SCA (Projects & Releases) API
- 04 Mar 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
SCA (Projects & Releases) API
- Updated on 04 Mar 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
The Software Composition Analysis (SCA) Repository API has to query, create, and update projects, releases, and related components on a ProGet instance.
All API endpoints are accessed through the following base URL:
/api/sca/...
🛠️ Projects Endpoints
Create/Update Project - Creates or updates a project
Get Project - Describes a specified project
List Projects - Lists and describes specified projects
🚀 Releases Endpoints
Create/Update Release - Creates or updates a release
Get Release - Describes a specified release
List Releases - Lists and describes specified releases
Analyze Release - Runs an analysis on a specified release
🚩 Issues Endpoints
List Issues - Lists and describes specified issues
Delete Issues - Deletes a specified issue
Resolve Issue - Sets a specified issue to resolved
💬 Comments Endpoints
Create/Update Comment - Creates or updates a comment
List Comments - Lists and describes specified comments
Delete Comment - Deletes a specified comment
📄 SBOM Document Endpoints
Endpoints for managing "Software Bill of Material" (SBOM) documents
Export SBOM Endpoint - Exports a SBOM document from ProGet
Import SBOM Endpoint - Imports a SBOM document to ProGet
Authenticating to SCA Repository API Endpoints
The following is a summary of access types and their corresponding requirements for various API key types and endpoints within this API.
| Access Type | Requirements |
|---|---|
| System API Keys | Manage Projects & Releases and/or Upload SBOM documents |
| Feed API Keys | not usable |
| Personal API Key | associated user must have one of: • Projects_View • Projects_ResolveIssue• Projects_UploadSbom• Projects_Manage |
| No API Key | anonymous or authenticated user must have at one of the above permissions |
To specify an API Key, use the request header (X-ApiKey), querystring (key), or api:«api-key» as the username. See API Key Usage to learn more.
🚀 Quick Example: Authenticating with curl
For example, to authenticate with the API key abc12345 to the List Projects endpoint, you could specify the API key as follows:
curl -X GET -H "X-ApiKey: abc12345" "https://proget.corp.local/api/sca/projects"
If the provided API key is either missing, unknown/incorrect, or does not have permission, the following message is returned:
403 The specified API key does not have the proper permissions to perform this action.
Data Specifications
ProjectInfo Object Properties
ProjectInfo is a set of key/value pairs that correspond to the fields on a Project. It's used as both input and output data for various endpoints:
- Output: Create/Update Project and List Projects endpoints return
ProjectInfoas a JSON-formatted object; all values are returned - Input: Create/Update Project endpoint receives
ProjectInfoas a JSON-formatted object; a missing property indicates that the value should not be updated
Note that some values are optional (indicated by string?), and may be set to null or an empty string.
| Property | Format | Notes |
|---|---|---|
id | int | internal ID of project |
name | string | must be unique across the system |
description | string? | markdown-based description of project, shown UI |
type | string? | SBOM Metadata field |
url | string? | SBOM Metadata field |
JSON Object
{
"id":1,
"name":"myProject"
}
ReleaseInfo Object Properties
ReleaseInfo is a set of key/value pairs that correspond to the fields on a Release. It's used as both input and output data for various endpoints:
- Output: Create/Update Release and List Releases endpoints return
ReleaseInfoas a JSON-formatted object; all values are returned - Input: Create/Update Release endpoint receives
ReleaseInfoas a JSON-formatted object; a missing property indicates that the value should not be updated
Note that some values are optional (indicated by string?), and may be set to null or an empty string.
| Property | Format | Notes |
|---|---|---|
project | string | The name of the project |
version | string | The release version number |
active | bool | Indicates whether the release is active/inactive |
url | string? | SBOM Metadata field |
comments | CommentInfo[]? | An array of CommentInfo objects |
viewReleaseUrl | string? | Introduced in v2022.10; an absolute URL for the release overview page |
viewIssuesUrl | string? | Introduced in v2022.10; an absolute URL for the release issues page |
packages | PackageInfo[]? | Introduced in v2022.16; An array of PackageInfo objects |
JSON Object
{
"project":"myProject",
"version":"1.2.3",
"active":true,
"viewReleaseUrl":"http://proget.corp.local/projects/release?projectReleaseId=2",
"viewIssuesUrl":"http://proget.corp.local/projects/release/issues?projectReleaseId=2",
"comments": [
{
"number": 1,
"by": "proget",
"date": "2024-01-24T02:10:36.993Z",
"comment": "I am a comment."
