Transitive Waivers REST API
Transitive Violations
A transitive policy violation is a violation in the report that is brought in by a transitive dependency.
Following APIs provide a way of getting and waiving transitive violations of a component in a specific stage (e.g. Build, Stage Release, and Release) or scan.
Get Transitive Violations by Stage ID
This API allows getting all the transitive violations for a given component from the latest stage report(s) at the given scope.
Request
GET api/v2/policyViolations/transitive/{ownerType: application|organization}/{ownerId}/stages/{stage}?componentIdentifier={componentIdentifier}&packageUrl={packageUrl}&hash={hash}Here is a description of the properties of the request:
Property | Description |
|---|---|
ownerType | Scope (application, organization, or root organization) |
ownerId | Public ID of the owner |
stage | Stage ID |
componentIdentifier* | Component Identifier of the component |
packageUrl* | Package Url of the Component |
hash* | Hash of the component |
Note
Only one of componentIdentifier or packageUrl or hash is required. If multiple are supplied we favor them in the order specified here.
Note
The Owner ID can be obtained by Application REST API.
Assuming a local installation of IQ Server with its default configuration, the following example using the cURL tool finds the transitive policy violations for a component using its packageUrl:
curl -u admin:admin123 --request GET 'http://localhost:8070/api/v2/policyViolations/transitive/application/npm/stages/build?packageUrl=pkg:npm/%40iarna/cli@1.2.0'
The server returns the list of transitive policy violations related to the component. A sample response would be as follows:
{
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "@iarna/cli",
"version": "1.2.0"
}
},
"packageUrl": "pkg:npm/%40iarna/cli@1.2.0",
"hash": "0f7af5e851afe8951045",
"displayName": "@iarna/cli : 1.2.0",
"isInnerSource": false,
"transitivePolicyViolations": [
{
"policyId": "1df00277de9041a29f0f4b2537b0501e",
"policyName": "Architecture-Quality",
"threatLevel": 1,
"threatCategory": "quality",
"policyViolationId": "3063a76f84624e12bb715f0b8ae1c824",
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "get-caller-file",
"version": "1.0.2"
}
},
"packageUrl": "pkg:npm/get-caller-file@1.0.2",
"hash": "f702e63127e7e231c160",
"displayName": "get-caller-file : 1.0.2"
},
{
"policyId": "1df00277de9041a29f0f4b2537b0501e",
"policyName": "Architecture-Quality",
"threatLevel": 1,
"threatCategory": "quality",
"policyViolationId": "3038a9231ba847658a319690fe3dabbf",
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "y18n",
"version": "3.2.1"
}
},
"packageUrl": "pkg:npm/y18n@3.2.1",
"hash": "6d15fba884c08679c0d7",
"displayName": "y18n : 3.2.1"
}
]
}Get Transitive Violations by Report ID
This API allows getting all the transitive violations for a given component in a specific scan.
Request
GET api/v2/policyViolations/transitive/{ownerType:application}/{ownerId}/{reportId}?componentIdentifier={componentIdentifier}&packageUrl={packageUrl}&hash={hash}Here is a description of the properties of the request:
Property | Description |
|---|---|
ownerType | Scope (application) |
ownerId | Public ID of the owner |
reportId | Report ID |
componentIdentifier* | Component Identifier of the component |
packageUrl* | Package Url of the Component |
hash* | Hash of the component |
Note
Only one of componentIdentifier or packageUrl or hash is required. If multiple are supplied we favor them in the order specified here.
Note
The Owner ID can be obtained by Application REST API and the Report ID by Report Related REST API.
