> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.endorlabs.com/feedback
```json
{
"path": "/api-reference/dependencymetadataservice/getdependencymetadata",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
# GetDependencyMetadata
> Returns a specified dependency metadata object.
## OpenAPI
````yaml /api-reference/openapi.v3.json get /v1/namespaces/{tenant_meta.namespace}/dependency-metadata/{uuid}
openapi: 3.0.3
info:
description: Integrate your application with Endor Labs using the REST API.
title: Endor Labs REST API Reference
version: '1.0'
servers:
- url: https://api.endorlabs.com/
security: []
tags:
- name: AISastCustomerContextService
- name: APIKeyService
- name: APIKeyValidatorService
- name: ArtifactSignatureService
- name: AuditLogService
- name: AuthenticationLogService
- name: AuthenticationService
- name: AuthorizationPolicyService
- name: BatchFileSegmentsService
- name: BatchNotificationService
- name: CallGraphDataService
- name: CodeOwnersService
- name: DependencyMetadataService
- name: EndorIgnoreEntryService
- name: ExporterService
- name: FindingLogService
- name: FindingService
- name: HuggingFaceModelService
- name: HuggingFaceOrganizationService
- name: IPAddressPolicyService
- name: IdentityProviderService
- name: InstallationService
- name: InvitationService
- name: LicenseDependencyService
- name: LicenseNoticesReportService
- name: LicenseSummaryService
- name: LinterResultService
- name: MalwareService
- name: MetricService
- name: NamespaceService
- name: NotificationService
- name: NotificationTargetService
- name: OnPremSchedulerService
- name: PRCommentConfigService
- name: PackageFirewallLogService
- name: PackageLicenseOverrideService
- name: PackageLicenseQueryService
- name: PackageLicenseService
- name: PackageManagerService
- name: PackageVersionService
- name: PluginBinaryService
- name: PolicyService
- name: PolicyTemplateService
- name: ProjectService
- name: ProvisioningResultService
- name: QueryMalwareService
- name: QueryService
- name: QuerySimilarPackagesService
- name: QueryVulnerabilityService
- name: RegistryIngestionCheckpointService
- name: RepositoryService
- name: RepositoryVersionService
- name: RuleSetImportService
- name: SBOMExportService
- name: SBOMImportService
- name: SCMCredentialService
- name: SavedQueryService
- name: ScanLogRequestService
- name: ScanProfileService
- name: ScanResultService
- name: ScanWorkflowResultService
- name: ScanWorkflowService
- name: SecretRuleService
- name: SemgrepRuleService
- name: SystemConfigService
- name: TenantService
- name: VEXExportService
- name: VectorStoreService
- name: VersionUpgradeService
- name: VulnerabilityService
paths:
/v1/namespaces/{tenant_meta.namespace}/dependency-metadata/{uuid}:
get:
tags:
- DependencyMetadataService
summary: GetDependencyMetadata
description: Returns a specified dependency metadata object.
operationId: DependencyMetadataService_GetDependencyMetadata
parameters:
- description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
in: path
name: tenant_meta.namespace
required: true
schema:
type: string
x-endor-name: Namespace
- description: The UUID of the requested resource.
in: path
name: uuid
required: true
schema:
type: string
- description: List of fields to return (all fields are returned by default).
in: query
name: get_parameters.mask
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/v1DependencyMetadata'
description: A successful response.
default:
content:
application/json:
schema:
$ref: '#/components/schemas/googlerpcStatus'
description: An unexpected error response.
components:
schemas:
v1DependencyMetadata:
description: >-
Information about the relationship between a root package version
(importer)
and one of its dependencies.
DependencyMetadata objects are children of the root PackageVersion
object and
belong to the same project and namespace as the root PackageVersion
object.
They are connected to the importer project through
spec.importer_data.project_uuid, and to the dependency project through
spec.dependency_data.project_uuid.
properties:
context:
$ref: '#/components/schemas/v1Context'
meta:
$ref: '#/components/schemas/v1Meta'
spec:
$ref: '#/components/schemas/v1DependencyMetadataSpec'
tenant_meta:
$ref: '#/components/schemas/v1TenantMeta'
uuid:
description: The UUID of the object.
readOnly: true
type: string
required:
- meta
- spec
- context
type: object
googlerpcStatus:
description: >-
The `Status` type defines a logical error model that is suitable for
different programming environments, including REST APIs and RPC APIs. It
is
used by [gRPC](https://github.com/grpc). Each `Status` message contains
three pieces of data: error code, error message, and error details.
