License Legal REST API - Experimental

NEW IN RELEASE 103

This REST API is liable to change in subsequent IQ Server releases.

The License Legal REST API was released in IQ Server release 103 as an Experimental API. It allows you to:

GET a License Legal Application Report

To get a License Legal Application Report, issue a GET request to the following path:

GET /api/experimental/licenseLegalMetadata/application/{applicationPublicId}

For example, to get the license legal application report for an application with id "MyApp", you could issue this request:

curl -u admin:admin123 http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp

This cURL request will produce a JSON response of the following form:

{
	"components": [...],
	"licenseLegalMetadata": [...]
}

Each component and license legal metadata element has the same form as shown in the example response for getting a License Legal Component Report.

GET a License Legal Component Report

To get a License Legal Component Report, issue a GET request to the following path:

GET /api/experimental/licenseLegalMetadata/{organization|application}/{ownerId}/component?{componentIdentifier|packageUrl|hash}=...

The specified organization or application determines the license overrides (if any). Note that the Root Organization can also be specified via the organization id ROOT_ORGANIZATION_ID.

For example, to get the license legal component report for an application with id "MyApp" and a component with coordinates "org.apache.httpcomponents : httpclient : 4.1" and hash "93cd011acb220de08b57", you could issue any one of these requests:

curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?componentIdentifier=%7B%22format%22:%22maven%22,%22coordinates%22:%7B%22artifactId%22:%22httpclient%22,%22classifier%22:%22%22,%22extension%22:%22jar%22,%22groupId%22:%22org.apache.httpcomponents%22,%22version%22:%224.1%22%7D%7D'
curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?packageUrl=pkg:maven/org.apache.httpcomponents/httpclient@4.1?type=jar'
curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?hash=93cd011acb220de08b57'

Note that only one of componentIdentifier, packageUrl, or hash must be specified.

There are also two optional parameters: identificationSource, specifying the component identification source, and scanId, specifying the id for the report where the component was identified. Note that the latter is only used with a third-party identification source.

For example, to get the license legal component report for an application with id "MyApp" and a component with coordinates "debian-9 : glibc : 2.24-11+deb9u3" identified by a third-party scan with id "1c0af74bbbb4474e8b4ac417f94d2692", you could issue this request:

curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?componentIdentifier=%7B%22format%22:%22debian-9%22,%22coordinates%22:%7B%22name%22:%22glibc%22,%22version%22:%222.24-11%2Bdeb9u3%22%7D%7D&identificationSource=Clair&scanId=1c0af74bbbb4474e8b4ac417f94d2692'
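An added example (not part of the original page or of IQ Server's own code): a Python helper that builds the component report URL with every query value percent-encoded, so the braces and quotes of componentIdentifier, the & between parameters and a + in a version string all reach the server intact. The function name and its keyword arguments are assumptions; the host, path and parameter names are the ones used in the requests above.

```python
import json
from urllib.parse import quote, urlencode

# Host and path as used in the page's curl examples.
BASE = "http://localhost:8070/api/experimental/licenseLegalMetadata"
SELECTORS = ("componentIdentifier", "packageUrl", "hash")


def component_report_url(owner_type, owner_id, *, identification_source=None,
                         scan_id=None, **selector):
    """Build the component report URL (hypothetical helper, not a Sonatype API)."""
    if owner_type not in ("organization", "application"):
        raise ValueError("owner_type must be 'organization' or 'application'")
    # The page requires one of the three selectors; reject none, several or unknown.
    if len(selector) != 1 or next(iter(selector)) not in SELECTORS:
        raise ValueError("specify exactly one of: " + ", ".join(SELECTORS))
    name, value = next(iter(selector.items()))
    if isinstance(value, dict):
        # componentIdentifier travels as compact JSON in the query string.
        value = json.dumps(value, separators=(",", ":"))
    params = [(name, value)]
    if identification_source is not None:
        params.append(("identificationSource", identification_source))
    if scan_id is not None:
        params.append(("scanId", scan_id))
    # quote_via=quote with safe="" encodes every reserved character, so a '+'
    # in a version is sent as %2B and cannot be read back as a space.
    query = urlencode(params, quote_via=quote, safe="")
    return f"{BASE}/{owner_type}/{quote(owner_id, safe='')}/component?{query}"


if __name__ == "__main__":
    print(component_report_url(
        "application", "MyApp",
        componentIdentifier={"format": "debian-9", "coordinates": {
            "name": "glibc", "version": "2.24-11+deb9u3"}},
        identification_source="Clair",
        scan_id="1c0af74bbbb4474e8b4ac417f94d2692"))
```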

The initial cURL request will produce a JSON response of the following form (note that some data has been omitted and/or abbreviated for brevity):

{
	"component": {
		"packageUrl": "pkg:maven/org.apache.httpcomponents/httpclient@4.1?type=jar",
		"hash": "93cd011acb220de08b57",
		"componentIdentifier": {
			"format": "maven",
			"coordinates": {
				"artifactId": "httpclient",
				"classifier": "",
				"extension": "jar",
				"groupId": "org.apache.httpcomponents",
				"version": "4.1"
			}
		},
		"displayName": "httpclient",
		"licenseLegalData": {
			"declaredLicenses": [
				"See-License-Clause",
				"Apache-UNSPECIFIED"
			],
			"observedLicenses": [
				"Apache-2.0"
			],
			"effectiveLicenses": [
				"See-License-Clause",
				"Apache-UNSPECIFIED",
				"Apache-2.0"
			],
			"effectiveLicenseThreats": [
				{
					"licenseThreatGroupName": "Liberal",
					"licenseThreatGroupLevel": 0,
					"licenseThreatGroupCategory": "no-threat"
				},
				{
					"licenseThreatGroupName": "Non Standard",
					"licenseThreatGroupLevel": 6,
					"licenseThreatGroupCategory": "severe"
				}
			],
			"copyrights": [
				"copyright 1",
				"copyright 2",
				...
			],
			"licenseFiles": [
				"license file 1 content",
				"license file 2 content",
				...
			],
			"noticeFiles": [
				"notice file 1 content",
				"notice file 2 content",
				...
			]
		}
	},
	"licenseLegalMetadata": [
		{
			"licenseId": "Apache-UNSPECIFIED",
			"licenseName": "Apache",
			"licenseText": null,
			"obligations": []
		},
		{
			"licenseId": "Apache-2.0",
			"licenseName": "Apache-2.0",
			"licenseText": "license text content",
			"obligations": [
				{
					"licenseObligationDTO": {
						"name": "Must State Changes",
						"obligationTexts": [
							"You must cause any modified files to carry prominent notices stating that You changed the files;"
						]
					},
					"licenseObligationStatus": 0
				},
				...
			]
		},
		...
	]
}

| Item | Description |
| --- | --- |
| component | The component including its description and license legal metadata |
| packageUrl | The package URL or purl of the component |
| hash | The SHA-1 hash of the component truncated to 20 characters |
| componentIdentifier | The component identifier for the component including its format and coordinates |
| displayName | The display name for the component |
| licenseLegalData | The license legal data for the component including its licenses (declared, observed, effective), its effective license threats, its copyrights, and the content of its legal files (licenses and notices) |
| licenseLegalMetadata | The license legal metadata for the component including, for each of its effective licenses, the license id, the license name, the license text, and the license obligations |
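An added example (not from the original page or from IQ Server): a Python function that reads a component report of the form shown above and reports threat groups above a limit, effective licenses that come back without license text, and the obligation names per license. The function name, the max_level threshold and the result keys are assumptions; the sample input is constructed from the page's abbreviated example response.

```python
import json

# Constructed sample: the page's example response, abbreviated further.
SAMPLE = json.loads("""
{"component": {"displayName": "httpclient", "licenseLegalData": {
   "effectiveLicenses": ["See-License-Clause", "Apache-UNSPECIFIED", "Apache-2.0"],
   "effectiveLicenseThreats": [
     {"licenseThreatGroupName": "Liberal", "licenseThreatGroupLevel": 0,
      "licenseThreatGroupCategory": "no-threat"},
     {"licenseThreatGroupName": "Non Standard", "licenseThreatGroupLevel": 6,
      "licenseThreatGroupCategory": "severe"}]}},
 "licenseLegalMetadata": [
   {"licenseId": "Apache-UNSPECIFIED", "licenseName": "Apache",
    "licenseText": null, "obligations": []},
   {"licenseId": "Apache-2.0", "licenseName": "Apache-2.0",
    "licenseText": "license text content", "obligations": [
      {"licenseObligationDTO": {"name": "Must State Changes",
                                "obligationTexts": ["..."]},
       "licenseObligationStatus": 0}]}]}
""")


def review_component(report, max_level=5):
    """Summarise one component report; max_level is a hypothetical local limit."""
    legal = report["component"].get("licenseLegalData") or {}
    meta = {m["licenseId"]: m for m in report.get("licenseLegalMetadata", [])}
    threats = [t for t in legal.get("effectiveLicenseThreats", [])
               if t["licenseThreatGroupLevel"] > max_level]
    # Effective licenses with no usable text: entry absent, or licenseText null.
    no_text = [lic for lic in legal.get("effectiveLicenses", [])
               if not (meta.get(lic) or {}).get("licenseText")]
    # Obligation names only; the page does not define licenseObligationStatus values.
    obligations = {lic: [o["licenseObligationDTO"]["name"] for o in m["obligations"]]
                   for lic, m in meta.items() if m.get("obligations")}
    return {
        "component": report["component"].get("displayName"),
        "threats_over_limit": [t["licenseThreatGroupName"] for t in threats],
        "licenses_without_text": no_text,
        "obligations": obligations,
        "passed": not threats,
    }


if __name__ == "__main__":
    print(json.dumps(review_component(SAMPLE), indent=2))
```

In the sample, See-License-Clause is listed as lacking text only because its metadata entry falls in the part of the response the page omits.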