},
{
"number": 2,
"by": "proget",
"date": "2024-01-24T03:45:21.567Z",
"comment": "I am another comment."
}
],
"packages": [
{
"purl": "pkg:myGroup/myPackage@1.2.3",
"vulnerabilities": [
{
"id": "CVE-2021-12345",
"title": "Security Vulnerability A",
"description": "This is an example of a high-severity security vulnerability.",
"score": 9.8,
"assessment": "Critical"
},
{
"id": "CVE-2021-67890",
"title": "Security Vulnerability B",
"description": "Another example of a medium-severity security vulnerability.",
"score": 6.5,
"assessment": "Moderate"
}
],
"licenses": ["MIT", "Apache-2.0"]
},
{
"purl": "pkg:myGroup/anotherPackage@2.0.1",
"vulnerabilities": [],
"licenses": ["GPL-3.0"]
}
]
}
IssueInfo Properties
IssueInfo is a set of key/value pairs that correspond to the fields on an Issue. It's used as output data for the List Issues endpoint, returning IssueInfo as a JSON-formatted object.
Note that some values are optional (indicated by string?), and may be set to null or an empty string.
| Property | Format | Notes |
|---|---|---|
project | string | The name of the project |
version | string | The release version number |
number | number | The issue number |
created | string | The date the issue was created |
type | string | The issue type (V=VulnerablePackage, M=MissingPackage, O=OutdatedPackage, L=LicenseViolation) |
purl | string | The package URL of the package associated with the issue |
vulnerability | string? | The ID of the related vulnerability if type is V |
JSON Object
{
"project": "myProject",
"version": "1.2.3",
"number": 123,
"created": "2024-01-23T12:00:00Z",
"type": "V",
"purl": "pkg:myGroup/myPackage@v1.2.3",
"vulnerability": "12345"
}
CommentInfo Object Properties
CommentInfo is a set of key/value pairs that correspond to the fields on a Comment. It's used as both input and output data for various endpoints:
- Output: Create/Update Comment and List Comments endpoints return
CommentInfoas a JSON-formatted object; all values are returned - Input: Create/Update Comment endpoint receives
CommentInfoas a JSON-formatted object; only thecommentfield will be updated
Note that some values are optional (indicated by string?), and may be set to null or an empty string.
| Property | Format | Notes |
|---|---|---|
number | number | The comment number |
by | string | The name of the user that created the comment |
date | string | The date the comment was created |
comment | string | The comment text |
JSON Object
{
"number":1,
"by":"proget",
"date":"2024-01-24T02:10:36.993Z",
"comment":"I am a new comment."
}
PackageInfo Properties
PackageInfo is a set of key/value pairs that correspond to the fields on a Package. It's used as a parameter on a ReleaseInfo object.
| Property | Format | Notes |
|---|---|---|
purl | string | A package url of the package |
vulnerabilities | VulnerabilityInfo[] | An array of VulnerabilityInfo objects |
licenses | string[] | An array of license IDs (SPDX codes) |
JSON Object
{
"purl": "pkg:myGroup/myPackage@1.2.3",
"vulnerabilities": [
{
"id": "CVE-2021-12345",
"title": "Security Vulnerability A",
"description": "This is an example of a high-severity security vulnerability.",
"score": 9.8,
"assessment": "Critical"
},
{
"id": "CVE-2021-67890",
"title": "Security Vulnerability B",
"description": "Another example of a medium-severity security vulnerability.",
"score": 6.5,
"assessment": "Moderate"
}
],
"licenses": ["MIT", "Apache-2.0"]
}
VulnerabilityInfo Properties
VulnerabilityInfo is a set of key/value pairs that correspond to the fields on a Vulnerability. It's used as a parameter on a PackageInfo object.
| Property | Format | Notes |
|---|---|---|
id | string | The ID of the vulnerability |
title | string | The title of the vulnerability |
description | string | The description of the vulnerability |
score | number? | The CSSV score, if one is set on the vulnerability |
assessment | string? | The assessment type, if set |
JSON Object
{
"id": "CVE-2021-12345",
"title": "Security Vulnerability A",
"description": "This is an example of a high-severity security vulnerability.",
"score": 9.8,
"assessment": "Critical"
},
Was this article helpful?