Assuming a local installation of IQ Server with its default configuration, the following example using the cURL tool finds the transitive policy violations for a component using its packageUrl:
curl -u admin:admin123 --request GET 'http://localhost:8070/api/v2/policyViolations/transitive/application/npm/df7d9a3b7fd044809ec032e464c54541?packageUrl=pkg:npm/%40iarna/cli@1.2.0'
The server returns the list of transitive policy violations related to the component. A sample response would be as follows:
{
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "@iarna/cli",
"version": "1.2.0"
}
},
"packageUrl": "pkg:npm/%40iarna/cli@1.2.0",
"hash": "0f7af5e851afe8951045",
"displayName": "@iarna/cli : 1.2.0",
"isInnerSource": false,
"transitivePolicyViolations": [
{
"policyId": "1df00277de9041a29f0f4b2537b0501e",
"policyName": "Architecture-Quality",
"threatLevel": 1,
"threatCategory": "quality",
"policyViolationId": "3063a76f84624e12bb715f0b8ae1c824",
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "get-caller-file",
"version": "1.0.2"
}
},
"packageUrl": "pkg:npm/get-caller-file@1.0.2",
"hash": "f702e63127e7e231c160",
"displayName": "get-caller-file : 1.0.2"
},
{
"policyId": "1df00277de9041a29f0f4b2537b0501e",
"policyName": "Architecture-Quality",
"threatLevel": 1,
"threatCategory": "quality",
"policyViolationId": "3038a9231ba847658a319690fe3dabbf",
"componentIdentifier": {
"format": "npm",
"coordinates": {
"packageId": "y18n",
"version": "3.2.1"
}
},
"packageUrl": "pkg:npm/y18n@3.2.1",
"hash": "6d15fba884c08679c0d7",
"displayName": "y18n : 3.2.1"
}
]
}Group Waiving Transitive Violations for a given component in a scan
This API allows group waiving of all transitive violations for a given component in a specific scan.
Request
POST api/v2/policyWaivers/transitive/{ownerType:application}/{ownerId}/{reportId}?componentIdentifier={componentIdentifier}&packageUrl={packageUrl}&hash={hash}Here is a description of the properties of the request:
Property | Description |
|---|---|
ownerType | Scope (application) |
ownerId | Public ID of the owner |
reportId | Report ID |
componentIdentifier* | Component Identifier of the component |
packageUrl* | Package Url of the Component |
hash* | Hash of the component |
Note
Only one of componentIdentifier or packageUrl or hash is required. If multiple are supplied we favor them in the order specified here.
Note
The Owner ID can be obtained by Application REST API and the Report ID by Report Related REST API.
With the POST request, you will need to provide the waiving details in the payload.
{
"expiryTime" : "2021-06-30T00:00:00.000+0000" ,
"comment" : "Test Comment"
}Both expiryTime and comment are optional, if expiryTime is not set it means the waiver will never expire.
Assuming a local installation of IQ Server with its default configuration, the following example using the cURL tool waives the transitive policy violations for a component in a scan using its packageUrl:
curl -u admin:admin123 --request POST 'http://localhost:8070/api/v2/policyWaivers/transitive/application/npm/df7d9a3b7fd044809ec032e464c54541?packageUrl=pkg:npm/%40iarna/cli@1.2.0' --header 'Content-Type: application/json' --data-raw '{"expiryTime": "2021-06-30T00:00:00.000+0000","comment" :"Test Comment"}'Response
The server will respond with a 204 status upon success.
Group Waiving Transitive Violations for a given component in a specific stage
This API allows group waiving of all transitive violations for a given component from the latest stage report(s) at the given scope.
Request
POST api/v2/policyWaivers/transitive/{ownerType:application|organization}/{ownerId}/stages/{stageId}?componentIdentifier={componentIdentifier}&packageUrl={packageUrl}&hash={hash}Here is a description of the properties of the request:
Property | Description |
|---|---|
ownerType | Scope (application, organization, or root organization) |
ownerId | Public ID of the owner |
stage | Stage ID |
componentIdentifier* | Component Identifier of the component |
packageUrl* | Package Url of the Component |
hash* | Hash of the component |
Note
Only one of componentIdentifier or packageUrl or hash is required. If multiple are supplied we favor them in the order specified here.
Note
The Owner ID can be obtained by Application REST API.
With the POST request, you will need to provide the waiving details in the payload.
{
"expiryTime" : "2021-06-30T00:00:00.000+0000" ,
"comment" : "Test Comment"
}Both expiryTime and comment are optional, ifexpiryTimeis not set it means the waiver will never expire.
Assuming a local installation of IQ Server with its default configuration, the following example using the cURL tool waives the transitive policy violations for a component using its packageUrl:
curl -u admin:admin123 --request POST 'http://localhost:8070/api/v2/policyWaivers/transitive/application/npm/stages/build?packageUrl=pkg:npm/%40iarna/cli@1.2.0' --header 'Content-Type: application/json' --data-raw '{"expiryTime": "2021-06-30T00:00:00.000+0000","comment" :"Test Comment"}'Response
The server will respond with a 204 status upon success.