Description: Export component scan results, SPDX SBOM doc or CycloneDX SBOM doc.
Note: The output is in a .zip format.
Starting with Xray version 3.112.x, this API accepts an array of objects instead of a single JSON object. This lets you generate SBOM reports for multiple artifacts in one request; the aggregated reports are returned in a “multiple_components_report.zip” file. An example request is provided in the examples below.
Security: Requires a valid user with the "Read" permission.
Usage: POST /xray/api/v2/component/exportDetails
Consumes: application/json
Produces: application/octet-stream
Request body:
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| component_name | string | required | Name of the component, e.g. image:tag |
| package_type | string | required | Type of the package. Acceptable values: build, releaseBundle, releaseBundleV2, alpine, nuget, docker, npm, rpm, debian, go, pypi, conan, terraform, cran, maven, huggingfaceml, huggingface, cargo, conda, composer |
| path | string | required | Artifactory path to the component |
| **Scan results export options:** | | | |
| violations | boolean | optional | Include violations in the export |
| include_ignored_violations | boolean | optional | Include ignored violations in the export |
| license | boolean | optional | Include license information in the export |
| exclude_unknown | boolean | optional | Exclude components with unknown licenses from the export |
| security | boolean | optional | Include security vulnerabilities information in the export |
| operational_risk | boolean | optional | Include operational risk information in the export |
| secrets | boolean | optional | Include information about secrets in the export |
| services | boolean | optional | Include information about services in the export |
| applications | boolean | optional | Include information about applications in the export |
| | boolean | optional | Include information about Infrastructure as Code (IaC) |
| output_format | string | required | Output format of the exported scan results. Acceptable values: pdf, csv, json (each returns multiple files of the corresponding results in the requested format, packed in a ZIP file); json_full (returns all the results in a single JSON). Note: SPDX and CycloneDX formats are set by their corresponding properties below. |
| **SPDX SBOM doc export options:** | | | |
| spdx | boolean | optional | Generate SPDX format in the export |
| spdx_format | string | optional | Format of the SPDX output. Acceptable values: json, tag:value, xlsx |
| **CycloneDX SBOM doc export options:** | | | |
| cyclonedx | boolean | optional | Generate CycloneDX format in the export |
| cyclonedx_format | string | optional | Format of the CycloneDX output. Acceptable values: json, xml |
| vex | boolean | optional | Include VEX in CycloneDX exported doc. |
Sample Request - exporting the scan results:

```json
{
  "package_type": "docker",
  "component_name": "ics:latest",
  "path": "my-dockers/ics/latest/manifest.json",
  "violations": true,
  "include_ignored_violations": true,
  "license": true,
  "exclude_unknown": false,
  "operational_risk": true,
  "security": true,
  "secrets": true,
  "services": true,
  "applications": true,
  "output_format": "pdf"
}
```
Sample Request - exporting CycloneDX Doc:

```json
{
  "package_type": "docker",
  "component_name": "image:tag",
  "path": "my-dockers/ics/latest/manifest.json",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}
```
Sample Request - exporting SPDX and CycloneDX JSON Docs:

```json
{
  "package_type": "maven",
  "component_name": "org.eclipse.jdt:ecj:3.12.3",
  "path": "my-maven-local/ecj/ecj/3.12.3/ecj-3.12.3.jar",
  "spdx": true,
  "spdx_format": "json",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}
```
Sample Request - exporting CycloneDX Doc for build scan:

```json
{
  "package_type": "build",
  "component_name": "my-build:26",
  "path": "artifactory-build-info/",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}
```
Sample Request - exporting CycloneDX Doc for build scan within a Project:

```json
{
  "package_type": "build",
  "component_name": "my-build:6",
  "path": "MyProjectKey-build-info/",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": true
}
```
Sample Request - exporting CycloneDX Doc for Release Bundle V2:

```json
{
  "component_name": "[omerbu-ob-release-bundles-v2]/omer-rb:1",
  "package_type": "releaseBundleV2",
  "path": "omerbu-ob-release-bundles-v2/omer-rb",
  "cyclonedx": true,
  "cyclonedx_format": "json",
  "vex": false
}
```
Sample Request - passing an array of objects instead of a single JSON object:

```json
[
  {
    "package_type": "docker",
    "component_name": "image1:tag",
    "path": "my-dockers/ics1/latest/manifest.json",
    "cyclonedx": true,
    "cyclonedx_format": "json",
    "vex": false
  },
  {
    "package_type": "docker",
    "component_name": "image2:tag",
    "path": "my-dockers/juice-shop/latest/manifest.json",
    "cyclonedx": true,
    "cyclonedx_format": "json",
    "vex": false
  }
]
```
Response Codes:
Response Codes | Description |
---|---|
200 | Success |
400 | Invalid request payload |
403 | No permission to component |
500 | Failed to export component details |
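
A pre-flight check that catches payloads likely to come back as 400, written as an added example (not JFrog's code). It validates a single object or an array against the acceptable values listed in the request-body table; the function names, the Bearer-token header and the "at least one export selected" rule are assumptions of this example.

```python
import json
import urllib.request

# Acceptable values copied from the request-body table on this page.
PACKAGE_TYPES = {"build", "releaseBundle", "releaseBundleV2", "alpine", "nuget",
                 "docker", "npm", "rpm", "debian", "go", "pypi", "conan",
                 "terraform", "cran", "maven", "huggingfaceml", "huggingface",
                 "cargo", "conda", "composer"}
ENUMS = {"output_format": {"pdf", "csv", "json", "json_full"},
         "spdx_format": {"json", "tag:value", "xlsx"},
         "cyclonedx_format": {"json", "xml"}}
FLAGS = {"violations", "include_ignored_violations", "license", "exclude_unknown",
         "security", "operational_risk", "secrets", "services", "applications",
         "spdx", "cyclonedx", "vex"}

def validate_export_request(body):
    """Return a list of problems for one request object or an array of them."""
    problems = []
    for i, item in enumerate(body if isinstance(body, list) else [body]):
        if not isinstance(item, dict):
            problems.append(f"[{i}] not a JSON object")
            continue
        for key in ("component_name", "package_type", "path"):
            if not isinstance(item.get(key), str) or not item[key]:
                problems.append(f"[{i}] {key}: required non-empty string")
        pt = item.get("package_type")
        if isinstance(pt, str) and pt and pt not in PACKAGE_TYPES:
            problems.append(f"[{i}] package_type: {pt!r} is not an accepted value")
        for key, allowed in ENUMS.items():
            if key in item and not (isinstance(item[key], str) and item[key] in allowed):
                problems.append(f"[{i}] {key}: must be one of {sorted(allowed)}")
        for key in sorted(FLAGS.intersection(item)):
            if not isinstance(item[key], bool):
                problems.append(f"[{i}] {key}: must be a JSON boolean")
        # Assumption: every object has to select at least one export.
        if not (item.get("output_format") or item.get("spdx") or item.get("cyclonedx")):
            problems.append(f"[{i}] no export selected (output_format, spdx or cyclonedx)")
    return problems

def build_request(base_url, token, body):
    """Build (but do not send) the POST; raise ValueError if the body is invalid."""
    problems = validate_export_request(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = base_url.rstrip("/") + "/xray/api/v2/component/exportDetails"
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}  # assumption: access-token auth
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")
```

Pass the returned object to `urllib.request.urlopen` and write the response bytes to a `.zip` file; the IaC option is not checked because its field name does not appear on this page.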