dependencyGraphExportSbom
Export a software bill of materials (SBOM) for a repository. The SBOM is returned as an SPDX JSON document (see the response schema below).
Details
- Method: GET
- Path: /repos/{owner}/{repo}/dependency-graph/sbom
- Operation ID: dependency-graph/export-sbom
Parameters
{
"owner": {
"description": "The account owner of the repository. The name is not case sensitive.",
"required": true,
"location": "path",
"type": "string"
},
"repo": {
"description": "The name of the repository without the `.git` extension. The name is not case sensitive.",
"required": true,
"location": "path",
"type": "string"
}
}
Response Schema
{
"title": "Dependency Graph SPDX SBOM",
"description": "A schema for the SPDX JSON format returned by the Dependency Graph.",
"type": "object",
"properties": {
"sbom": {
"type": "object",
"properties": {
"SPDXID": {
"type": "string",
"example": "SPDXRef-DOCUMENT",
"description": "The SPDX identifier for the SPDX document."
},
"spdxVersion": {
"type": "string",
"example": "SPDX-2.3",
"description": "The version of the SPDX specification that this document conforms to."
},
"comment": {
"type": "string",
"example": "Exact versions could not be resolved for some packages. For more information: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/",
"description": "An optional comment about the SPDX document."
},
"creationInfo": {
"type": "object",
"properties": {
"created": {
"type": "string",
"example": "2021-11-03T00:00:00Z",
"description": "The date and time the SPDX document was created."
},
"creators": {
"type": "array",
"items": {
"type": "string",
"example": "GitHub"
},
"description": "The tools that were used to generate the SPDX document."
}
},
"required": [
"created",
"creators"
]
},
"name": {
"type": "string",
"example": "github/github",
"description": "The name of the SPDX document."
},
"dataLicense": {
"type": "string",
"example": "CC0-1.0",
"description": "The license under which the SPDX document is licensed."
},
"documentNamespace": {
"type": "string",
"example": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57",
"description": "The namespace for the SPDX document."
},
"packages": {
"type": "array",
"items": {
"type": "object",
"properties": {
"SPDXID": {
"type": "string",
"example": "SPDXRef-Package",
"description": "A unique SPDX identifier for the package."
},
"name": {
"type": "string",
"example": "github/github",
"description": "The name of the package."
},
"versionInfo": {
"type": "string",
"example": "1.0.0",
"description": "The version of the package. If the package does not have an exact version specified,\na version range is given. Consumers that match packages against vulnerability data should treat a range as an unresolved version rather than as a concrete one."
},
"downloadLocation": {
"type": "string",
"example": "NOASSERTION",
"description": "The location where the package can be downloaded,\nor NOASSERTION if this has not been determined."
},
"filesAnalyzed": {
"type": "boolean",
"example": false,
"description": "Whether the package's file content has been subjected to\nanalysis during the creation of the SPDX document."
},
"licenseConcluded": {
"type": "string",
"example": "MIT",
"description": "The license of the package as determined while creating the SPDX document."
},
"licenseDeclared": {
"type": "string",
"example": "NOASSERTION",
"description": "The license of the package as declared by its author, or NOASSERTION if this information\nwas not available when the SPDX document was created."
},
"supplier": {
"type": "string",
"example": "NOASSERTION",
"description": "The distribution source of this package, or NOASSERTION if this was not determined."
},
"copyrightText": {
"type": "string",
"example": "Copyright (c) 1985 GitHub.com",
"description": "The copyright holders of the package, and any dates present with those notices, if available."
},
"externalRefs": {
"type": "array",
"items": {
"type": "object",
"properties": {
"referenceCategory": {
"type": "string",
"example": "PACKAGE-MANAGER",
"description": "The category of reference to an external resource this reference refers to."
},
"referenceLocator": {
"type": "string",
"example": "pkg:gem/rails@6.0.1",
"description": "A locator for the particular external resource this reference refers to."
},
"referenceType": {
"type": "string",
"example": "purl",
"description": "The type of the external reference, for example `purl` for a package URL locator."
}
},
"required": [
"referenceCategory",
"referenceLocator",
"referenceType"
]
}
}
}
},
"required": [
"SPDXID",
"name",
"versionInfo",
"downloadLocation",
"filesAnalyzed"
]
},
"relationships": {
"type": "array",
"items": {
"type": "object",
"properties": {
"relationshipType": {
"type": "string",
"example": "DEPENDS_ON",
"description": "The type of relationship between the two SPDX elements."
},
"spdxElementId": {
"type": "string",
"description": "The SPDX identifier of the package that is the source of the relationship."
},
"relatedSpdxElement": {
"type": "string",
"description": "The SPDX identifier of the package that is the target of the relationship."
}
}
},
"required": [
"relationshipType",
"spdxElementId",
"relatedSpdxElement"
]
}
},
"required": [
"SPDXID",
"spdxVersion",
"creationInfo",
"name",
"dataLicense",
"documentNamespace",
"packages"
]
}
},
"required": [
"sbom"
]
}
Usage
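from ocp_agent import OCPAgent
agent = OCPAgent()
# Register the GitHub API so its operations are exposed as callable tools.
await agent.register_api('github')
# Call this tool. Both parameters are required path parameters (see Parameters
# above): names are not case sensitive, and `repo` is given without `.git`.
result = await agent.call_tool('dependencyGraphExportSbom', {
    'owner': 'OWNER',  # account that owns the repository
    'repo': 'REPO',    # repository name, without the `.git` extension
})
# Per the response schema above, the SPDX document is presumably found under
# `result['sbom']`; its optional `comment` field may warn that exact versions
# could not be resolved for some packages, in which case `versionInfo` holds a
# range and should not be treated as a pinned version.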