Export Component Details V2

Xray REST APIs
Products
JFrog Xray
Content Type
REST API

Description: Export component scan results, SPDX SBOM doc or CycloneDX SBOM doc.

Note: The output is in a .zip format.

Starting with Xray version 3.112.x and above, this API supports passing an array of objects instead of a single JSON. This allows you to generate SBOM reports for multiple artifacts at a time and the aggregated reports will be returned in a “multiple_components_report.zip” file. An example request is provided in the examples below.

Security: Requires a valid user with the "Read" permission.

Usage: POST /xray/api/v2/component/exportDetails

Consumes: application/json

Produces: application/octet-stream

Request body:

Name

Type

Required/Optional

Description

component_name

string

required

Name of the component e.g image:tag

package_type

string

required

Type of the package. Acceptable values:

build, releaseBundle, releaseBundleV2, alpine, nuget, docker, npm, rpm, debian, go, pypi, conan, terraform, cran, maven, huggingfaceml, huggingface, cargo, conda, composer, npm, npm

path

string

required

path (Artifactory path) to the component

For Builds, the path should be as follows:

"path": "builds/<build-name>"

Scan results export options:

violations

boolean

optional

Include violations in the export

include_ignored_violations

boolean

optional

Include ignored violations in the export

license

boolean

optional

Include license information in the export

exclude_unknown

boolean

optional

Exclude components with unknown licenses from the export

vulnerabilities

boolean

optional

Include security vulnerabilities information in the export

operational_risk

boolean

optional

Include operational risk information in the export

secrets

boolean

optional

Include information about secrets in the export

services

boolean

optional

Include information about services in the export

applications

boolean

optional

Include information about applications in the export

iac

boolean

optional

Include information about Infrastructure as Code (IaC)

output_format

string

required

Output format of the exported scan results. Acceptable values:

pdf, csv, json - returns multiple files of the corresponding results in the requested format packed in a ZIP file.

json_full - returns all the results in a single json.

Note: SPDX and CycloneDX formats are set by their corresponding properties below.

SPDX SBOM doc export options:

spdx

boolean

optional

Generate SPDX format in the export

spdx_format

string

optional

Format of the SPDX output.

Acceptable values: json, tag:value, xlsx

CycloneDX SBOM doc export options:

cyclonedx

boolean

optional

Generate CycloneDX format in the export

cyclonedx_format

string

optional

Format of the CycloneDX output.

Acceptable values: json, xml

vex

boolean

optional

Include VEX in CycloneDX exported doc.

license_resolution

boolean

optional

License Conclusion

Sample Request exporting the scan results :

{
  "package_type": "docker",
  "component_name": "ics:latest",
  "path": "my-dockers/ics/latest/manifest.json",

  "violations": true,
  "include_ignored_violations": true,
  "license": true,
  "exclude_unknown": false,
  "operational_risk": true,
  "security": true,
  "secrets": true,
  "services": true,
  "applications": true,
  "output_format": "pdf"
}

Sample Request - exporting CycloneDX Doc:

{
  "package_type": "docker",
  "component_name": "image:tag",
  "path": "my-dockers/ics/latest/manifest.json",
  
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}

Sample Request - exporting SPDX and CycloneDX JSON Docs:

{
  "package_type": "maven",
  "component_name": "org.eclipse.jdt:ecj:3.12.3",
  "path":"my-maven-local/ecj/ecj/3.12.3/ecj-3.12.3.jar",

  "spdx": true,
  "spdx_format": "json",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}

Sample Request - exporting CycloneDX Doc for build scan within a Project:
{
  "package_type": "build",
  "component_name": "my-build:6",
  "path": "MyProjectKey-build-info/my-build",
  
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": true
}
Sample Request - exporting CycloneDX Doc for Release Bundle V2:
curl -u<USERNAME>:<PASSWORD> -L '<BASE_URL>/xray/api/v2/component/exportDetails' \
  -H 'Content-Type: application/json' \
  -d '{
    "package_type": "releaseBundleV2",
    "component_name": "<RELEASE BUNDLE NAME>:<RELEASE BUNDLE VERSION>",
    "path": "release-bundles-v2/<RELEASE BUDNLE NAME>",
    "cyclonedx": true,
    "cyclonedx_format": "json",
    "vex": true
  }'
Sample request - Passing an array of objects instead of a single JSON
[
{
  "package_type": "docker1",
  "component_name": "image1:tag",
  "path": "my-dockers/ics1/latest/manifest.json",
  
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
},
{
  "package_type": "docker2",
  "component_name": "image2:tag",
  "path": "my-dockers/juice-shop/latest/manifest.json",
  
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}
]
Response Codes:
Response Codes
Description
200
Success
400
Invalid request payload
403
No permission to component
500
Failed to export component details