You can find out more about this error model and how to work with it in
the
[API Design Guide](https://cloud.google.com/apis/design/errors).
properties:
code:
description: |-
The status code, which should be an enum value of
[google.rpc.Code][google.rpc.Code].
format: int32
type: integer
details:
description: >-
A list of messages that carry the error details. There is a common
set of
message types for APIs to use.
items:
$ref: '#/components/schemas/googleprotobufAny'
type: array
message:
description: >-
A developer-facing error message, which should be in English. Any
user-facing error message should be localized and sent in the
[google.rpc.Status.details][google.rpc.Status.details] field, or
localized
by the client.
type: string
type: object
v1Context:
description: Contexts keep objects from different scans separated.
properties:
id:
description: The context ID, such as a pull request ID or branch reference.
type: string
tags:
description: |-
A list of tags applied to a context. Used primarily for CI and SBOM
contexts.
items:
type: string
type: array
type:
$ref: '#/components/schemas/ContextContextType'
will_be_deleted_at:
description: |-
Time that all objects in this context will be deleted.
This field is deprecated and will be removed in the future.
Please use the meta.will_be_deleted_at field instead.
format: date-time
readOnly: true
type: string
required:
- type
- id
type: object
v1Meta:
description: Common fields for all Endor Labs resources.
properties:
annotations:
additionalProperties:
type: string
description: >-
Annotations can be used to attach metadata to a resource message.
Annotation values can be small or large, structured or unstructured,
and may include characters not permitted by labels.
The keys may contain alphanumerics, underscores (_), dots (.) and
dashes
(-). The values of an annotation must be 16384 bytes or smaller.
type: object
create_time:
description: |-
Time the resource was created.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
created_by:
description: |-
Name and authentication source of the user who created the object,
for example, ewok@endor.ai@google@api-key.
readOnly: true
type: string
description:
description: Resource description. Must be less than 1024 bytes.
type: string
index_data:
$ref: '#/components/schemas/v1IndexData'
kind:
description: >-
Resource kind, for example, HelloResponse.
Auto-generated using the protobuf message
proto.MessageName().Name().
readOnly: true
type: string
name:
description: Resource name. Must be 63 characters or less.
type: string
parent_kind:
description: Parent object resource kind, for example, Project.
type: string
parent_uuid:
description: Parent object UUID.
type: string
references:
additionalProperties:
$ref: '#/components/schemas/googleprotobufAny'
description: Map of objects referenced in a query API.
readOnly: true
type: object
tags:
description: >-
List of tags attached to the resource.
Tags can be used to select objects and to find collections of
objects that
satisfy certain conditions. A tag must be 255 characters or less.
items:
type: string
type: array
update_time:
description: |-
Time the resource was last updated.
Note: Updated on all create/patch/delete operations.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
updated_by:
description: >-
Name and authentication source of the last user who updated the
object,
for example, vulnerabilityingestor@endor.ai@x509.
readOnly: true
type: string
upsert_time:
description: |-
Time the resource was last upserted.
Note:
create_time is only set the first time the resource is created.
upsert_time is set every time the resource is upseted.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
version:
description: Message version.
readOnly: true
type: string
required:
- name
type: object
v1DependencyMetadataSpec:
description: DependencyMetadata specific data.
properties:
dependency_data:
$ref: '#/components/schemas/DependencyMetadataDependencyData'
importer_data:
$ref: '#/components/schemas/DependencyMetadataImporterData'
type: object
v1TenantMeta:
description: Tenant related data for the tenant containing the resource.
properties:
namespace:
description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
type: string
required:
- namespace
type: object
googleprotobufAny:
additionalProperties: {}
description: >-
`Any` contains an arbitrary serialized protocol buffer message along
with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form
of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
...
}
Example 2: Pack and unpack a message in Java.
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
any.Unpack(foo)
...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
...
}
The pack methods provided by protobuf library will by default use
'type.googleapis.com/full.type.name' as the type URL and the unpack
methods only use the fully qualified type name after the last '/'
in the type URL, for example "foo.bar.com/x/y.z" will yield type
name "y.z".
