Compare the license data found for a list of packages (given as PURL strings) with a configurable license allow list,
returning information about any license data that does not comply with the allow list.
Allow List Schema
{
allowedApprovalSources?: Array<"fsf" | "osi">,
allowedFamilies?: Array<"copyleft" | "permissive">,
allowedTiers?: Array<PermissiveTier | CopyleftTier>,
allowedStrings?: Array<string>,
allowedPURLs?: Array<string>,
focusAlertsHere?: boolean
}
where
PermissiveTier ::= "model permissive" | "gold" | "silver" | "bronze" | "lead"
CopyleftTier ::= "maximal copyleft" | "network copyleft" | "strong copyleft" | "weak copyleft"
Readers can learn more about copyleft tiers and permissive tiers by reading the linked resources.
Return value
For each requested PURL, an array is returned. Each array contains a list of license policy violations
detected for the requested PURL.
Each violation is accompanied by a string identifying the offending license data (spdxAtomOrExtraData),
a message describing why the license data is believed to be incompatible with the license policy, and a list
of locations (by filepath or other provenance information) where the offending license data may be found.
Array<
Array<{
purl: string,
spdxAtomOrExtraData: string,
violationExplanation: string,
filepathOrProvenance: Array<string>
}>
>
Example request bodies:
{
"components": [
{
"purl": "pkg:pypi/[email protected]?artifact_id=tar-gz"
},
{
"purl": "pkg:npm/[email protected]"
}
],
"license_allow_list": {
"allowedApprovalSources": ["fsf", "osi"],
"allowedFamilies": ["permissive"],
"allowedStrings": ["License :: OSI Approved :: BSD License", "UniqueLicense-2.0"]
}
}
This endpoint consumes 100 units of your quota.
This endpoint requires the following org token scopes:
- packages:list
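As an added example (not code from the API's own documentation or client library), the following checks an allow list against the schema above before it is sent, so a misspelled key or tier value does not silently produce a looser policy than intended, and flattens the endpoint's nested return value into a per-PURL report. The sample response is constructed to match the documented shape, not real data.

```python
from typing import Any

# Valid enum values, taken from the allow-list schema above.
PERMISSIVE_TIERS = {"model permissive", "gold", "silver", "bronze", "lead"}
COPYLEFT_TIERS = {"maximal copyleft", "network copyleft", "strong copyleft", "weak copyleft"}
ENUM_KEYS = {
    "allowedApprovalSources": {"fsf", "osi"},
    "allowedFamilies": {"copyleft", "permissive"},
    "allowedTiers": PERMISSIVE_TIERS | COPYLEFT_TIERS,
}
STRING_LIST_KEYS = {"allowedStrings", "allowedPURLs"}


def validate_allow_list(allow_list: dict[str, Any]) -> list[str]:
    """Return schema problems found in an allow list; an empty list means it is well-formed."""
    problems: list[str] = []
    for key, value in allow_list.items():
        if key in ENUM_KEYS:
            bad = [v for v in value if v not in ENUM_KEYS[key]]
            problems += [f"{key}: unknown value {v!r}" for v in bad]
        elif key in STRING_LIST_KEYS:
            if not all(isinstance(v, str) for v in value):
                problems.append(f"{key}: every entry must be a string")
        elif key == "focusAlertsHere":
            if not isinstance(value, bool):
                problems.append("focusAlertsHere: must be a boolean")
        else:
            # Unknown keys (often typos) would otherwise be ignored rather than enforced.
            problems.append(f"unknown key {key!r}")
    return problems


def summarize_violations(response: list[list[dict[str, Any]]]) -> dict[str, list[str]]:
    """Flatten Array<Array<violation>> into {purl: ["<license>: <why> (<where>)", ...]}.
    A PURL whose inner array is empty had no violations and does not appear in the report."""
    report: dict[str, list[str]] = {}
    for per_purl in response:
        for v in per_purl:
            where = ", ".join(v["filepathOrProvenance"]) or "unknown location"
            report.setdefault(v["purl"], []).append(
                f"{v['spdxAtomOrExtraData']}: {v['violationExplanation']} ({where})")
    return report


# Constructed sample response in the documented shape (hypothetical package and paths).
SAMPLE_RESPONSE = [
    [],  # first requested PURL: no violations
    [{"purl": "pkg:npm/example-pkg@1.0.0", "spdxAtomOrExtraData": "GPL-3.0-only",
      "violationExplanation": "copyleft family not in allowedFamilies",
      "filepathOrProvenance": ["package/LICENSE"]}],
]
```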