
add CycloneDX attestation export endpoint #759

Open
akshat4703 wants to merge 7 commits into OWASP:main from akshat4703:akshat/feat-cyclonedx-attestation-export-api

Conversation

@akshat4703

Implements an API endpoint to export OpenCRE mapping results as CycloneDX attestation-compatible JSON.

Why

Issue #499 requests machine-readable export for downstream compliance, audit, and SBOM/attestation workflows.

Changes

  • Added CycloneDX attestation export builder for OpenCRE mapping data.
  • Added new REST endpoint to return CycloneDX-formatted payload.
  • Added request validation and error handling for unsupported/invalid input.
  • Added test coverage for:
    • successful export payload shape
    • empty/no-data behavior
    • invalid request handling
  • Updated OpenAPI docs with the new endpoint and response schema.

Impact

  • Enables automated integration with CycloneDX-aware tooling.
  • Improves portability and interoperability of OpenCRE output.
  • Provides a standards-based export format for enterprise/compliance use cases.

Validation

  • Unit/API tests added and passing for endpoint behavior and schema shape.
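As an added example, not the PR's code and not OpenCRE's own: a minimal Python version of the two pieces the description lists, a builder that turns OpenCRE mapping documents into a CycloneDX BOM-shaped dict, and a format dispatch that rejects unsupported `format` values instead of falling through. The OpenCRE document layout used for the constructed sample, the `SupportedFormats` enum values, and the choice to place each CRE under CycloneDX `definitions.standards` with its linked sections as requirements are assumptions; the real project may map them differently. It also covers the empty/no-data case the description mentions.

```python
"""Added example (not OpenCRE's code): export OpenCRE mapping documents as a
CycloneDX BOM-shaped dict and dispatch on the `format` query value.
Document layout, enum values and CycloneDX field placement are assumptions."""
import json
from enum import Enum
from typing import Optional


class SupportedFormats(Enum):
    """Assumed response formats; reuses the enum name seen in the PR, not its code."""
    JSON = "json"
    OSCAL = "oscal"
    CycloneDX = "cyclonedx"


# Constructed sample shaped like OpenCRE REST documents (assumed layout): one CRE
# linked to a standard section, and one CRE with no links (the empty-data case).
SAMPLE_DOCUMENTS = [
    {
        "doctype": "CRE",
        "id": "123-456",
        "name": "Validate all input",
        "links": [
            {
                "ltype": "Linked To",
                "document": {
                    "doctype": "Standard",
                    "name": "ASVS",
                    "section": "V5.1.1",
                    "hyperlink": "https://example.invalid/asvs/v5.1.1",
                },
            }
        ],
    },
    {"doctype": "CRE", "id": "789-012", "name": "Log security events", "links": []},
]

CYCLONEDX_SPEC_VERSION = "1.6"  # assumed: the spec line that carries definitions/declarations


def _requirement(cre_id: str, link: dict) -> dict:
    """Turn one OpenCRE link to a standard section into a CycloneDX requirement entry."""
    target = link.get("document", {})
    ident = f"{target.get('name', 'unknown')}:{target.get('section', '')}"
    entry = {
        "bom-ref": f"cre-{cre_id}-{ident}",
        "identifier": ident,
        "title": target.get("name", ""),
        "text": target.get("section", ""),
    }
    if target.get("hyperlink"):
        entry["externalReferences"] = [{"type": "documentation", "url": target["hyperlink"]}]
    return entry


def documents_to_cyclonedx(documents: list) -> dict:
    """Build the BOM: each CRE becomes a standard under definitions.standards and
    its linked sections become that standard's requirements. Non-CRE documents
    are skipped; an empty input yields a well-formed BOM with no standards."""
    standards = []
    for doc in documents:
        if doc.get("doctype") != "CRE":
            continue
        cre_id = str(doc.get("id", ""))
        standards.append(
            {
                "bom-ref": f"cre-{cre_id}",
                "name": doc.get("name", ""),
                "version": cre_id,
                "owner": "OpenCRE",
                "requirements": [_requirement(cre_id, link) for link in doc.get("links", [])],
            }
        )
    return {
        "bomFormat": "CycloneDX",
        "specVersion": CYCLONEDX_SPEC_VERSION,
        "version": 1,
        "metadata": {"tools": {"components": [{"type": "application", "name": "opencre-export-example"}]}},
        "definitions": {"standards": standards},
    }


def parse_format(value) -> Optional[SupportedFormats]:
    """Validate the `format` query value; None means unsupported (caller maps it to a 4xx)."""
    try:
        return SupportedFormats(str(value).strip().lower())
    except ValueError:
        return None


def render(documents: list, opt_format) -> dict:
    """Dispatch on the validated format instead of silently falling through."""
    fmt = parse_format(opt_format)
    if fmt is None:
        raise ValueError(f"unsupported format: {opt_format!r}")
    if fmt is SupportedFormats.CycloneDX:
        return documents_to_cyclonedx(documents)
    if fmt is SupportedFormats.JSON:
        return {"data": documents}
    # OSCAL conversion lives elsewhere in the project and is not reproduced here.
    raise NotImplementedError(fmt.value)


if __name__ == "__main__":
    print(json.dumps(render(SAMPLE_DOCUMENTS, "cyclonedx"), indent=2))
```

The dispatch is split into `parse_format` and `render` on purpose: the route can reject an unknown value with a 400 before any database lookup, and every endpoint that grows a `format=cyclonedx` branch shares one validation path rather than its own `elif` chain.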

Copilot AI review requested due to automatic review settings February 26, 2026 06:10

Copilot AI left a comment


Pull request overview

Adds a CycloneDX attestation-compatible JSON export option to existing OpenCRE REST endpoints by extending the format query parameter and emitting CycloneDX BOM-shaped payloads for various document queries.

Changes:

  • Extend supported response formats to include cyclonedx in OpenAPI and server-side format handling.
  • Add CycloneDX BOM builder helpers and wire them into multiple REST endpoints (id, name, node lookup, tags, text search, root CREs).
  • Add/extend unit tests to validate CycloneDX responses for selected endpoints.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

Reviewed files:
  • docs/api/openapi.yaml: adds cyclonedx to the allowed format query enum for several endpoints.
  • application/web/web_main.py: implements CycloneDX BOM generation and returns it when format=cyclonedx is requested across multiple routes.
  • application/tests/web_main_test.py: adds assertions for CycloneDX responses for /rest/v1/id/{creid} and /rest/v1/standard/{name}.
Comments suppressed due to low confidence (1)

application/web/web_main.py:21

  • from application.utils import oscal_utils, redis is imported twice in this file, which is easy to miss now that new imports were added. Please remove the duplicate import to avoid confusion and keep the import section clean.
from application.utils import oscal_utils, redis

from rq import job, exceptions

from application.utils import spreadsheet_parsers
from application.utils import oscal_utils, redis


Comment on lines 490 to +493
elif opt_format == SupportedFormats.OSCAL.value:
return jsonify(json.loads(oscal_utils.list_to_oscal(documents)))
elif opt_format == SupportedFormats.CycloneDX.value:
return jsonify(_documents_to_cyclonedx(documents))
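Review bot: nothing in lines 490 to +493 shows what happens when `opt_format` matches none of the `elif` branches; the PR description claims validation and error handling for unsupported input, so make sure the chain ends in an explicit 4xx for an unknown value rather than falling through to whatever default serialisation follows. Note also the asymmetry with the branch above: the OSCAL path does `json.loads(oscal_utils.list_to_oscal(documents))` because its helper returns a string, while `_documents_to_cyclonedx(documents)` is passed straight to `jsonify`, so the builder must return a dict (not a pre-serialised string) or the response will be a JSON string literal. Since the same `elif` pair is repeated across several routes, a single shared formatter helper would keep the unsupported-format handling in one place.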

Copilot AI Feb 26, 2026


CycloneDX support was added to multiple endpoints (/rest/v1/tags, /rest/v1/text_search, /rest/v1/root_cres), but the new tests only exercise the id and standard routes. Since these new format=cyclonedx branches are separate code paths, please add assertions in the existing tests for these endpoints (or new tests) to cover the CycloneDX response shape and edge cases.

akshat4703 (Author)

@copilot open a new pull request to apply changes based on this feedback

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Akshat Pal <118915075+akshat4703@users.noreply.github.com>
@akshat4703 (Author)

@copilot open a new pull request to apply changes based on the comments in this thread

akshat4703 and others added 4 commits February 26, 2026 12:02
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Akshat Pal <118915075+akshat4703@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Akshat Pal <118915075+akshat4703@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Akshat Pal <118915075+akshat4703@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Akshat Pal <118915075+akshat4703@users.noreply.github.com>
@akshat4703 (Author)

@copilot open a new pull request to apply changes based on the comments in this thread
