Sonatype · Capability

Sonatype Lifecycle Public REST API — CycloneDX

Sonatype Lifecycle Public REST API — CycloneDX. 2 operations. Lead operation: CycloneDX. Self-contained Naftiko capability covering one Sonatype business surface.


What You Can Do

GET /v1/api/v2/cyclonedx/{cdxversion}/{applicationid}/reports/{reportid}
Getbyreportid — Use this method to generate a CycloneDX SBOM for an application.

Permissions Required: View IQ Elements

GET /v1/api/v2/cyclonedx/{cdxversion}/{applicationid}/stages/{stageid}
Getlatest — Use this method to generate a CycloneDX SBOM for an application.

Permissions Required: View IQ Elements

MCP Tools

use-this-method-generate-cyclonedx

Use this method to generate a CycloneDX SBOM for an application.

Permissions Required: View IQ Elements

read-only idempotent

use-this-method-generate-cyclonedx-2

Use this method to generate a CycloneDX SBOM for an application.

Permissions Required: View IQ Elements

read-only idempotent

Capability Spec

lifecycle-cyclonedx.yaml
naftiko: 1.0.0-alpha2
info:
  label: Sonatype Lifecycle Public REST API — CycloneDX
  description: 'Sonatype Lifecycle Public REST API — CycloneDX. 2 operations. Lead operation: CycloneDX. Self-contained Naftiko
    capability covering one Sonatype business surface.'
  tags:
  - Sonatype
  - CycloneDX
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    SONATYPE_API_KEY: SONATYPE_API_KEY
capability:
  consumes:
  - type: http
    namespace: lifecycle-cyclonedx
    baseUri: ''
    description: Sonatype Lifecycle Public REST API — CycloneDX business capability. Self-contained, no shared references.
    resources:
    - name: api-v2-cycloneDx-cdxVersion-applicationId-reports-reportId
      path: /api/v2/cycloneDx/{cdxVersion}/{applicationId}/reports/{reportId}
      operations:
      - name: getbyreportid
        method: GET
        description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: applicationId
          in: path
          type: string
          description: Enter the internal applicationId for the application you want to generate the SBOM. You can also retrieve
            the applicationId using the Application REST API.
          required: true
        - name: reportId
          in: path
          type: string
          description: Enter the reportId to generate the SBOM for the application for a specific scan report.
          required: true
        - name: cdxVersion
          in: path
          type: string
          description: Possible values are 1.1|1.2|1.3|1.4|1.5|1.6.
          required: true
    - name: api-v2-cycloneDx-cdxVersion-applicationId-stages-stageId
      path: /api/v2/cycloneDx/{cdxVersion}/{applicationId}/stages/{stageId}
      operations:
      - name: getlatest
        method: GET
        description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: applicationId
          in: path
          type: string
          description: Enter the internal applicationId for the application you want to generate the SBOM. You can also retrieve
            the applicationId using the Application REST API.
          required: true
        - name: stageId
          in: path
          type: string
          description: Enter the stageId to generate the SBOM based on the latest application policy evaluation at that stage.
            Allowed values for stageId are 'develop', 'source', 'bui
          required: true
        - name: cdxVersion
          in: path
          type: string
          description: Possible values are 1.1|1.2|1.3|1.4|1.5|1.6.
          required: true
    authentication:
      type: bearer
      token: '{{env.SONATYPE_API_KEY}}'
  exposes:
  - type: rest
    namespace: lifecycle-cyclonedx-rest
    port: 8080
    description: REST adapter for Sonatype Lifecycle Public REST API — CycloneDX. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/api/v2/cyclonedx/{cdxversion}/{applicationid}/reports/{reportid}
      name: api-v2-cyclonedx-cdxversion-applicationid-reports-reportid
      description: REST surface for api-v2-cycloneDx-cdxVersion-applicationId-reports-reportId.
      operations:
      - method: GET
        name: getbyreportid
        description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
        call: lifecycle-cyclonedx.getbyreportid
        with:
          applicationId: rest.applicationId
          reportId: rest.reportId
          cdxVersion: rest.cdxVersion
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/cyclonedx/{cdxversion}/{applicationid}/stages/{stageid}
      name: api-v2-cyclonedx-cdxversion-applicationid-stages-stageid
      description: REST surface for api-v2-cycloneDx-cdxVersion-applicationId-stages-stageId.
      operations:
      - method: GET
        name: getlatest
        description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
        call: lifecycle-cyclonedx.getlatest
        with:
          applicationId: rest.applicationId
          stageId: rest.stageId
          cdxVersion: rest.cdxVersion
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: lifecycle-cyclonedx-mcp
    port: 9090
    transport: http
    description: MCP adapter for Sonatype Lifecycle Public REST API — CycloneDX. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: use-this-method-generate-cyclonedx
      description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-cyclonedx.getbyreportid
      with:
        applicationId: tools.applicationId
        reportId: tools.reportId
        cdxVersion: tools.cdxVersion
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-generate-cyclonedx-2
      description: 'Use this method to generate a CycloneDX SBOM for an application.<p>Permissions Required: View IQ Elements'
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-cyclonedx.getlatest
      with:
        applicationId: tools.applicationId
        stageId: tools.stageId
        cdxVersion: tools.cdxVersion
      outputParameters:
      - type: object
        mapping: $.