API Deployment
The CBOM API is a Spring Boot application that handles asset ingestion, risk classification, compliance evaluation, CycloneDX export, and user authentication. It runs on port 9090 by default.
Environment Variables
Create a `.env` file from the template:

```bash
cd cbom/api
cp .env.template .env
```

| Variable | Description | Default |
|---|---|---|
| `CBOM_PORT` | API server port | 9090 |
| `MONGODB_URI` | MongoDB connection string | mongodb://localhost:27017/cbom |
| `CBOM_JWT_SECRET` | JWT signing secret (min 32 chars) | Dev default (change in prod) |
| `CBOM_JWT_EXPIRATION_HOURS` | Token expiration | 24 |
| `CBOM_CORS_ORIGINS` | Allowed CORS origins (comma-separated) | http://localhost:4200,http://localhost:9090 |
| `CBOM_SMTP_HOST` | SMTP server for alert emails | smtp.gmail.com |
| `CBOM_SMTP_PORT` | SMTP port | 587 |
| `CBOM_SMTP_USERNAME` | SMTP username | — |
| `CBOM_SMTP_PASSWORD` | SMTP password | — |
| `CBOM_ALERT_EMAIL_ENABLED` | Enable email alerts | false |
| `CBOM_ALERT_EMAIL_TO` | Alert recipient email | — |
Running
Development

```bash
cd cbom/api
mvn spring-boot:run
```

The dev profile enables:
- CORS for `localhost:4200` (Angular dev server)
- Swagger UI at `/swagger-ui.html`
- API docs at `/api-docs`
Production
```bash
java -jar cbom-api.jar --spring.profiles.active=prod
```

The prod profile enables:
- Embedded Angular UI (served from classpath `/static/`)
- CORS disabled (same-origin)
- Response compression (HTML, CSS, JS, JSON)
- Static resource caching (1 year max-age)
Spring Profiles
| Profile | Use Case |
|---|---|
| `dev` (default) | Local development, CORS enabled, Swagger enabled |
| `prod` | Production, embedded UI, compression, no CORS |
MongoDB Setup
The API connects to MongoDB using the `MONGODB_URI` environment variable.

```bash
# Docker (development)
docker run -d \
  --name cbom-mongo \
  -p 27017:27017 \
  -v cbom-data:/data/db \
  mongo:7

# Connection string for replica set (production)
MONGODB_URI=mongodb://user:pass@host1:27017,host2:27017/cbom?replicaSet=rs0&authSource=admin
```

The API auto-creates the `cbom` database and `crypto_assets` collection with required indexes on first startup.
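A pre-flight check for a production `.env`, covering the variables in the Environment Variables table and the `MONGODB_URI` forms shown above. This is an added example, not part of the CBOM project's code. The function names `parse_env` and `check_env`, the distinct-character threshold, and the policy of flagging a URI without credentials are assumptions of this example, and the sample file is constructed.

```python
def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_env(env):
    """Return findings for a production .env; an empty list means none."""
    findings = []
    secret = env.get("CBOM_JWT_SECRET", "")
    if not secret:
        findings.append("CBOM_JWT_SECRET unset: dev default would sign tokens")
    elif len(secret) < 32:
        findings.append("CBOM_JWT_SECRET shorter than the 32-char minimum")
    elif len(set(secret)) < 10:  # assumption: heuristic for padded secrets
        findings.append("CBOM_JWT_SECRET has few distinct characters")

    uri = env.get("MONGODB_URI", "")
    authority = uri.split("://", 1)[-1].split("/", 1)[0]  # userinfo + hosts
    if not uri:
        findings.append("MONGODB_URI unset: default URI has no credentials")
    elif "@" not in authority:
        findings.append("MONGODB_URI carries no credentials")

    if env.get("CBOM_ALERT_EMAIL_ENABLED", "false").lower() == "true":
        for key in ("CBOM_SMTP_USERNAME", "CBOM_SMTP_PASSWORD", "CBOM_ALERT_EMAIL_TO"):
            if not env.get(key):
                findings.append(f"{key} empty while email alerts are enabled")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_ENV = """\
MONGODB_URI=mongodb://host1:27017,host2:27017/cbom?replicaSet=rs0
CBOM_JWT_SECRET=changeme-changeme
CBOM_ALERT_EMAIL_ENABLED=true
CBOM_SMTP_USERNAME=alerts@example.org
CBOM_ALERT_EMAIL_TO=secops@example.org
"""

if __name__ == "__main__":
    for finding in check_env(parse_env(SAMPLE_ENV)):
        print("FINDING:", finding)
```

Running it before `java -jar cbom-api.jar --spring.profiles.active=prod` and refusing to start on any finding keeps a half-edited template out of production.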
API Endpoints
Key endpoint groups:
| Path | Purpose |
|---|---|
| `POST /api/ingest` | Sensor asset ingestion |
| `GET /api/assets` | Query crypto assets |
| `GET /api/analytics/*` | Dashboard analytics |
| `GET /api/export/cyclonedx` | CycloneDX v1.6 export |
| `GET /api/bom-link/*` | BOM-Link URN operations |
| `GET /api/relationships/*` | Asset relationship queries |
| `POST /api/attestations/*` | Compliance attestations |
| `GET /api/sensors` | Sensor management |
| `GET /api/schedules` | Scan schedules |
| `GET /api/alerts` | Alert management |
| `POST /api/auth/*` | Authentication (login, register) |
| `GET /api/settings` | Platform settings |
| `GET /api/quantum-risk/rules` | Risk classification rules |
Full API documentation is available at `/swagger-ui.html` when running in dev mode.
Health Check
```bash
curl http://localhost:9090/actuator/health
```

Related
- Architecture — How the API fits in the system
- Sensor Deployment — Configure sensors to push to this API
- UI Deployment — Frontend setup