@@ -38,7 +38,7 @@ The following Package Managers are currently supported:
3838- Go Modules (` gomodules ` )
3939- Pip (` pip ` )
4040
41- ## Dependency Analysis ` /api/v3 /analysis `
41+ ## Dependency Analysis ` /api/v4 /analysis `
4242
4343The expected input data format is a Software Bill of Materials (SBOM) containing the aggregate of all direct and transitive
4444dependencies of a project.
@@ -60,7 +60,7 @@ The generated file will be located under `./target/bom.json`. Make sure the requ
6060Then you can analyise the vulnerabilities with the following command:
6161
6262``` bash
63- $ http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " application/json" ' target/bom.json'
63+ $ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " application/json" ' target/bom.json'
6464```
6565
6666### Verbose Mode
@@ -69,22 +69,39 @@ When the Dependency Graph Analysis returns a JSON report it contains all vulnera
6969in order to retrieve just a Summary. Use the ` verbose=false ` Query parameter to disable it.
7070
7171``` bash
72- $ http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " application/json" ' target/sbom.json'
72+ $ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " application/json" ' target/sbom.json'
7373
7474{
75- " dependencies"
76- " summary"
77- " dependencies"
78- " scanned"
79- " transitive"
80- },
81- " vulnerabilities"
82- " critical"
83- " direct"
84- " high"
85- " low"
86- " medium"
87- " total"
75+ " scanned"
76+ " total"
77+ " direct"
78+ " transitive"
79+ },
80+ " providers"
81+ " oss-index"
82+ " status"
83+ " ok"
84+ " name" " oss-index"
85+ " code"
86+ " message" " OK"
87+ },
88+ " sources"
89+ " oss-index"
90+ " summary"
91+ " direct"
92+ " transitive"
93+ " total"
94+ " dependencies"
95+ " critical"
96+ " high"
97+ " medium"
98+ " low"
99+ " remediations"
100+ " recommendations"
101+ },
102+ " dependencies"
103+ }
104+ }
88105 }
89106 }
90107}
@@ -98,15 +115,22 @@ that specific provider will not show all the details.
98115To provide the client authentication tokens use HTTP Headers in the request. The format for the tokens Headers is ` ex-provider-token ` . e.g. ` ex-snyk-token ` :
99116
100117``` bash
101- http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
118+ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
102119```
103120
104121In case the vulnerability provider requires of Basic Authentication the headers will be ` ex-provider-user ` and ` ex-provider-token ` .
105122
106123``` bash
107- http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
124+ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
108125```
109126
127+ ### V3 Support
128+
129+ As long as clients consume V3 we will keep backwards compatible responses. The main difference between V4 and V3 is the multisource data model where providers
130+ can report vulnerabilities from multiple sources. In V3, all vulnerabilities will be merged and counted together.
131+
132+ The HTML report will always be multisource using V4 data.
133+
110134### HTML Report
111135
112136By default the response Content-Type will be ` application/json ` but if the ` text/html ` media type is requested instead, the response
@@ -118,7 +142,7 @@ The HTML report will show limited information:
118142- Private vulnerabilities (i.e. vulnerabilities reported by the provider) will not be displayed.
119143
120144``` bash
121- $ http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
145+ $ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " text/html" ' target/sbom.json'
122146
123147< html>
124148...
@@ -132,7 +156,7 @@ For that, use the `Accept: multipart/mixed` request header.
132156
133157
134158``` bash
135- http :8080/api/v3 /analysis Content-Type:" application/vnd.cyclonedx+json" " multipart/mixed" ' target/sbom.json'
159+ http :8080/api/v4 /analysis Content-Type:" application/vnd.cyclonedx+json" " multipart/mixed" ' target/sbom.json'
136160HTTP/1.1 200 OK
137161 boundary=" ----=_Part_2_2047647971.1682593849895"
138162Content-Type: multipart/mixed;
@@ -147,23 +171,37 @@ Content-Type: application/json
147171Content-Transfer-Encoding: binary
148172
149173{
150- " summary"
151- " dependencies"
152- ...
153- },
154- " vulnerabilities"
155- ...
156- }
157- },
158- " dependencies"
159- {
160- " ref"
161- " name" " log4j:log4j"
162- " version" " 1.2.17"
163- },
164- ...
174+ {
175+ " scanned"
176+ " total"
177+ " direct"
178+ " transitive"
179+ },
180+ " providers"
181+ " oss-index"
182+ " status"
183+ " ok"
184+ " name" " oss-index"
185+ " code"
186+ " message" " OK"
187+ },
188+ sources" : {
189+ " oss-index" : {
190+ " summary" : {
191+ ...
192+ },
193+ " dependencies" : [
194+ {
195+ " ref" : {
196+ " name" : " " ,
197+ " version" : " "
198+ },
199+ ...
200+ }
201+ }
202+ }
165203 }
166- ]
204+ }
167205}
168206------=_Part_2_2047647971.1682593849895
169207Content-Type: text/html
@@ -192,7 +230,7 @@ The request will be a GET to the `/token` path containing the HTTP header with t
192230other HTTP requests. i.e. ` ex-<provider>-token`
193231
194232` ` `
195- http -v :8080/api/v3 /token ex-snyk-token==example-token
233+ http -v :8080/api/v4 /token ex-snyk-token==example-token
196234` ` `
197235
198236The possible responses are:
0 commit comments