DependencyTrack · sahibamittal · Mar 10, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/api/src/main/openapi/components/schemas/component-project.yaml b/api/src/main/openapi/components/schemas/component-project.yaml
@@ -0,0 +1,27 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  name:
+    type: string
+    maxLength: 255
+  version:
+    type: string
+    maxLength: 255
+  uuid:
+    type: string
+    format: uuid
diff --git a/api/src/main/openapi/components/schemas/dependency-metrics.yaml b/api/src/main/openapi/components/schemas/dependency-metrics.yaml
@@ -0,0 +1,96 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  critical:
+    type: integer
+    format: int32
+  high:
+    type: integer
+    format: int32
+  medium:
+    type: integer
+    format: int32
+  low:
+    type: integer
+    format: int32
+  unassigned:
+    type: integer
+    format: int32
+  vulnerabilities:
+    type: integer
+    format: int32
+  suppressed:
+    type: integer
+    format: int32
+  inherited_risk_score:
+    type: number
+    format: double
+  findings_total:
+    type: integer
+    format: int32
+  findings_audited:
+    type: integer
+    format: int32
+  findings_unaudited:
+    type: integer
+    format: int32
+  policy_violations_fail:
+    type: integer
+    format: int32
+  policy_violations_warn:
+    type: integer
+    format: int32
+  policy_violations_info:
+    type: integer
+    format: int32
+  policy_violations_total:
+    type: integer
+    format: int32
+  policy_violations_audited:
+    type: integer
+    format: int32
+  policy_violations_unaudited:
+    type: integer
+    format: int32
+  policy_violations_security_total:
+    type: integer
+    format: int32
+  policy_violations_security_audited:
+    type: integer
+    format: int32
+  policy_violations_security_unaudited:
+    type: integer
+    format: int32
+  policy_violations_license_total:
+    type: integer
+    format: int32
+  policy_violations_license_audited:
+    type: integer
+    format: int32
+  policy_violations_license_unaudited:
+    type: integer
+    format: int32
+  policy_violations_operational_total:
+    type: integer
+    format: int32
+  policy_violations_operational_audited:
+    type: integer
+    format: int32
+  policy_violations_operational_unaudited:
+    type: integer
+    format: int32
diff --git a/api/src/main/openapi/components/schemas/list-components-response-item.yaml b/api/src/main/openapi/components/schemas/list-components-response-item.yaml
@@ -55,13 +55,13 @@ properties:
     maxLength: 255
   resolved_license:
     $ref: "./license.yaml"
-  occurrence_count:
-    type: integer
-    format: int64
-    minimum: 0
   last_inherited_risk_score:
     type: number
     format: double
   uuid:
     type: string
-    format: uuid
+    format: uuid
+  project:
+    $ref: "./component-project.yaml"
+  metrics:
+    $ref: "./dependency-metrics.yaml"
diff --git a/api/src/main/openapi/components/schemas/list-project-components-response-item.yaml b/api/src/main/openapi/components/schemas/list-project-components-response-item.yaml
@@ -0,0 +1,67 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  name:
+    type: string
+    maxLength: 255
+  version:
+    type: string
+    maxLength: 255
+  group:
+    type: string
+    maxLength: 255
+  classifier:
+    type: string
+    maxLength: 255
+  hashes:
+    $ref: "./hashes.yaml"
+  cpe:
+    type: string
+    maxLength: 255
+  purl:
+    type: string
+    maxLength: 1024
+  swid_tag_id:
+    type: string
+    maxLength: 255
+  internal:
+    type: boolean
+  copyright:
+    type: string
+    maxLength: 255
+  license:
+    type: string
+    maxLength: 255
+  license_expression:
+    type: string
+    maxLength: 255
+  license_url:
+    type: string
+    maxLength: 255
+  resolved_license:
+    $ref: "./license.yaml"
+  occurrence_count:
+    type: integer
+    format: int64
+    minimum: 0
+  last_inherited_risk_score:
+    type: number
+    format: double
+  uuid:
+    type: string
+    format: uuid
diff --git a/api/src/main/openapi/components/schemas/list-project-components-response.yaml b/api/src/main/openapi/components/schemas/list-project-components-response.yaml
@@ -0,0 +1,26 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+allOf:
+- $ref: "./paginated-response.yaml"
+properties:
+  items:
+    type: array
+    items:
+      $ref: "./list-project-components-response-item.yaml"
+required:
+- items
diff --git a/api/src/main/openapi/paths/components.yaml b/api/src/main/openapi/paths/components.yaml
@@ -43,5 +43,114 @@ post:
       $ref: "../components/responses/generic-forbidden-error.yaml"
     "409":
       $ref: "../components/responses/generic-conflict-error.yaml"
+    default:
+      $ref: "../components/responses/generic-error.yaml"
+
+get:
+  operationId: listComponents
+  summary: List all components
+  description: |-
+    Retrieves a list of all components that have the specified component identity. This resource accepts coordinates (group, name, version) or purl, cpe, or swidTagId.
