- Create a pipeline-level dependency list export
- Get single dependency list export
- Download dependency list export
Dependency list export API
Every call to this endpoint requires authentication.
Create a pipeline-level dependency list export
Introduced in GitLab 16.4 with a flag named merge_sbom_api
. Enabled by default. This feature is an Experiment.
merge_sbom_api
.
On GitLab.com, this feature is available.Create a new CycloneDX JSON export for all the project dependencies detected in a pipeline.
If an authenticated user doesn’t have permission to
read_dependency,
this request returns a 403 Forbidden
status code.
SBOM exports can be only accessed by the export’s author.
POST /pipelines/:id/dependency_list_exports
Attribute | Type | Required | Description |
---|---|---|---|
id | integer | yes | The ID of the pipeline which the authenticated user has access to. |
export_type | string | yes | This must be set to sbom . |
curl --request POST --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/pipelines/1/dependency_list_exports" --data "export_type=sbom"
The created dependency list export is automatically deleted after 1 hour.
Example response:
{
"id": 2,
"has_finished": false,
"self": "http://gitlab.example.com/api/v4/dependency_list_exports/2",
"download": "http://gitlab.example.com/api/v4/dependency_list_exports/2/download"
}
Get single dependency list export
Get a single dependency list export.
GET /security/dependency_list_exports/:id
Attribute | Type | Required | Description |
---|---|---|---|
id | integer | yes | The ID of the dependency list export. |
curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/security/dependency_list_exports/2"
The status code is 202 Accepted
when the dependency list export is being generated, and 200 OK
when it’s ready.
Example response:
{
"id": 4,
"has_finished": true,
"self": "http://gitlab.example.com/api/v4/dependency_list_exports/4",
"download": "http://gitlab.example.com/api/v4/dependency_list_exports/4/download"
}
Download dependency list export
Download a single dependency list export.
GET /security/dependency_list_exports/:id/download
Attribute | Type | Required | Description |
---|---|---|---|
id | integer | yes | The ID of the dependency list export. |
curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/security/dependency_list_exports/2/download"
The response is 404 Not Found
if the dependency list export is not finished yet or was not found.
Example response:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:aec33827-20ae-40d0-ae83-18ee846364d2",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "Gitlab",
"name": "Gemnasium",
"version": "2.34.0"
}
],
"authors": [
{
"name": "Gitlab",
"email": "support@gitlab.com"
}
],
"properties": [
{
"name": "gitlab:dependency_scanning:input_file",
"value": "package-lock.json"
}
]
},
"components": [
{
"name": "com.fasterxml.jackson.core/jackson-core",
"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.2",
"version": "2.9.2",
"type": "library",
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://spdx.org/licenses/MIT.html"
}
},
{
"license": {
"id": "BSD-3-Clause",
"url": "https://spdx.org/licenses/BSD-3-Clause.html"
}
}
]
}
]
}