
I'm trying to retrieve the vulnerabilities and licenses reports (ideally in .csv format) using the Xray API. Before coding it in Groovy, I'm trying to make it work using curl.

I've been reading the documentation, but can't find a detailed explanation or useful examples.

For example, running the following:

curl -X POST -u<user>:<pswrd> -H "Content-Type: application/json" -d '{"checksums":["1b25b...."],"report_type":"license"}' "https://<my-xray-server>/xray/api/v1/summary/artifact"

does return, for the specified (by checksum) artifact, the list of both

  • issues (vulnerabilities)
  • licenses

in the same JSON report, despite my explicitly specifying "report_type":"license" to get the licenses report only. Is there a way to retrieve the vulnerabilities/licenses reports separately? Is there a way to get those reports in .csv format (instead of the default JSON)? TIA!

Max

1 Answer


You should work with the Xray REST API docs.

More specifically, create a vulnerabilities report or a due diligence report (licenses) and then export it in the desired format (CSV is supported).

Example of how the commands would actually look:

  1. Create the report
curl -u<user>:<password> -X POST https://server/xray/api/v1/reports/vulnerabilities -H "Content-Type: application/json" -d '<json block>'
  2. Export the report (the URL is quoted so the shell does not treat the & in the query string as a job separator)
curl -u<user>:<password> -X GET "https://server/xray/api/v1/reports/export/{id}?file_name=vuln_report_1&format=csv"
Eldad Assis
  • Thanks @Eldad! I definitely was looking at those API docs. And they are not sufficient (in my opinion). Looking at those docs I can't figure out how to create a `curl` command. Let's say I want to generate a CSV `due diligence report` for artifact `myArtifact1.tar.gz` in the repo `max_artifacts`. No additional filters needed. What would be an example of such a curl? – Max Feb 21 '23 at 14:42
  • Also, an example of monitoring the report status (when it switches from `pending` to `completed` or similar) would be helpful. – Max Feb 21 '23 at 14:44
  • You are right. The docs are poorly formatted. I know there is effort to improve this. The general syntax would be `curl -u: -X POST https://server/xray/api/v1/reports/vulnerabilities -H "Content-Type: application/json" -d ''`. – Eldad Assis Feb 21 '23 at 20:38
  • Can we generate the reports dynamically with a scope of defined repos and builds using an Azure DevOps pipeline? The API call JSON seems a bit difficult to modify with the pipeline parameters or variables for repos and builds. – Vowneee Jun 07 '23 at 20:50
  • Try looking at https://jfrog.com/help/r/jfrog-cli/scanning-files-on-the-local-file-system and see if it helps. Basically, using the JFrog CLI to trigger Xray actions. – Eldad Assis Jun 08 '23 at 17:29
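The create/poll/export flow the answer describes, and the status monitoring asked for in the comments, as an added example that is not code from the original post or from JFrog. The two endpoints the answer shows (reports/vulnerabilities and reports/export/{id}) are used as given; the licenses endpoint (reports/licenses), the report-details endpoint (GET reports/{id} with a "status" field), the "report_id" field in the create reply, and the request-body field names are assumptions not confirmed by the page, and the base URL and credentials are placeholders.

```shell
# Added example. Assumed (not from the page): POST reports/licenses, GET reports/{id}
# returning "status", "report_id" in the create reply, and the request-body field names.
set -eu
XRAY_URL="${XRAY_URL:-https://server}"      # placeholder base URL
XRAY_USER="${XRAY_USER:-user:password}"     # placeholder credentials

# Thin wrapper around curl; the URL is always quoted. Overridable for offline testing.
xray_call() {                               # usage: xray_call METHOD PATH [JSON_BODY]
  if [ $# -ge 3 ]; then
    curl -sS -u "$XRAY_USER" -X "$1" -H "Content-Type: application/json" -d "$3" "$XRAY_URL$2"
  else
    curl -sS -u "$XRAY_USER" -X "$1" "$XRAY_URL$2"
  fi
}

# Request body scoped to one repository, optionally narrowed to a path pattern
# (field names are assumptions).
report_payload() {                          # usage: report_payload NAME REPO [PATTERN]
  if [ $# -ge 3 ]; then
    printf '{"name":"%s","resources":{"repositories":[{"name":"%s","include_path_patterns":["%s"]}]}}' "$1" "$2" "$3"
  else
    printf '{"name":"%s","resources":{"repositories":[{"name":"%s"}]}}' "$1" "$2"
  fi
}

# Pull one scalar field out of a flat JSON reply without needing jq.
json_field() {                              # usage: json_field KEY JSON
  printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# TYPE is "vulnerabilities" or "licenses"; prints the new report id.
create_report() {                           # usage: create_report TYPE NAME REPO [PATTERN]
  json_field report_id "$(xray_call POST "/xray/api/v1/reports/$1" "$(report_payload "$2" "$3" ${4:+"$4"})")"
}

# Poll until the report leaves its queued states; succeed only on "completed".
wait_for_report() {                         # usage: wait_for_report ID [SLEEP_SECONDS]
  while :; do
    status=$(json_field status "$(xray_call GET "/xray/api/v1/reports/$1")")
    case $status in
      pending|running) sleep "${2:-5}" ;;
      completed) echo completed; return 0 ;;
      *) echo "$status"; return 1 ;;     # failed, aborted, or an unexpected reply
    esac
  done
}

# Export as CSV; quoting the URL keeps the shell from treating "&" as a job separator.
export_csv() {                              # usage: export_csv ID FILE_NAME OUT_PATH
  curl -sS -u "$XRAY_USER" -o "$3" "$XRAY_URL/xray/api/v1/reports/export/$1?file_name=$2&format=csv"
}
# id=$(create_report licenses due_diligence_1 max_artifacts myArtifact1.tar.gz) &&
#   wait_for_report "$id" && export_csv "$id" due_diligence_1 due_diligence_1.out
```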