# SBOM Projection Read API (LNM v1)

- **Endpoint:** `GET /sboms/{snapshotId}/projection?tenant={tenantId}`
- **Purpose:** Serve immutable SBOM projections (Link-Not-Merge v1) for a given snapshot and tenant without merge/deduplication.
- **Response 200:**

  ```json
  {
    "snapshotId": "snap-001",
    "tenantId": "tenant-a",
    "schemaVersion": "1.0.0",
    "hash": "<sha256 of projection payload>",
    "projection": { /* LNM v1 projection payload */ }
  }
  ```

- **Errors:**
  - 400 when `snapshotId` or `tenant` is missing or blank.
  - 404 when no projection exists for the given snapshot/tenant.
- **Determinism & integrity:**
  - The payload is served exactly as stored in fixtures or the repository; the hash is computed over the canonical JSON.
  - No mutation/merge logic is applied.
- **Auth/tenant:** Tenant scoping is enforced in the upstream gateway; this service requires an explicit `tenant` query param and matches it against the stored tenant id.
- **Fixtures:** `docs/modules/sbomservice/fixtures/lnm-v1/projections.json` (hashes in `SHA256SUMS`).
- **Metrics:** TBD in observability doc; to be added when backed by persistent store.
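The read path above (parameter validation, tenant match against the stored id, hash over canonical JSON, no merge) as an added reference example; this is not the service's own code. It assumes an in-memory stand-in for the projections fixture and uses sorted-key compact JSON as the canonical form, which is an assumption since the page does not name a canonicalization scheme.

```python
import hashlib
import json

# Constructed stand-in for docs/modules/sbomservice/fixtures/lnm-v1/projections.json
FIXTURES = [
    {
        "snapshotId": "snap-001",
        "tenantId": "tenant-a",
        "schemaVersion": "1.0.0",
        "projection": {"format": "lnm-v1", "links": [{"from": "pkg:a", "to": "pkg:b"}]},
    },
]


def canonical_json(value) -> bytes:
    """Assumed canonical form for hashing: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def projection_hash(projection) -> str:
    """sha256 over the canonical JSON of the projection payload only (not the envelope)."""
    return hashlib.sha256(canonical_json(projection)).hexdigest()


def _blank(value) -> bool:
    return value is None or not str(value).strip()


def get_projection(snapshot_id, tenant):
    """Handle GET /sboms/{snapshotId}/projection?tenant={tenantId}; returns (status, body)."""
    # 400: both identifiers are mandatory and must not be whitespace-only.
    if _blank(snapshot_id) or _blank(tenant):
        return 400, {"error": "snapshotId and tenant are required"}
    for fx in FIXTURES:
        # The stored tenant id must match the explicit query param; the path alone is not enough.
        if fx["snapshotId"] == snapshot_id and fx["tenantId"] == tenant:
            return 200, {
                "snapshotId": fx["snapshotId"],
                "tenantId": fx["tenantId"],
                "schemaVersion": fx["schemaVersion"],
                "hash": projection_hash(fx["projection"]),
                "projection": fx["projection"],  # served as stored; no merge/dedup applied
            }
    # 404: no projection for this snapshot/tenant pair (a wrong tenant also lands here).
    return 404, {"error": "projection not found"}
```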