License Legal REST API - Experimental
This REST API is liable to change in subsequent IQ Server releases.
The License Legal REST API was released in IQ Server release 103 as an Experimental API. It allows you to:
GET a License Legal Application Report
To get a License Legal Application Report you can issue a GET request to the following path:
GET /api/experimental/licenseLegalMetadata/application/{applicationPublicId}
For example, to get the license legal application report for an application with id "MyApp" you could issue this request:
curl -u admin:admin123 http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp
This cURL request will produce a JSON response of the following form:
{ "components": [...], "licenseLegalMetadata": [...] }
Each component and license legal metadata element will be of the same form as shown in the example response for getting a License Legal Component Report.
GET a License Legal Component Report
To get a License Legal Component Report you can issue a GET request to the following path:
GET /api/experimental/licenseLegalMetadata/{organization|application}/{ownerId}/component?{componentIdentifier|packageUrl|hash}=...
The specified organization or application will determine the license overrides (if any). Note that the Root Organization can also be specified via the organization id ROOT_ORGANIZATION_ID.
For example, to get the license legal component report for an application with id "MyApp" and a component with coordinates "org.apache.httpcomponents : httpclient : 4.1" and hash "93cd011acb220de08b57" you could issue any one of these requests (the URLs are quoted so the shell passes them through unchanged, and -g stops curl from treating the braces as URL globbing):
curl -g -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?componentIdentifier={%22format%22:%22maven%22,%22coordinates%22:{%22artifactId%22:%22httpclient%22,%22classifier%22:%22%22,%22extension%22:%22jar%22,%22groupId%22:%22org.apache.httpcomponents%22,%22version%22:%224.1%22}}'
curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?packageUrl=pkg:maven/org.apache.httpcomponents/httpclient@4.1?type=jar'
curl -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?hash=93cd011acb220de08b57'
Note that only one of componentIdentifier, packageUrl, or hash must be specified.
There are also two optional parameters: identificationSource, specifying the component identification source, and scanId, specifying the id for the report where the component was identified. Note that the latter is only used with a third party identification source.
For example, to get the license legal component report for an application with id "MyApp" and a component with coordinates "debian-9 : glibc : 2.24-11+deb9u3" identified by a third party scan with id "1c0af74bbbb4474e8b4ac417f94d2692", you could issue this request (the URL is quoted so the shell does not treat & as a command separator):
curl -g -u admin:admin123 'http://localhost:8070/api/experimental/licenseLegalMetadata/application/MyApp/component?componentIdentifier={%22format%22:%22debian-9%22,%22coordinates%22:{%22name%22:%22glibc%22,%22version%22:%222.24-11+deb9u3%22}}&identificationSource=Clair&scanId=1c0af74bbbb4474e8b4ac417f94d2692'
The initial cURL request will produce a JSON response of the following form (note some data has been omitted and/or abbreviated for brevity):
{
  "component": {
    "packageUrl": "pkg:maven/org.apache.httpcomponents/httpclient@4.1?type=jar",
    "hash": "93cd011acb220de08b57",
    "componentIdentifier": {
      "format": "maven",
      "coordinates": {
        "artifactId": "httpclient",
        "classifier": "",
        "extension": "jar",
        "groupId": "org.apache.httpcomponents",
        "version": "4.1"
      }
    },
    "displayName": "httpclient",
    "licenseLegalData": {
      "declaredLicenses": [ "See-License-Clause", "Apache-UNSPECIFIED" ],
      "observedLicenses": [ "Apache-2.0" ],
      "effectiveLicenses": [ "See-License-Clause", "Apache-UNSPECIFIED", "Apache-2.0" ],
      "effectiveLicenseThreats": [
        {
          "licenseThreatGroupName": "Liberal",
          "licenseThreatGroupLevel": 0,
          "licenseThreatGroupCategory": "no-threat"
        },
        {
          "licenseThreatGroupName": "Non Standard",
          "licenseThreatGroupLevel": 6,
          "licenseThreatGroupCategory": "severe"
        }
      ],
      "copyrights": [ "copyright 1", "copyright 2", ... ],
      "licenseFiles": [ "license file 1 content", "license file 2 content", ... ],
      "noticeFiles": [ "notice file 1 content", "notice file 2 content", ... ]
    }
  },
  "licenseLegalMetadata": [
    {
      "licenseId": "Apache-UNSPECIFIED",
      "licenseName": "Apache",
      "licenseText": null,
      "obligations": []
    },
    {
      "licenseId": "Apache-2.0",
      "licenseName": "Apache-2.0",
      "licenseText": "license text content",
      "obligations": [
        {
          "licenseObligationDTO": {
            "name": "Must State Changes",
            "obligationTexts": [
              "You must cause any modified files to carry prominent notices stating that You changed the files;"
            ]
          },
          "licenseObligationStatus": 0
        },
        ...
      ]
    },
    ...
  ]
}
Item | Description |
---|---|
component | The component including its description and license legal metadata |
packageUrl | The package URL or purl of the component |
hash | The SHA-1 hash of the component truncated to 20 characters |
componentIdentifier | The component identifier for the component including its format and coordinates |
displayName | The display name for the component |
licenseLegalData | The license legal data for the component including its licenses (declared, observed, effective), its effective license threats, its copyrights, and the content of its legal files (licenses and notices) |
licenseLegalMetadata | The license legal metadata for the component including, for each of its effective licenses, the license id, the license name, the license text, and the license obligations |
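The following is an added example, not code from the original page or from the product: a Python helper that builds the component report URL with exactly one identifier and fully percent-encoded query values, plus a check over the response fields described in the table. The function names, the `max_level` threshold of 5, and the early rejection of `scanId` without `identificationSource` are assumptions; `SAMPLE` is constructed from the response shown above.

```python
import json
from urllib.parse import quote, urlencode

# Base path from the page; host and port are the page's sample values.
BASE = "http://localhost:8070/api/experimental/licenseLegalMetadata"

def component_report_url(owner_type, owner_id, *, component_identifier=None,
                         package_url=None, component_hash=None,
                         identification_source=None, scan_id=None):
    """Build the component report URL with every query value percent-encoded."""
    if owner_type not in ("organization", "application"):
        raise ValueError("owner_type must be 'organization' or 'application'")
    given = {k: v for k, v in (("componentIdentifier", component_identifier),
                               ("packageUrl", package_url),
                               ("hash", component_hash)) if v is not None}
    if len(given) != 1:
        raise ValueError("specify exactly one of componentIdentifier, packageUrl, hash")
    if scan_id and not identification_source:
        # Assumption: reject early, since scanId only applies to third party sources.
        raise ValueError("scanId requires identificationSource")
    params = {k: json.dumps(v, separators=(",", ":")) if isinstance(v, dict) else v
              for k, v in given.items()}
    if identification_source:
        params["identificationSource"] = identification_source
    if scan_id:
        params["scanId"] = scan_id
    # Percent-encoding '{', '"', '&' and '+' keeps the shell, curl and the server
    # from reinterpreting them (a literal '+' would otherwise decode as a space).
    return (f"{BASE}/{owner_type}/{quote(owner_id, safe='')}/component?"
            + urlencode(params, quote_via=quote))

def review_report(report, max_level=5):
    """Return threat groups above max_level and effective licenses lacking text."""
    data = report["component"]["licenseLegalData"]
    threats = [t["licenseThreatGroupName"] for t in data["effectiveLicenseThreats"]
               if t["licenseThreatGroupLevel"] > max_level]
    texts = {m["licenseId"]: m["licenseText"] for m in report["licenseLegalMetadata"]}
    no_text = [lic for lic in data["effectiveLicenses"] if texts.get(lic) is None]
    return {"threats": threats, "no_text": no_text}

# Constructed sample, trimmed from the response shown on the page.
SAMPLE = {
    "component": {"licenseLegalData": {
        "effectiveLicenses": ["See-License-Clause", "Apache-UNSPECIFIED", "Apache-2.0"],
        "effectiveLicenseThreats": [
            {"licenseThreatGroupName": "Liberal", "licenseThreatGroupLevel": 0},
            {"licenseThreatGroupName": "Non Standard", "licenseThreatGroupLevel": 6}]}},
    "licenseLegalMetadata": [
        {"licenseId": "Apache-UNSPECIFIED", "licenseText": None},
        {"licenseId": "Apache-2.0", "licenseText": "license text content"}]}
```

A URL built this way can be passed to curl in single quotes without `-g`, because no braces or ampersands remain unencoded inside a query value.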