Export Component Details V2

post

https://jf.example.com/xray/api/v2/component/exportDetails

Exports component details to various formats. Returns a ZIP file containing the exported data. Requires Read permission.

Request structure: content selectors vs. format settings

Request fields fall into two independent groups, plus the identifying fields (package_type, component_name, path).

Content selectors — at least one must be true. These say what to include in the export:

vulnerabilities, violations, license, operational_risk, sast — generate a single rendered report covering the selected content (rendered with output_format)
spdx — generate an SPDX SBOM document (rendered with spdx_format; SPDX version controlled by spdx_version)
cyclonedx — generate a CycloneDX SBOM document (rendered with cyclonedx_format)
any of secrets, services, applications, iac, malicious_code — include the corresponding exposure category

Calling the endpoint without any content selector returns 400 Non of the export options were selected.

Format settings — required only when their companion content is selected, ignored otherwise:

output_format (e.g., pdf, json, csv) — required when any of vulnerabilities, violations, license, operational_risk, sast is true
spdx_format (json, tag-value) — required when spdx: true
spdx_version (2.3 default, 3.0) — optional, only meaningful when spdx: true
cyclonedx_format (json, xml) — required when cyclonedx: true

The three format dimensions are independent — a single call can combine, for example, a PDF vulnerabilities report with an SPDX SBOM (see the combinedReportAndSbom example).

Recent Requests

Time	Status	User Agent
Retrieving recent requests…

Loading…

Body Params

package_type

string

required

Package type of the component (e.g. docker, maven, npm).

component_name

string

required

Name of the component to export details for.

path

string

Path to the component in the repository.

output_format

string

Format setting. Output format for the rendered report. Required when any of vulnerabilities, violations, license, operational_risk, or sast is true. Common values: pdf, json, csv. Not a content selector by itself — a payload that sets only output_format is rejected with Non of the export options were selected.

spdx

boolean

Content selector. Generate an SPDX SBOM document. Requires spdx_format; spdx_version optionally selects the SPDX spec version.

spdx_format

string

Format setting. SPDX output format. Required when spdx: true. Values: json, tag-value.

spdx_version

string

enum

Format setting. SPDX specification version. Optional; defaults to 2.3. Only meaningful when spdx: true. Set to 3.0 to generate an SPDX 3.0 SBOM.

Allowed:

cyclonedx

boolean

Content selector. Generate a CycloneDX SBOM document. Requires cyclonedx_format.

cyclonedx_format

string

Format setting. CycloneDX output format. Required when cyclonedx: true. Values: json, xml.

vex

boolean

Generate a VEX (Vulnerability Exploitability eXchange) document alongside the selected SBOM.

violations

boolean

Content selector. Include policy violations in the rendered report. Requires output_format.

include_ignored_violations

boolean

When violations: true, include ignored violations as well.

license

boolean

Content selector. Include license information in the rendered report. Requires output_format.

exclude_unknown

boolean

When license: true, exclude components with unknown licenses from the export.

vulnerabilities

boolean

Content selector. Include security vulnerabilities in the rendered report. Requires output_format.

operational_risk

boolean

Content selector. Include operational risk information in the rendered report. Requires output_format.

secrets

boolean

Content selector. Include exposure findings of category secrets.

services

boolean

Content selector. Include exposure findings of category services.

malicious_code

boolean

Content selector. Include exposure findings of category malicious_code.

applications

boolean

Content selector. Include exposure findings of category applications.

iac

boolean

Content selector. Include exposure findings of category iac (Infrastructure as Code).

sast

boolean

Content selector. Include Static Application Security Testing (SAST) findings in the rendered report. Requires output_format.

license_resolution

boolean

When license: true, include license conclusion/resolution data.

Headers

string

enum

Defaults to application/json

Generated from available response content types

Allowed:

Responses

500

Failed to export component details.

200ZIP file containing the exported component details.

400Invalid request payload. Common causes: (a) no content selector was set — Non of the export options were selected; (b) a content selector is true but its companion format field is missing — One parameter or more are missing.