XRAY: How to create an SBOM report on a build using the REST API command

Author: Ino Choi
Article number: 000005587
Source: Salesforce
First published: 2023-02-26T09:12:05Z
Last modified: 2023-02-26
Version: 1
Subject: How to create an SBOM report on a build using the REST API command

Affected Versions: Xray 3.40.x and above

Description

Starting with Xray 3.40.x, Xray can generate a Software Bill of Materials (SBOM) report. Please refer to the JFrog Confluence page for more information: https://www.jfrog.com/confluence/display/JFROG/Xray+SBOM+Report#XraySBOMReport-ExportSBOMData

While you can easily download an SBOM report through the UI, you can also use the following REST API command to get an SBOM report for a component:
curl -XPOST "http://<ARTIFACTORY>/xray/api/v1/component/exportDetails" \
-H "Content-type: application/json" \
-d '{"violations":true, "include_ignored_violations": true, "license": true, "security": true, "exclude_unknown": true, "spdx": true, "spdx_format": "json", "component_name": "<PACKAGE_NAME>:<VERSION>", "package_type":"<PACKAGE_TYPE>", "sha_256":"<SHA_256>", "output_format":"json"}' \
-u <USER> --output report.zip

In order to create an SBOM report for a build, pass the build name and build number as the component name (in the form "<BUILD_NAME>:<BUILD_NUMBER>") and "build" as the package type:
curl -XPOST "http://<ARTIFACTORY>/xray/api/v1/component/exportDetails" \
-H "Content-type: application/json" \
-d '{"violations":true, "include_ignored_violations": true, "license": true, "security": true, "exclude_unknown": true, "spdx": true, "spdx_format": "json", "component_name": "<BUILD_NAME>:<BUILD_NUMBER>", "package_type":"build", "sha_256":"<SHA_256>", "output_format":"json"}' \
-u <USER> --output report.zip

This downloads a zip file containing the following reports (shown here for a build named maven-pipeline, build number 10):
Build_maven-pipeline-10_Violations_Export.json
Build_maven-pipeline-10_License_Export.json
Build_maven-pipeline-10_SBOM_Export_SPDX.json
Build_maven-pipeline-10_Security_Export.json
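As an added example that is not part of the original article or of JFrog's own tooling, the following Python script sends the same build export request as the curl command above (basic auth, as curl -u does) and then inspects the returned zip: it lists the report files and counts the packages in the SPDX SBOM. The SPDX file is assumed to be standard SPDX 2.x JSON, and the sample zip at the end is constructed so the parsing part runs offline.

```python
import base64
import io
import json
import urllib.request
import zipfile

EXPORT_PATH = "/xray/api/v1/component/exportDetails"


def build_export_payload(build_name, build_number, sha_256=None):
    """JSON body from the article's curl command, with <BUILD_NAME>:<BUILD_NUMBER> as the component."""
    payload = {
        "violations": True, "include_ignored_violations": True,
        "license": True, "security": True, "exclude_unknown": True,
        "spdx": True, "spdx_format": "json", "output_format": "json",
        "component_name": f"{build_name}:{build_number}",
        "package_type": "build",
    }
    if sha_256:  # the article passes it; left optional here
        payload["sha_256"] = sha_256
    return payload


def fetch_export(base_url, user, password, payload):
    """POST the payload with basic auth (curl -u) and return the zip bytes. Network call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + EXPORT_PATH, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def summarize_export(zip_bytes):
    """List the reports in the zip and count packages in the SPDX SBOM (assumed SPDX 2.x JSON)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = sorted(zf.namelist())
        sbom_name = next(n for n in names if n.endswith("_SBOM_Export_SPDX.json"))
        sbom = json.loads(zf.read(sbom_name))
    return {"reports": names, "spdx_version": sbom.get("spdxVersion"),
            "packages": len(sbom.get("packages", []))}


def constructed_sample_zip():
    """Constructed stand-in for Xray's response so summarize_export runs offline."""
    sbom = {"spdxVersion": "SPDX-2.2", "packages": [{"name": "lib-a"}, {"name": "lib-b"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Build_maven-pipeline-10_SBOM_Export_SPDX.json", json.dumps(sbom))
        zf.writestr("Build_maven-pipeline-10_Security_Export.json", "[]")
    return buf.getvalue()
```

Against a live instance, pass the bytes from fetch_export(...) to summarize_export instead of the constructed zip.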