Compare the license data found for a list of packages (as PURL strings) with a configurable license allow list,
returning information about license data which does not comply with the license allow list.

Allow List Schema

{
  allowedApprovalSources?: Array<"fsf" | "osi">,
  allowedFamilies?: Array<"copyleft" | "permissive">,
  allowedTiers?: Array<PermissiveTier | CopyleftTier>,
  allowedStrings?: Array<string>,
  allowedPURLs?: Array<string>,
  focusAlertsHere?: boolean
}

where

PermissiveTier ::= "model permissive" | "gold" | "silver" | "bronze" | "lead"
CopyleftTier ::= "maximal copyleft" | "network copyleft" | "strong copyleft" | "weak copyleft"

Readers can learn more about copyleft tiers and permissive tiers by reading the linked resources.

Return value

For each requested PURL, an array is returned. Each array contains a list of license policy violations
detected for the requested PURL.

Violations are accompanied by a string identifying the offending license data as spdxAtomOrExtraData,
a message describing why the license data is believed to be incompatible with the license policy, and a list
of locations (by filepath or other provenance information) where the offending license data may be found.

Array<
  Array<{
    purl: string,
    spdxAtomOrExtraData: string,
    violationExplanation: string,
    filepathOrProvenance: Array<string>
  }>
>

Example request bodies:

{
  "components": [
    {
      "purl": "pkg:pypi/[email protected]?artifact_id=tar-gz"
    },
    {
      "purl": "pkg:npm/[email protected]"
    }
  ],
  "license_allow_list": {
    "allowedApprovalSources": ["fsf", "osi"],
    "allowedFamilies": ["permissive"],
    "allowedStrings": ["License :: OSI Approved :: BSD License", "UniqueLicense-2.0"]
  }
}
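The following is an added example client, not code from the page or from the API vendor. It validates an allow list against the schema above before spending quota, assembles the request body in the shape shown, and turns the Array<Array<violation>> response into a per-PURL report. The endpoint URL is a placeholder (the page does not state it) and the Basic-auth layout (org token as username, empty password) is an assumption; the sample PURLs and response are constructed, not real API output.

```python
"""Added example client for the license-policy endpoint described above.
Everything marked ASSUMED (endpoint URL, auth header layout) is not taken
from the page; the schema enumerations and the response shape are."""
import base64
import json
import urllib.request

# Enumerations copied from the Allow List Schema on this page.
APPROVAL_SOURCES = {"fsf", "osi"}
FAMILIES = {"copyleft", "permissive"}
PERMISSIVE_TIERS = {"model permissive", "gold", "silver", "bronze", "lead"}
COPYLEFT_TIERS = {"maximal copyleft", "network copyleft", "strong copyleft", "weak copyleft"}
ENUM_KEYS = {
    "allowedApprovalSources": APPROVAL_SOURCES,
    "allowedFamilies": FAMILIES,
    "allowedTiers": PERMISSIVE_TIERS | COPYLEFT_TIERS,
}
STRING_LIST_KEYS = ("allowedStrings", "allowedPURLs")

# ASSUMED placeholder: the page does not give the endpoint URL.
API_URL = "https://EXAMPLE-API-HOST/PATH-TO-LICENSE-POLICY-ENDPOINT"


def validate_allow_list(allow_list: dict) -> list[str]:
    """Check an allow list against the schema; returns problems (empty list == valid).
    Catching a typo such as "platinum" locally avoids spending 100 quota units on a
    request that is malformed or that encodes a narrower policy than intended."""
    problems: list[str] = []
    for key, allowed in ENUM_KEYS.items():
        for value in allow_list.get(key, []):
            if value not in allowed:
                problems.append(f"{key}: unknown value {value!r}")
    for key in STRING_LIST_KEYS:
        for value in allow_list.get(key, []):
            if not isinstance(value, str):
                problems.append(f"{key}: non-string entry {value!r}")
    if "focusAlertsHere" in allow_list and not isinstance(allow_list["focusAlertsHere"], bool):
        problems.append("focusAlertsHere: must be a boolean")
    known = set(ENUM_KEYS) | set(STRING_LIST_KEYS) | {"focusAlertsHere"}
    problems.extend(f"unknown key {key!r}" for key in sorted(set(allow_list) - known))
    return problems


def build_request_body(purls: list[str], allow_list: dict) -> dict:
    """Assemble the request body in the shape shown under "Example request bodies"."""
    problems = validate_allow_list(allow_list)
    if problems:
        raise ValueError("invalid license_allow_list: " + "; ".join(problems))
    return {"components": [{"purl": p} for p in purls], "license_allow_list": allow_list}


def summarize_response(purls: list[str], response: list[list[dict]]) -> dict[str, list[dict]]:
    """Map each requested PURL to its violations (an empty list means it complies).
    The response is Array<Array<violation>>, one inner array per requested PURL;
    the purl field carried by each violation is used to cross-check the pairing."""
    if len(response) != len(purls):
        raise ValueError(f"expected {len(purls)} result arrays, got {len(response)}")
    summary: dict[str, list[dict]] = {}
    for purl, violations in zip(purls, response):
        for v in violations:
            if v["purl"] != purl:
                raise ValueError(f"result for {purl} contains a violation for {v['purl']}")
        summary[purl] = list(violations)
    return summary


def format_report(summary: dict[str, list[dict]]) -> str:
    """One line per compliant PURL, one line per violation otherwise."""
    lines = []
    for purl, violations in summary.items():
        if not violations:
            lines.append(f"OK   {purl}")
            continue
        for v in violations:
            where = ", ".join(v["filepathOrProvenance"]) or "(no location given)"
            lines.append(f"FAIL {purl}: {v['spdxAtomOrExtraData']} - "
                         f"{v['violationExplanation']} [{where}]")
    return "\n".join(lines)


def post_license_policy(body: dict, api_token: str, url: str = API_URL) -> list[list[dict]]:
    """Send the request. ASSUMED: HTTP Basic auth with the org token as the username
    and an empty password (the page only shows a Basic/base64 credential box)."""
    credentials = base64.b64encode(f"{api_token}:".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {credentials}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample input and response (not real API output) so the flow runs offline.
SAMPLE_PURLS = ["pkg:npm/example-a@1.0.0", "pkg:pypi/example-b@2.0.0"]
SAMPLE_ALLOW_LIST = {"allowedApprovalSources": ["fsf", "osi"], "allowedFamilies": ["permissive"]}
SAMPLE_RESPONSE = [
    [],  # first PURL: no violations
    [{
        "purl": "pkg:pypi/example-b@2.0.0",
        "spdxAtomOrExtraData": "GPL-3.0-only",
        "violationExplanation": "copyleft family is not in allowedFamilies",
        "filepathOrProvenance": ["LICENSE", "setup.py:classifiers"],
    }],
]

if __name__ == "__main__":
    print(json.dumps(build_request_body(SAMPLE_PURLS, SAMPLE_ALLOW_LIST), indent=2))
    print(format_report(summarize_response(SAMPLE_PURLS, SAMPLE_RESPONSE)))
```

Replace `SAMPLE_RESPONSE` with the return value of `post_license_policy(...)` once the real URL and token are filled in; the local validation step is what keeps a mistyped tier or family name from silently widening or narrowing the policy you think you are enforcing.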

This endpoint consumes 100 units of your quota.

This endpoint requires the following org token scopes:

  • packages:list