Subject: How to create an SBOM report on a build using the REST API command
Affected Versions: Xray 3.40.x and above
Description
Starting with Xray 3.40.x, Xray can generate a Software Bill of Materials (SBOM) report. Please refer to the JFrog Confluence page for more information: https://www.jfrog.com/confluence/display/JFROG/Xray+SBOM+Report#XraySBOMReport-ExportSBOMData
While you can easily download an SBOM report through the UI, you can also use the following REST API call (the Xray "Export Component Details" endpoint) to retrieve an SBOM report for a single component.
curl -XPOST "https://<ARTIFACTORY>/xray/api/v1/component/exportDetails" \
  -H "Content-Type: application/json" \
  -d '{"violations": true, "include_ignored_violations": true, "license": true, "security": true, "exclude_unknown": true, "spdx": true, "spdx_format": "json", "component_name": "<PACKAGE_NAME>:<VERSION>", "package_type": "<PACKAGE_TYPE>", "sha_256": "<SHA_256>", "output_format": "json"}' \
  -u <USER> \
  --output report.zip
Note: use the HTTPS URL of your JFrog Platform. The credentials passed with -u are sent as HTTP Basic authentication, so over plain http:// they would travel in cleartext.
In order to create an SBOM report for a build, pass "<build name>:<build number>" as the component_name and "build" as the package_type:
curl -XPOST "https://<ARTIFACTORY>/xray/api/v1/component/exportDetails" \
  -H "Content-Type: application/json" \
  -d '{"violations": true, "include_ignored_violations": true, "license": true, "security": true, "exclude_unknown": true, "spdx": true, "spdx_format": "json", "component_name": "<BUILD_NAME>:<BUILD_NUMBER>", "package_type": "build", "sha_256": "<SHA_256>", "output_format": "json"}' \
  -u <USER> \
  --output report.zip
This downloads a zip file containing the following reports (shown here for build name "maven-pipeline", build number "10"):
Build_maven-pipeline-10_Violations_Export.json
Build_maven-pipeline-10_License_Export.json
Build_maven-pipeline-10_SBOM_Export_SPDX.json
Build_maven-pipeline-10_Security_Export.json
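The same request as a small Python script, added here as an example and not part of the JFrog article or of JFrog's own tooling. It builds the request body the article shows (component_name as "<build name>:<build number>", package_type "build"), sends it over HTTPS with Basic authentication, and then inspects the returned zip: it lists the report files and counts the packages and distinct concluded licenses in the SPDX document. The host, user, build names and the SPDX document used for the offline demo are all constructed placeholders, and the helper names are this example's own.

```python
"""Added example (not from the JFrog article): build the exportDetails request for a
build, send it over HTTPS, and inspect the zip that comes back.

Assumptions (not stated on the page): host, credentials and build names are placeholders;
the SPDX document used for the offline demo is constructed here, not real Xray output."""
import base64
import io
import json
import urllib.request
import zipfile

EXPORT_PATH = "/xray/api/v1/component/exportDetails"


def build_export_payload(build_name, build_number, sha_256=None, spdx_format="json"):
    """Request body from the article, with the build encoded as <name>:<number>."""
    if ":" in build_name:
        raise ValueError("build name must not contain ':' (it separates name and number)")
    payload = {
        "violations": True,
        "include_ignored_violations": True,
        "license": True,
        "security": True,
        "exclude_unknown": True,
        "spdx": True,
        "spdx_format": spdx_format,
        "component_name": f"{build_name}:{build_number}",
        "package_type": "build",
        "output_format": "json",
    }
    if sha_256:
        payload["sha_256"] = sha_256
    return payload


def export_build_sbom(base_url, user, password, build_name, build_number,
                      sha_256=None, timeout=120):
    """POST the payload and return the zip as bytes. Refuses plain HTTP so the
    Basic-auth credentials never travel in cleartext."""
    if not base_url.startswith("https://"):
        raise ValueError("use an https:// base URL; Basic-auth credentials would be sent in cleartext")
    body = json.dumps(build_export_payload(build_name, build_number, sha_256)).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + EXPORT_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def summarize_sbom_zip(zip_bytes):
    """List the report files in the zip and count SPDX packages / distinct licenses."""
    summary = {"files": [], "spdx_packages": 0, "licenses": set()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            summary["files"].append(name)
            if name.endswith("_SBOM_Export_SPDX.json"):
                doc = json.loads(zf.read(name))
                for pkg in doc.get("packages", []):
                    summary["spdx_packages"] += 1
                    lic = pkg.get("licenseConcluded")
                    if lic and lic != "NOASSERTION":
                        summary["licenses"].add(lic)
    summary["licenses"] = sorted(summary["licenses"])
    return summary


def constructed_report_zip():
    """Offline stand-in for the server response: a zip with the four file names the
    article lists and a minimal, constructed SPDX 2.2 document (not real Xray output)."""
    spdx = {
        "spdxVersion": "SPDX-2.2",
        "name": "maven-pipeline-10",
        "packages": [
            {"name": "commons-io", "versionInfo": "2.11.0", "licenseConcluded": "Apache-2.0"},
            {"name": "guava", "versionInfo": "31.1-jre", "licenseConcluded": "Apache-2.0"},
            {"name": "junit", "versionInfo": "4.13.2", "licenseConcluded": "EPL-1.0"},
        ],
    }
    buf = io.BytesIO()
    prefix = "Build_maven-pipeline-10_"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(prefix + "Violations_Export.json", "[]")
        zf.writestr(prefix + "License_Export.json", "[]")
        zf.writestr(prefix + "SBOM_Export_SPDX.json", json.dumps(spdx))
        zf.writestr(prefix + "Security_Export.json", "[]")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(build_export_payload("maven-pipeline", "10"), indent=2))
    print(summarize_sbom_zip(constructed_report_zip()))
```

To run it against a real instance, replace the constructed zip with `export_build_sbom("https://<ARTIFACTORY>", "<USER>", "<PASSWORD>", "<BUILD_NAME>", "<BUILD_NUMBER>", "<SHA_256>")` and pass the returned bytes to `summarize_sbom_zip`; the `sha_256` argument is optional in this helper only because the example cannot verify what Xray requires for builds, so keep supplying it as the article does.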