JSON
====
The JSON representation of an `Any` value uses the regular
representation of the deserialized, embedded message, with an
additional field `@type` which contains the type URL. Example:
package google.profile;
message Person {
string first_name = 1;
string last_name = 2;
}
{
"@type": "type.googleapis.com/google.profile.Person",
"firstName": ,
"lastName":
}
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
`value` which holds the custom JSON in addition to the `@type`
field. Example (for message [google.protobuf.Duration][]):
{
"@type": "type.googleapis.com/google.protobuf.Duration",
"value": "1.212s"
}
properties:
'@type':
description: >-
A URL/resource name that uniquely identifies the type of the
serialized
protocol buffer message. This string must contain at least
one "/" character. The last segment of the URL's path must represent
the fully qualified name of the type (as in
`path/google.protobuf.Duration`). The name should be in a canonical
form
(e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that
they
expect it to use in the context of Any. However, for URLs which use
the
scheme `http`, `https`, or no scheme, one can optionally set up a
type
server that maps type URLs to message definitions as follows:
* If no scheme is provided, `https` is assumed.
* An HTTP GET on the URL must yield a [google.protobuf.Type][]
value in binary format, or produce an error.
* Applications are allowed to cache lookup results based on the
URL, or have them precompiled into a binary to avoid any
lookup. Therefore, binary compatibility needs to be preserved
on changes to types. (Use versioned type names to manage
breaking changes.)
Note: this functionality is not currently available in the official
protobuf release, and it is not used for type URLs beginning with
type.googleapis.com. As of May 2023, there are no widely used type
server
implementations and no plans to implement one.
Schemes other than `http`, `https` (or the empty scheme) might be
used with implementation specific semantics.
type: string
type: object
ContextContextType:
default: CONTEXT_TYPE_UNSPECIFIED
description: |2-
- CONTEXT_TYPE_MAIN: Objects from a scan of the default branch.
All objects in the oss namespace are in the main context.
The context id is always "default".
- CONTEXT_TYPE_EXTERNAL: Indicates that this object is a copy/temporary value of an object in
another project. Used for same-tenant dependencies. In source code
reference this is equivalent to "vendor" folders. Package versions in
the external context are only scanned for call graphs. No other
operations are performed on them.
- CONTEXT_TYPE_CI_RUN: Objects from a PR scan. The context id is the PR UUID.
Objects in this context are deleted after 30 days.
- CONTEXT_TYPE_SBOM: Objects from an SBOM scan. The context id is the SBOM serial number or
some other unique identifier.
- CONTEXT_TYPE_REF: Objects from a scan of a specific branch. The context id is the branch
reference name.
enum:
- CONTEXT_TYPE_UNSPECIFIED
- CONTEXT_TYPE_MAIN
- CONTEXT_TYPE_EXTERNAL
- CONTEXT_TYPE_CI_RUN
- CONTEXT_TYPE_SBOM
- CONTEXT_TYPE_REF
type: string
v1IndexData:
description: |-
IndexData is used to index the resource for search. It's an internal
object.
properties:
data:
items:
type: string
readOnly: true
type: array
search_score:
description: >-
search_score is the score of the resource for search. Internal use
only.
format: float
readOnly: true
type: number
tenant:
readOnly: true
type: string
will_be_deleted_at:
description: Time that the resource will be deleted.
format: date-time
readOnly: true
type: string
type: object
DependencyMetadataDependencyData:
description: Information about the dependency.
properties:
abstract:
description: >-
True if the dependency is an abstract dependency, such as a
secondary Pom
file.
type: boolean
approximation:
description: >-
True if this is an approximate dependency based on unresolved
package
dependencies.
type: boolean
callgraph_available:
description: True if the call graph is available.
type: boolean
container_data:
$ref: '#/components/schemas/v1ContainerDependencyMetadata'
declared_licenses:
description: Declared license information for the dependency.
items:
$ref: '#/components/schemas/v1LicenseDependencyMetadata'
type: array
direct:
description: True if this is a direct dependency.
type: boolean
discovered_licenses:
description: Discovered license information for the dependency.
items:
$ref: '#/components/schemas/v1LicenseDependencyMetadata'
type: array
discovery_type:
$ref: '#/components/schemas/DependencyMetadataDiscoveryType'
ecosystem:
$ref: '#/components/schemas/v1Ecosystem'
eol:
description: Indicates whether the dependency is end of life.
type: boolean
eol_timestamp:
description: End of life timestamp for the dependency package version.
format: date-time
type: string
internal:
description: |-
True if the dependency is in the same namespace or, if the
namespace is oss, in the same project as the importer.
type: boolean
last_commit:
description: Date that the dependency was last modified.
format: date-time
type: string
missing:
description: True if the package version is missing for this dependency.
type: boolean
namespace:
description: Namespace to which the dependency package version object belongs.
type: string
orphan:
description: Deprecated.
type: boolean
package_name:
description: |-
Qualified dependency package name. Does not include the version.
