/a20bc16e83944595a94c2e36c1cd228e/status/9cee2b6366fc4d328edc318eae46b2cb'
Response
A successful GET returns a JSON object containing the scan result. Until the report is ready, or if the scan is unknown, the server answers with HTTP 404 and a plain-text message instead (cases 3 and 4 below).
1. Response when the scan report is ready:
{
  "policyAction": "None",
  "reportHtmlUrl": "http://localhost:8070/ui/links/application/my-app/report/95c4c14e",
  "isError": false,
  "componentsAffected": { "critical": 0, "severe": 0, "moderate": 0 },
  "openPolicyViolations": { "critical": 0, "severe": 0, "moderate": 0 },
  "grandfatheredPolicyViolations": 0
}
2. Response when the scan report is ready and a policy action applies (available policy actions are None, Warning, and Failure):
{
  "policyAction": "Failure",
  "reportHtmlUrl": "http://localhost:8070/ui/links/application/my-app/report/95c4c14e",
  "isError": false,
  "componentsAffected": { "critical": 1, "severe": 0, "moderate": 0 },
  "openPolicyViolations": { "critical": 2, "severe": 1, "moderate": 0 },
  "grandfatheredPolicyViolations": 0
}
3. When the scan/report is not ready yet, this message is returned with HTTP Status 404:
Report with status id a20bc16e83944595a94c2e36c1cd228e for application with id a20bc16e83944595a94c2e36c1cd228e is not ready.
4. When the scan does not exist in IQ Server, this message is returned with HTTP Status 404:
Policy evaluation status with id a20bc16e83944595a94c2e36c1cd228e for public application id cyclone was not found.
5. When an error occurred while performing the scan:
{
  "isError": true,
  "errorMessage": "Unable to evaluate policy, the scan 123456783944595a94c2e36c1cd228e could not be processed."
}
6. Response with additional report URLs (PDF, raw data, embeddable HTML). All report URLs are relative to the IQ Server base URL.
{
  "policyAction": "Failure",
  "reportHtmlUrl": "ui/links/application/my-app/report/95c4c14e",
  "reportPdfUrl": "ui/links/application/my-app/report/95c4c14e/pdf",
  "reportDataUrl": "api/v2/applications/my-app/reports/95c4c14e/raw",
  "embeddableReportHtmlUrl": "ui/links/application/my-app/report/95c4c14e/embeddable",
  "isError": false,
  "componentsAffected": { "critical": 1, "severe": 0, "moderate": 0 },
  "openPolicyViolations": { "critical": 2, "severe": 1, "moderate": 0 },
  "grandfatheredPolicyViolations": 0
}
7. When the submitted CycloneDX SBOM includes a dependency graph together with the parent component in the metadata element, as in the payload below, the resulting report includes dependency information and InnerSource insight data:
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application" bom-ref="acme-app">
      <name>Acme Application</name>
      <version>9.1.1</version>
      <purl>pkg:maven/org.acme/acme-app@9.1.1?type=jar</purl>
    </component>
  </metadata>
  <components>
    <component type="framework" bom-ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <group>org.acme</group>
      <name>web-framework</name>
      <version>1.0.0</version>
      <purl>pkg:maven/org.acme/web-framework@1.0.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <group>org.acme</group>
      <name>persistence</name>
      <version>3.1.0</version>
      <purl>pkg:maven/org.acme/persistence@3.1.0?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/org.acme/common-util@3.0.0?type=jar">
      <group>org.acme</group>
      <name>common-util</name>
      <version>3.0.0</version>
      <purl>pkg:maven/org.acme/common-util@3.0.0?type=jar</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="acme-app">
      <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar"/>
      <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/web-framework@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/persistence@3.1.0?type=jar">
      <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.acme/common-util@3.0.0?type=jar"/>
  </dependencies>
</bom>
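Steps 1 to 3 are usually run from a CI job rather than by hand, and the part that goes wrong in practice is step 3: the status URL returns 404 both while the report is still being produced and when the scan id is unknown, and a ready report can still carry isError. The following is an added example, not Sonatype's code: a Python client that performs the three calls with the endpoints and response shapes documented on this page and turns policyAction into an exit status. HTTP goes through a pluggable transport callable so the flow can be exercised offline against the constructed FakeIQ stand-in included below (which replays the documented responses); urllib_transport is the real one. The exit-code mapping (Failure fails the build, Warning only with fail_on_warning) is this example's own policy, not something the API prescribes.

```python
"""Run the three steps of the Third-Party Scan API and gate a build on the result.

Added example, not Sonatype's code. Endpoints and response shapes are the ones
documented on this page; the 404 text "is not ready" means "poll again", any
other 404 means the scan id is unknown, and isError:true is a server-side failure.
The transport callable has the shape (method, url, headers, body) -> (status, bytes).
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

NOT_READY = "is not ready"


class IQError(Exception):
    pass


def urllib_transport(method, url, headers, body):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # the 404 "not ready" answer arrives here
        return e.code, e.read()


class IQClient:
    def __init__(self, base_url, user, password, transport=urllib_transport):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.transport = transport

    def _call(self, method, path, body=None, content_type=None):
        headers = dict(self.headers)
        if content_type:
            headers["Content-Type"] = content_type
        status, raw = self.transport(method, f"{self.base}/{path.lstrip('/')}", headers, body)
        return status, raw.decode("utf-8", errors="replace")

    def internal_app_id(self, public_id):
        """Step 1. The internal id is the application entry's own "id", not an applicationTags id."""
        status, text = self._call("GET", "api/v2/applications?publicId=" + urllib.parse.quote(public_id))
        if status != 200:
            raise IQError(f"application lookup failed: HTTP {status} {text.strip()}")
        for app in json.loads(text)["applications"]:
            if app["publicId"] == public_id:
                return app["id"]
        raise IQError(f"no application with publicId {public_id!r}")

    def submit_sbom(self, app_id, sbom_xml, source="cyclone", stage_id="build"):
        """Step 2. Returns the relative statusUrl to poll."""
        path = f"api/v2/scan/applications/{app_id}/sources/{source}?stageId={stage_id}"
        status, text = self._call("POST", path, sbom_xml.encode(), "application/xml")
        if status != 200:
            raise IQError(f"SBOM submission failed: HTTP {status} {text.strip()}")
        return json.loads(text)["statusUrl"]

    def wait_for_report(self, status_url, timeout=600, interval=5, sleep=time.sleep):
        """Step 3. Poll until the report exists, distinguishing 'not ready' from 'unknown scan'."""
        deadline = time.monotonic() + timeout
        while True:
            status, text = self._call("GET", status_url)
            if status == 404 and NOT_READY in text:
                if time.monotonic() >= deadline:
                    raise IQError("timed out waiting for the report")
                sleep(interval)
                continue
            if status != 200:
                raise IQError(f"status check failed: HTTP {status} {text.strip()}")
            result = json.loads(text)
            if result.get("isError"):
                raise IQError(result.get("errorMessage", "evaluation failed"))
            return result


def exit_code_for(result, fail_on_warning=False):
    """Map policyAction (None, Warning, Failure) to a CI exit status; this policy is the example's own."""
    action = result.get("policyAction", "None")
    if action == "Failure" or (action == "Warning" and fail_on_warning):
        return 1
    if action in ("None", "Warning"):
        return 0
    raise IQError(f"unexpected policyAction {action!r}")


def scan(client, public_id, sbom_xml, source="cyclone", stage_id="build", sleep=time.sleep):
    """Steps 1 to 3 in one call; returns the report summary."""
    app_id = client.internal_app_id(public_id)
    return client.wait_for_report(client.submit_sbom(app_id, sbom_xml, source, stage_id), sleep=sleep)


class FakeIQ:
    """Constructed stand-in for IQ Server that replays the response shapes shown on this page."""
    APP_ID, STATUS_ID = "4537e6fe68c24dd5ac83efd97d4fc2f4", "9cee2b6366fc4d328edc318eae46b2cb"

    def __init__(self, polls_until_ready=2):
        self.polls, self.polls_until_ready = 0, polls_until_ready

    def __call__(self, method, url, headers, body):
        path = url.split("://", 1)[-1].split("/", 1)[-1]
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, b"Unauthorized"
        if method == "GET" and path == "api/v2/applications?publicId=MyApplicationID":
            return 200, json.dumps({"applications": [{"id": self.APP_ID, "publicId": "MyApplicationID"}]}).encode()
        if method == "POST" and path.startswith(f"api/v2/scan/applications/{self.APP_ID}/sources/"):
            return 200, json.dumps({"statusUrl": f"api/v2/scan/applications/{self.APP_ID}/status/{self.STATUS_ID}"}).encode()
        if method == "GET" and path == f"api/v2/scan/applications/{self.APP_ID}/status/{self.STATUS_ID}":
            self.polls += 1
            if self.polls < self.polls_until_ready:
                return 404, f"Report with status id {self.STATUS_ID} for application with id {self.APP_ID} is not ready.".encode()
            return 200, json.dumps({"policyAction": "Failure", "reportHtmlUrl": "ui/links/application/my-app/report/95c4c14e",
                                    "isError": False, "openPolicyViolations": {"critical": 2, "severe": 1, "moderate": 0}}).encode()
        return 404, b"Policy evaluation status with id a20bc16e83944595a94c2e36c1cd228e for public application id cyclone was not found."


if __name__ == "__main__":
    client = IQClient("http://localhost:8070", "admin", "admin123", transport=FakeIQ())
    report = scan(client, "MyApplicationID", "<bom/>", sleep=lambda s: None)
    print(report["policyAction"], report["reportHtmlUrl"])
    raise SystemExit(exit_code_for(report))
```

To run against a real server, construct IQClient without the transport argument and pass the XML produced in step 2 as sbom_xml; the reportHtmlUrl in the returned summary is relative to the server base URL, as the page notes, so join it with base_url before printing it in a build log.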