Compare the license data found for a list of packages (given as PURL strings) with the contents of a configurable license policy,
returning information about license data which does not comply with the license allow list.
Example request body:
{
"components": [
{
"purl": "pkg:npm/[email protected]"
},
{
"purl": "pkg:npm/[email protected]"
}
],
"allow": [
"permissive",
"pkg:npm/lodash?file_name=foo/test/*&version_glob=4.17.*"
],
"warn": [
"copyleft",
"pkg:npm/lodash?file_name=foo/prod/*&version_glob=4.14.*"
],
"options": ["toplevelOnly"]
}
Return value
For each requested PURL, an array is returned. Each array contains a list of license policy violations
detected for the requested PURL.
Violations are accompanied by a string identifying the offending license data as spdxAtomOrExtraData,
a message describing why the license data is believed to be incompatible with the license policy, and a list
of locations (by filepath or other provenance information) where the offending license data may be found.
Array<
Array<{
purl: string,
spdxAtomOrExtraData: string,
violationExplanation: string,
filepathOrProvenance: Array<string>
level: "warning" | "violation"
}>
>
License policy schema
{
allow?: Array<string>
warn?: Array<string>
options?: Array<string>
}
Elements of the allow and warn arrays strings representing items which should be allowed, or which should trigger a warning; license data found in pacakge which not present in either array will produce a license violation (effectively a "hard" error). For example, to allow Apache-2.0 and MIT to the allow list, simply add the strings "Apache-2.0" and "MIT" to the allow array. Strings appearing in these arrays are generally "what you see is what you get", with two important exceptions: strings which are recognized as license classes and strings which are recognized as PURLs are handled differently to allow for more flexible license policy creation.
License Classes
Strings which are license classes will expand to a list of licenses known to be in that particular license class. Recognized license classes are:
'permissive',
'permissive (model)',
'permissive (gold)',
'permissive (silver)',
'permissive (bronze)',
'permissive (lead)',
'copyleft',
'maximal copyleft',
'network copyleft',
'strong copyleft',
'weak copyleft',
'contributor license agreement',
'public domain',
'proprietary free',
'source available',
'proprietary',
'commercial',
'patent'
Users can learn more about copyleft tiers and permissive tiers by reading the linked resources.
PURLs
Users may also modify their license policy's allow and warn lists by using package URLs (aka PURLs), which support glob patterns to allow a range of versions, files and directories, etc.
purl qualifiers which support globs are filename, version_glob, artifact_id and license_provenance (primarily used for allowing data from registry metadata).
Examples:
Allow all license data found in a specific version of a package 4.14.1: pkg:npm/[email protected]
Allow all license data found in a version range of a package: pkg:npm/lodash?version_glob=15.*
Allow all license data in the test directory of a given package for certain version ranges: pkg:npm/lodash@15.*.*?file_name=lodash/test/*
Allow all license data taken from the package registry for a package and version range: pkg:npm/lodash?version_glob=*&license_provenance=registry_metadata
Available options
toplevelOnly: only apply the license policy to "top level" license data in a package, which includes registry metadata, LICENSE files, and manifest files which are closest to the root of the package.
applyToUnidentified: Apply license policy to found but unidentified license data. If enabled, the license policy will be applied to license data which could not be affirmatively identified as a known license (this will effectively merge the license policy violation and unidentified license alerts). If disabled, license policy alerts will only be shown for license data which is positively identified as something not allowed or set to warn by the license policy.
This endpoint consumes 100 units of your quota.
This endpoint requires the following org token scopes:
- packages:list
- license-policy:read