SBOM report from JFrog-CLI tool

[ccconnected]

Good day JFrog-CLI Team,

I am interested in obtaining SBOM report from JFrog-CLI tool.
From this REST API https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-ExportComponentDetails I see there are available options:

"spdx": true | false,
"spdx_format": "json | tag:value | xlsx",
"cyclonedx": true | false,
"cyclonedx_format": "json | xml"

Could something like this be implemented for JFrog-CLI tool, e.g. switches --spdx, --spdx_format, --cyclonedx, --cyclonedx_format?

Kind regards!

[eyalbe4]

@ccconnected,
Would you like to try using the jf xr curl command to invoke this REST API?

[ccconnected]

@eyalbe4 Could you please clarify how could I get an SBOM from a file on the Local File System (e.g. .tgz, .zip, or .deb) using that command? A full example command would help.

[ccconnected]

@eyalbe4 I originally thought about adding an SBOM switch to On-Demand Binary Scan command, something in the lines of:

jf s "*.tgz" --licenses --cyclonedx

[jghal]

I just went down this rabbit hole. The main issue is finding the sha_256 for the build info to supply to the component/exportDetails API. Assuming you're publishing your build info to, you first call the dependencyGraph/build API

{
 "artifactory_id":"default",
 "build_name":"npmtest3",
 "build_number":"1.3.1",
 "build_repo":"testproject1-build-info"
}

And you can parse the build info's sha_256 out of the response (jq -r '.build.sha256'). Then you can call the component/exportDetails API

jf xr curl 'api/v1/component/exportDetails' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ...' \
--data '{
"component_name":"npmtest:1.2.8",
"package_type":"build",
"output_format":"json",
"spdx":false,
"cyclonedx":true,
"cyclonedx_format":"json",
"sha_256":"7584db7d50c349ad20071ecb8cf8dfb1216e69ca24a2d6435751242f9c88d14e"
}' -o sbom.zip

This should get you the CycloneDX SBOM for the published and scanned build info. However, I would very much like a more direct option built into the commands that perform the Xray scan.

[jghal]

@eyalbe4 I'm trying to use the v2 export component details API as it looks like it gets rid of the need to first pull the build dependency graph to find the sha. But all I can get back is {"error":"Invalid request payload"}.

$ jf xr curl 'api/v2/component/exportDetails' \
--header 'Content-Type: application/json'
--data '{
"component_name":"npmtest3:1.3.1",
"package_type":"build",
"path":"testproject1-build-info/npmtest3/1.3.1-1234567890.json",
"cyclonedx":true,
"cyclonedx_format":"json"
}' -o report.json
$ cat output.json 
{"error":"Invalid request payload"}

Am I on the right track with setting the path to the build info's json file? What's the best way for us to find the right <id> for the path? For now I looked it up manually in the UI but that's no good for during a pipeline.