Skip to main content

Enterprise Server 3.15 目前作为候选发布提供。

REST API 现已经过版本控制。 有关详细信息,请参阅“关于 API 版本控制”。

适用于软件物料清单 (SBOM) 的 REST API 终结点

使用 REST API 导出存储库的软件材料清单 (SBOM)。

如果至少具有对存储库的读取访问权限,则可以通过 GitHub UI 或 GitHub REST API,将存储库的依赖项关系图导出为与 SPDX 兼容的软件物料清单 (SBOM)。 有关详细信息,请参阅“导出存储库的软件物料清单”。

本文提供有关 REST API 终结点的详细信息。

GitHub Enterprise Server 不检索依赖项的许可证信息,也不计算依赖项、存储库以及依赖于存储库的包的信息。 响应中不会填充这些字段。

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

“Export a software bill of materials (SBOM) for a repository.”的细粒度访问令牌

此端点支持以下精细令牌类型:

精细令牌必须具有以下权限集:

  • "Contents" repository permissions (read)

如果仅请求公共资源,则无需身份验证或上述权限即可使用此终结点。

“Export a software bill of materials (SBOM) for a repository.”的参数

标头
名称, 类型, 说明
accept string

Setting to application/vnd.github+json is recommended.

路径参数
名称, 类型, 说明
owner string 必须

The account owner of the repository. The name is not case sensitive.

repo string 必须

The name of the repository without the .git extension. The name is not case sensitive.

“Export a software bill of materials (SBOM) for a repository.”的 HTTP 响应状态代码

状态代码说明
200

OK

403

Forbidden

404

Resource not found

“Export a software bill of materials (SBOM) for a repository.”的示例代码

请求示例

get/repos/{owner}/{repo}/dependency-graph/sbom
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200
{ "sbom": { "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2021-09-01T00:00:00Z", "creators": [ "Tool: GitHub.com-Dependency-Graph" ] }, "name": "github/example", "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57", "packages": [ { "SPDXID": "SPDXRef-Package", "name": "rubygems:rails", "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION" } ], "relationships": [ { "relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-Package" }, { "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Repository" } ] } }