SBOM Upload Validator API

REST API for uploading SBOMs to Dependency-Track with hierarchical project management.

🏗️ Project Hierarchy

District (SuperParent) → Business Line (Parent) → Project (Child)

Each new SBOM creates a new version, not a new project
New versions are cloned from the latest version, preserving vulnerability analysis
Rich metadata and tagging for GitLab pipeline integration

POST /api/v1/sbom/upload

Upload SBOM with metadata for GitLab pipeline integration.

Required Form Fields:

district - District name (SuperParent)
business_line - Business line name (Parent)
project_name - Project name (Child)
version - Project version
sbom - SBOM file (multipart/form-data)

Optional Form Fields:

gitlab_project_id - GitLab project ID
gitlab_pipeline_id - GitLab pipeline ID
commit_sha - Git commit SHA
branch - Git branch (default: main)
tags - Comma-separated custom tags

Example cURL:

curl -X POST http://localhost:8888/api/v1/sbom/upload \
  -F "district=North America" \
  -F "business_line=Financial Services" \
  -F "project_name=payment-api" \
  -F "version=1.2.3" \
  -F "gitlab_project_id=123" \
  -F "commit_sha=abc123def456" \
  -F "branch=main" \
  -F "tags=production,api" \
  -F "sbom=@/path/to/sbom.json"

GET /api/v1/projects/hierarchy

Get project hierarchy for a district/business line.

Query Parameters:

district (required) - District name
business_line (optional) - Filter by business line

Example:

GET /api/v1/projects/hierarchy?district=North%20America&business_line=Financial%20Services

GET /api/v1/projects/{project_name}/versions

Get all versions for a specific project.

Query Parameters:

district (required) - District name
business_line (required) - Business line name

Example:

GET /api/v1/projects/payment-api/versions?district=North%20America&business_line=Financial%20Services

GET /health

Health check endpoint for load balancers.

Response:

{"status": "healthy", "service": "sbom-upload-validator"}

🔧 Configuration

Environment variables:

DT_URL - Dependency-Track server URL
DT_API_KEY - Dependency-Track API key
PORT - Server port (default: 8888)
FLASK_ENV - Set to 'development' for debug mode

🔗 GitLab CI/CD Integration

Example GitLab CI job for SBOM upload:

sbom_upload:
  stage: security
  script:
    - |
      curl -X POST $SBOM_VALIDATOR_URL/api/v1/sbom/upload \
        -F "district=$DISTRICT" \
        -F "business_line=$BUSINESS_LINE" \
        -F "project_name=$CI_PROJECT_NAME" \
        -F "version=$CI_COMMIT_TAG" \
        -F "gitlab_project_id=$CI_PROJECT_ID" \
        -F "gitlab_pipeline_id=$CI_PIPELINE_ID" \
        -F "commit_sha=$CI_COMMIT_SHA" \
        -F "branch=$CI_COMMIT_REF_NAME" \
        -F "sbom=@sbom.json"
  only:
    - tags