Documentation Nexus IQ Server 1.16

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

22.2. Component Information API (v1)

[Warning]

Sonatype CLM APIs are versioned. This document represents a deprecated version (v1) and we highly recommend updating to the latest version of Sonatype CLM and using the latest version of this API.

When Sonatype CLM evaluates an application, information found during the evaluation is provided via the Application Composition Report. While this is the easiest way to review this information, it can also be exported to a JSON file using the Component Information API.

The API works by sending a REST request to the Sonatype CLM Server. The request uses a specially formatted URL and can be sent with any HTTP client; in the example provided here we use cURL from the command line, and we format the returned JSON to make it a bit more readable.

Sending the Request. First, let’s take a look at the GET API we’ll be using:

GET http://localhost:8070/api/v1/applications/[applicationId]/reports/[reportId]

As you may have noticed, this API uses a URL specific to the location of the report. There are two pieces of information you will need in order to retrieve the results.

  • applicationId - The Application ID for the specific application.
  • reportId - The ID of the specific report.

There are a variety of ways to retrieve this information, including the Component Search API. However, in our example we will simply pull it from the log output of an evaluation run with Sonatype CLM for CLI.

Here’s an example of the log output produced using Sonatype CLM for CLI:

...

*********************************************************************************************
[INFO] Policy Action: None
[INFO] CLM stage: build
[INFO] Summary of policy violations: 6 critical, 11 severe, 1 moderate
[INFO] The detailed report can be viewed online at http://localhost:8070/ui/links/application/MyApp-1234/report/68b6bdb1573a40eeb4205d890b602525
[INFO]
*********************************************************************************************
[Note]

This section has been truncated, showing only the last section of the log output.

We’ll use the link for the report to gather the information we need. Here is the link itself:

http://localhost:8070/ui/links/application/MyApp-1234/report/68b6bdb1573a40eeb4205d890b602525

In the link above, the path segment after "application" and before "report" is the Application ID (MyApp-1234), and the segment after "report" is the report ID (68b6bdb1573a40eeb4205d890b602525).

[Note]

The report is also presented in a full GUI. To access this, simply paste the link in your browser. However, you will need to be at least a member of the developer group for the application that has been evaluated, or you will not be able to access the report.

Now, we can download the data using our HTTP request tool.

Downloading Component Information. Again, in our example we are going to use cURL, though any HTTP client could be used. Here is what our request looks like:

curl -u admin:admin123 -X GET "http://localhost:8070/api/v1/applications/MyApp-1234/reports/68b6bdb1573a40eeb4205d890b602525"

[Note]

Our cURL example uses the default username and password of the admin account. Your credentials may differ, but they are required for the request to be processed; if the account is not at least in the developer role for the application, an error is returned. Keep in mind that a password passed on the command line is visible in shell history and process listings; cURL prompts for the password if you pass only -u admin.
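
The steps above, as an added example in Python (not code from the Sonatype CLM documentation or product): it extracts the Application ID and report ID from a report link of the shape shown above, builds the v1 API URL on the same server, and sends the same Basic-authenticated GET that the cURL command sends. The link, server address and admin:admin123 credentials are the page's sample values; fetch_report is the only part that touches the network, and its treatment of HTTP 401/403 as the permission error described in the note is this example's assumption.

```python
"""Derive a Component Information API (v1) request from a CLM report link.

Added example, not part of the Sonatype CLM documentation or product. It
relies only on the URL shapes shown on this page; the link, server and
credentials used in __main__ are the page's sample values, not a real server.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def ids_from_report_link(link):
    """Return (applicationId, reportId) from a link of the form
    http://host:8070/ui/links/application/<applicationId>/report/<reportId>.
    """
    parts = urllib.parse.urlparse(link).path.strip("/").split("/")
    # Expected segments: ui, links, application, <applicationId>, report, <reportId>
    if len(parts) < 6 or parts[2] != "application" or parts[4] != "report":
        raise ValueError("not a CLM report link: %s" % link)
    app_id, report_id = parts[3], parts[5]
    if not app_id or not report_id:
        raise ValueError("empty applicationId or reportId in: %s" % link)
    return app_id, report_id


def api_url(link):
    """Build the v1 Component Information API URL on the same server as the link."""
    parsed = urllib.parse.urlparse(link)
    app_id, report_id = ids_from_report_link(link)
    path = "/api/v1/applications/%s/reports/%s" % (
        urllib.parse.quote(app_id, safe=""),
        urllib.parse.quote(report_id, safe=""),
    )
    return urllib.parse.urlunparse((parsed.scheme, parsed.netloc, path, "", "", ""))


def basic_auth_header(user, password):
    """The Authorization value cURL's -u option sends: base64 of user:password."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(link, user, password):
    """urllib equivalent of the cURL command on this page."""
    req = urllib.request.Request(api_url(link), method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    return req


def fetch_report(link, user, password, timeout=30):
    """Download the report JSON; needs a reachable CLM server, so it is not run offline.

    Assumption of this example: a 401 or 403 response is the error the page's
    note describes (account not in the application's developer role).
    """
    try:
        with urllib.request.urlopen(build_request(link, user, password), timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                "account lacks the developer role for this application (HTTP %d)" % err.code
            ) from err
        raise


if __name__ == "__main__":
    # The page's sample link and default admin credentials; replace both.
    link = "http://localhost:8070/ui/links/application/MyApp-1234/report/68b6bdb1573a40eeb4205d890b602525"
    print(api_url(link))
    print(json.dumps(fetch_report(link, "admin", "admin123"), indent=2))
```

HTTP Basic only base64-encodes the credentials, as basic_auth_header shows, so the request should go to an HTTPS endpoint rather than the plain http://localhost example when the server is reached over a network.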

Looking at the result through a JSON Viewer, you should see something like this:

{
   "components":[
      {
         "hash":"1249e25aebb15358bedd",
         "mavenCoordinates":{
            "groupId":"tomcat",
            "artifactId":"tomcat-util",
            "version":"5.5.23"
         },
         "matchState":"exact",
         "proprietary":false,
         "pathnames":[
            "all-your-dependencies.zip/all-your-dependencies/sample-clm-application.zip/tomcat-util-5.5.23.jar",
            "all-your-dependencies.zip/all-your-dependencies/tomcat-util-5.5.23.jar"
         ],
         "licenseData":{
            "declaredLicenses":[
               {
                  "licenseId":"Apache-2.0",
                  "licenseName":"Apache-2.0"
               }
            ],
            "observedLicenses":[
               {
                  "licenseId":"No-Sources",
                  "licenseName":"No Sources"
               }
            ],
            "overriddenLicenses":[],
            "status":"Open"
         },
         "securityData":{
            "securityIssues":[
               {
                  "source":"cve",
                  "reference":"CVE-2007-3385",
                  "severity":4.3,
                  "status":"Open"
               }
            ]
         }
      }
   ]
}

Now that you have access to this data, it can be packaged in a variety of ways. For example, you may want to use it as a bill of materials that includes the associated license data.
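
As an added example (not the page's or Sonatype's own code) of packaging the data as a bill of materials: it reads the report JSON shown above, embedded here as a constructed sample, and produces one row per component with its coordinates, license information, open security issues and highest severity, plus a CSV rendering and a severity filter. The precedence used for the "effective" license (overridden, then declared, then observed) and the CSV column layout are this example's own choices, not something the API defines.

```python
"""Package a v1 Component Information report as a small bill of materials.

Added example, not part of the Sonatype CLM documentation or product.
Field names come from the JSON shown on this page; the license precedence
and CSV layout below are this example's own choices.
"""
import csv
import io
import json

# Constructed sample: the single component from this page's example response.
SAMPLE_REPORT = json.loads("""
{"components": [{
  "hash": "1249e25aebb15358bedd",
  "mavenCoordinates": {"groupId": "tomcat", "artifactId": "tomcat-util", "version": "5.5.23"},
  "matchState": "exact",
  "proprietary": false,
  "pathnames": [
    "all-your-dependencies.zip/all-your-dependencies/sample-clm-application.zip/tomcat-util-5.5.23.jar",
    "all-your-dependencies.zip/all-your-dependencies/tomcat-util-5.5.23.jar"],
  "licenseData": {
    "declaredLicenses": [{"licenseId": "Apache-2.0", "licenseName": "Apache-2.0"}],
    "observedLicenses": [{"licenseId": "No-Sources", "licenseName": "No Sources"}],
    "overriddenLicenses": [],
    "status": "Open"},
  "securityData": {"securityIssues": [
    {"source": "cve", "reference": "CVE-2007-3385", "severity": 4.3, "status": "Open"}]}
}]}
""")

BOM_COLUMNS = ["component", "hash", "proprietary", "licenses",
               "license_status", "open_issues", "max_severity"]


def coordinates(component):
    """groupId:artifactId:version when the server identified the component, else its hash."""
    gav = component.get("mavenCoordinates")
    if gav:
        return "%s:%s:%s" % (gav["groupId"], gav["artifactId"], gav["version"])
    return "unidentified(hash=%s)" % component.get("hash", "?")


def effective_licenses(license_data):
    """License IDs to report: an override wins, then declared, then observed (example's own rule)."""
    for key in ("overriddenLicenses", "declaredLicenses", "observedLicenses"):
        ids = [entry["licenseId"] for entry in license_data.get(key, [])]
        if ids:
            return ids
    return []


def bom_rows(report):
    """One dict per component, keeping the license and security data the BOM needs."""
    rows = []
    for comp in report.get("components", []):
        lic = comp.get("licenseData", {})
        issues = comp.get("securityData", {}).get("securityIssues", [])
        open_issues = [i for i in issues if i.get("status") == "Open"]
        rows.append({
            "component": coordinates(comp),
            "hash": comp.get("hash"),
            "proprietary": bool(comp.get("proprietary", False)),
            "paths": list(comp.get("pathnames", [])),
            "declared": [entry["licenseId"] for entry in lic.get("declaredLicenses", [])],
            "observed": [entry["licenseId"] for entry in lic.get("observedLicenses", [])],
            "effective": effective_licenses(lic),
            "license_status": lic.get("status"),
            "open_issues": [i["reference"] for i in open_issues],
            # severity is a 0-10 score in the sample; 0.0 when nothing is open
            "max_severity": max((float(i.get("severity", 0)) for i in open_issues), default=0.0),
        })
    return rows


def components_at_or_above(rows, threshold):
    """Rows with at least one open security issue scored at or above threshold."""
    return [r for r in rows if r["open_issues"] and r["max_severity"] >= threshold]


def bom_csv(rows):
    """CSV rendering; list fields are joined with ';' so each component stays on one line."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(BOM_COLUMNS)
    for r in rows:
        writer.writerow([r["component"], r["hash"], r["proprietary"],
                         ";".join(r["effective"]), r["license_status"],
                         ";".join(r["open_issues"]), r["max_severity"]])
    return out.getvalue()


if __name__ == "__main__":
    rows = bom_rows(SAMPLE_REPORT)
    print(bom_csv(rows), end="")
    for r in components_at_or_above(rows, 4.0):
        print("open issue(s) on %s: %s" % (r["component"], ", ".join(r["open_issues"])))
```

To run it against a real report, replace SAMPLE_REPORT with json.load over the file the cURL command saved; the functions only depend on the field names shown in this page's response.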