+
+    ### Sortable fields
+
+    Sorting is supported for the following fields:
+
+    * `name`
+    * `version`
+    * `group`
+    * `purl`
+    * `cpe`
+    * `swid_tag_id`
+    * `last_inherited_risk_score`
+
+    Requires permission <strong>VIEW_PORTFOLIO</strong>
+  tags:
+    - Components
+  parameters:
+    - name: project_uuid
+      in: query
+      description: The UUID of the project to retrieve components for
+      schema:
+        type: string
+        format: uuid
+    - name: group
+      in: query
+      description: The group of the component
+      schema:
+        type: string
+    - name: name
+      in: query
+      description: The name of the component
+      schema:
+        type: string
+    - name: version
+      in: query
+      description: The version of the component
+      schema:
+        type: string
+    - name: purl
+      in: query
+      description: The PURL of the component
+      schema:
+        type: string
+    - name: cpe
+      in: query
+      description: The CPE of the component
+      schema:
+        type: string
+    - name: swid_tag_id
+      in: query
+      description: The SWID Tag ID of the component
+      schema:
+        type: string
+    - name: hash_type
+      in: query
+      description: The MD5, SHA1, SHA_256, SHA_384, SHA_512, SHA3_256, SHA3_384, SHA3_512, BLAKE2B_256, BLAKE2B_384, BLAKE2B_512, or BLAKE3 hash type of the component
+      schema:
+        type: string
+        enum:
+          - MD5
+          - SHA1
+          - SHA_256
+          - SHA_384
+          - SHA_512
+          - SHA3_256
+          - SHA3_384
+          - SHA3_512
+          - BLAKE2B_256
+          - BLAKE2B_384
+          - BLAKE2B_512
+          - BLAKE3
+    - name: hash
+      in: query
+      description: The hash value of the component
+      schema:
+        type: string
+    - $ref: "../components/parameters/pagination-limit.yaml"
+    - $ref: "../components/parameters/page-token.yaml"
+    - $ref: "../components/parameters/sort-direction.yaml"
+    - $ref: "../components/parameters/sort-by.yaml"
+  responses:
+    "200":
+      description: A list of all components for a given identity
+      content:
+        application/json:
+          schema:
+            $ref: "../components/schemas/list-components-response.yaml"
+    "400":
+      description: Bad Request
+      content:
+        application/problem+json:
+          schema:
+            anyOf:
+              - $ref: "../components/schemas/json-schema-validation-problem-details.yaml"
+              - $ref: "../components/schemas/problem-details.yaml"
+    "401":
+      $ref: "../components/responses/generic-unauthorized-error.yaml"
+    "403":
+      $ref: "../components/responses/generic-forbidden-error.yaml"
+    "404":
+      $ref: "../components/responses/generic-not-found-error.yaml"
     default:
       $ref: "../components/responses/generic-error.yaml"
diff --git a/api/src/main/openapi/paths/projects_uuid_components.yaml b/api/src/main/openapi/paths/projects_uuid_components.yaml
@@ -46,7 +46,7 @@ get:
       content:
         application/json:
           schema:
-            $ref: "../components/schemas/list-components-response.yaml"
+            $ref: "../components/schemas/list-project-components-response.yaml"
     "401":
       $ref: "../components/responses/generic-unauthorized-error.yaml"
     "403":