Sonatype · Capability

Sonatype Lifecycle Public REST API — Component Search

Sonatype Lifecycle Public REST API — Component Search. 3 operations. Lead operation: Component Search. Self-contained Naftiko capability covering one Sonatype business surface.

What You Can Do

GET /v1/api/v2/componentsearch/cveaffectedcomponents
Getcveaffectedcomponents — Retrieve paginated list of applications containing components affected by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-2). Default page number is 1, defaul

GET /v1/api/v2/componentsearch/downloadcomponentsearchreport
Exportcomponentsearchreport — Export component search results as CSV (streaming). Identifies applications containing components affected by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-

GET /v1/api/v2/search/component
Searchcomponent — Use this method to retrieve the component details from the application evaluation reports by specifying the component search parameters, format and evaluation stage. You can specify the component search parameters in any one of the 3 ways:<

MCP Tools

retrieve-paginated-list-applications-containing

Retrieve paginated list of applications containing components affected by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-2). Default page number is 1, defaul

read-only idempotent

export-component-search-results-csv

Export component search results as CSV (streaming). Identifies applications containing components affected by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-

read-only idempotent

use-this-method-retrieve-component

Use this method to retrieve the component details from the application evaluation reports by specifying the component search parameters, format and evaluation stage. You can specify the component search parameters in any one of the 3 ways:<

read-only idempotent

Capability Spec

lifecycle-component-search.yaml
naftiko: 1.0.0-alpha2
info:
  label: Sonatype Lifecycle Public REST API — Component Search
  description: 'Sonatype Lifecycle Public REST API — Component Search. 3 operations. Lead operation: Component Search. Self-contained
    Naftiko capability covering one Sonatype business surface.'
  tags:
  - Sonatype
  - Component Search
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    SONATYPE_API_KEY: SONATYPE_API_KEY
capability:
  consumes:
  - type: http
    namespace: lifecycle-component-search
    baseUri: ''
    description: Sonatype Lifecycle Public REST API — Component Search business capability. Self-contained, no shared references.
    resources:
    - name: api-v2-componentSearch-cveAffectedComponents
      path: /api/v2/componentSearch/cveAffectedComponents
      operations:
      - name: getcveaffectedcomponents
        method: GET
        description: Retrieve paginated list of applications containing components affected by one or more CVEs. Multiple
          CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-2). Default
          page number is 1, defaul
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: cveId
          in: query
          type: array
          description: CVE identifier(s). Can be specified multiple times for multiple CVEs.
          required: true
        - name: pageNumber
          in: query
          type: integer
          description: 'Page number (1-indexed, minimum: 1, default: 1)'
        - name: pageSize
          in: query
          type: integer
          description: 'Number of items per page (1-1000, default: 10)'
        - name: sortBy
          in: query
          type: string
          description: 'Sort field: applicationName, applicationId, componentName, evaluationDate, stage, activeWaiver, violating,
            cveId. When not specified, sorts by applicationName ('
        - name: sortOrder
          in: query
          type: string
          description: 'Sort order: asc or desc, default: asc'
    - name: api-v2-componentSearch-downloadComponentSearchReport
      path: /api/v2/componentSearch/downloadComponentSearchReport
      operations:
      - name: exportcomponentsearchreport
        method: GET
        description: Export component search results as CSV (streaming). Identifies applications containing components affected
          by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: cveId
          in: query
          type: array
          description: CVE identifier(s). Can be specified multiple times for multiple CVEs. Defaults to CVE-2025-55182 if
            not specified.
    - name: api-v2-search-component
      path: /api/v2/search/component
      operations:
      - name: searchcomponent
        method: GET
        description: Use this method to retrieve the component details from the application evaluation reports by specifying
          the component search parameters, format and evaluation stage. You can specify the component search parameters in
          any one of the 3 ways:<
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: stageId
          in: query
          type: string
          description: Specify the evaluation report stage.
          required: true
        - name: hash
          in: query
          type: string
          description: Enter the component hash.
        - name: componentIdentifier
          in: query
          type: string
          description: Specify the componentIdentifier object containing the format and coordinates.
        - name: packageUrl
          in: query
          type: string
          description: Enter the packageUrl.
    authentication:
      type: bearer
      token: '{{env.SONATYPE_API_KEY}}'
  exposes:
  - type: rest
    namespace: lifecycle-component-search-rest
    port: 8080
    description: REST adapter for Sonatype Lifecycle Public REST API — Component Search. One Spectral-compliant resource per
      consumed operation, prefixed with /v1.
    resources:
    - path: /v1/api/v2/componentsearch/cveaffectedcomponents
      name: api-v2-componentsearch-cveaffectedcomponents
      description: REST surface for api-v2-componentSearch-cveAffectedComponents.
      operations:
      - method: GET
        name: getcveaffectedcomponents
        description: Retrieve paginated list of applications containing components affected by one or more CVEs. Multiple
          CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-2). Default
          page number is 1, defaul
        call: lifecycle-component-search.getcveaffectedcomponents
        with:
          cveId: rest.cveId
          pageNumber: rest.pageNumber
          pageSize: rest.pageSize
          sortBy: rest.sortBy
          sortOrder: rest.sortOrder
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/componentsearch/downloadcomponentsearchreport
      name: api-v2-componentsearch-downloadcomponentsearchreport
      description: REST surface for api-v2-componentSearch-downloadComponentSearchReport.
      operations:
      - method: GET
        name: exportcomponentsearchreport
        description: Export component search results as CSV (streaming). Identifies applications containing components affected
          by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-
        call: lifecycle-component-search.exportcomponentsearchreport
        with:
          cveId: rest.cveId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/search/component
      name: api-v2-search-component
      description: REST surface for api-v2-search-component.
      operations:
      - method: GET
        name: searchcomponent
        description: Use this method to retrieve the component details from the application evaluation reports by specifying
          the component search parameters, format and evaluation stage. You can specify the component search parameters in
          any one of the 3 ways:<
        call: lifecycle-component-search.searchcomponent
        with:
          stageId: rest.stageId
          hash: rest.hash
          componentIdentifier: rest.componentIdentifier
          packageUrl: rest.packageUrl
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: lifecycle-component-search-mcp
    port: 9090
    transport: http
    description: MCP adapter for Sonatype Lifecycle Public REST API — Component Search. One tool per consumed operation, routed
      inline through this capability's consumes block.
    tools:
    - name: retrieve-paginated-list-applications-containing
      description: Retrieve paginated list of applications containing components affected by one or more CVEs. Multiple CVE
        IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-2). Default page
        number is 1, defaul
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-component-search.getcveaffectedcomponents
      with:
        cveId: tools.cveId
        pageNumber: tools.pageNumber
        pageSize: tools.pageSize
        sortBy: tools.sortBy
        sortOrder: tools.sortOrder
      outputParameters:
      - type: object
        mapping: $.
    - name: export-component-search-results-csv
      description: Export component search results as CSV (streaming). Identifies applications containing components affected
        by one or more CVEs. Multiple CVE IDs can be specified using multiple cveId query parameters (e.g., ?cveId=CVE-2025-1&cveId=CVE-2025-
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-component-search.exportcomponentsearchreport
      with:
        cveId: tools.cveId
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-retrieve-component
      description: Use this method to retrieve the component details from the application evaluation reports by specifying
        the component search parameters, format and evaluation stage. You can specify the component search parameters in any
        one of the 3 ways:<
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-component-search.searchcomponent
      with:
        stageId: tools.stageId
        hash: tools.hash
        componentIdentifier: tools.componentIdentifier
        packageUrl: tools.packageUrl
      outputParameters:
      - type: object
        mapping: $.