For example, for go://package@v1.2.3 this is set to "go://package".
type: string
package_version_uuid:
description: the UUID of the dependency package version object.
type: string
parent_count:
description: Total number of direct parents in dependency graph.
format: int64
type: integer
parent_version_name:
description: >-
Fully qualified name of the direct parent of the dependency. For
example,
go://package@v1.2.3.
type: string
patched:
description: Indicates whether the dependency version was patched or not.
type: boolean
pinned:
description: True if the dependency is pinned.
type: boolean
project_paths:
description: |-
List of all project paths to this dependency from the root package
version (importer).
items:
$ref: '#/components/schemas/v1DependencyMetadataPath'
type: array
project_uuid:
description: The UUID of the project to which the dependency belongs.
type: string
public:
description: True if the dependency is public.
type: boolean
purl:
description: The purl for the dependency package version.
type: string
reachable:
$ref: '#/components/schemas/DependencyMetadataReachabilityType'
repo_name:
description: Name of the repository to which the dependency belongs.
type: string
resolved_version:
description: Resolved dependency package version. For example, "v2.0.0".
type: string
scope:
$ref: '#/components/schemas/v1DependencyScope'
unresolved_version:
description: Unresolved dependency package version string. For example, "v2.0.0".
type: string
utilization:
description: >-
Percent of the dependency used based on the call graph.
Implementation
pending.
format: float
type: number
vendored:
description: True if the dependency is a vendored dependency.
type: boolean
required:
- direct
type: object
DependencyMetadataImporterData:
description: |-
Information about the root package version (importer),
that imports the dependency in one or more versions,
either directly or indirectly.
properties:
callgraph_available:
description: True if the call graph is available for the root package version.
type: boolean
container_base_image:
$ref: '#/components/schemas/v1ContainerBaseImage'
package_name:
description: |-
Qualified package name of the root package version.
For example, for go://package@v1.2.3 this is set to "go://package".
type: string
package_version_name:
description: |-
Fully qualified name of the root package version. For example,
go://package@v1.2.3.
type: string
package_version_ref:
description: >-
Resolved ref of the source control version for the root package
version.
Can be a tag, a branch or a SHA.
type: string
package_version_sha:
description: |-
SHA of the source control version for the root package version.
Because the SHA might not be possible to resolved, this field is
optional.
type: string
package_version_uuid:
description: >-
The UUID of the importer package version object.
This is the same as the parent UUID of this object
(meta.parent_uuid).
type: string
project_uuid:
description: The UUID of the project to which the root package belongs.
type: string
version_name:
description: |-
Version number of the root package version.
For example, for go://package@v1.2.3 this is set to "v1.2.3".
type: string
required:
- project_uuid
- package_name
- package_version_uuid
- package_version_name
- package_version_ref
- callgraph_available
type: object
v1ContainerDependencyMetadata:
properties:
first_reachable_time:
description: >-
First time this dependency was determined to be reachable in an
application image.
format: date-time
type: string
last_reachable_time:
description: >-
Most recent time this dependency was determined to be reachable in
an application image.
format: date-time
type: string
layers:
description: >-
Layers of the container image where a dependency is found.
This is an optional field.
It is only set when target dependency is found via container image
scan.
items:
$ref: '#/components/schemas/v1ContainerLayerMetadata'
type: array
reachable_count:
description: >-
Number of times this dependency was determined to be reachable in an
application image.
This number is used for trending and it's not meant for exact usage
tracking.
format: uint64
type: string
runtime_files:
description: >-
Files accessed when a dependency is called at runtime in the
container image.
This is an optional field.
It is only set when the dependency is found to be used at runtime in
the container image.
items:
type: string
type: array
user_application_dependency:
description: Set to true if this is a user application dependency.
type: boolean
type: object
v1LicenseDependencyMetadata:
description: LicenseDependencyMetadata contains license information for a dependency.
properties:
category:
description: License category (e.g. "Restricted").
type: string
spdx_id:
description: SPDX license identifier (e.g. "Apache-2.0").
type: string
type:
description: License classification (based on licenseclassifier by Google).
type: string
type: object
DependencyMetadataDiscoveryType:
default: DISCOVERY_TYPE_UNSPECIFIED
description: |2-
- DISCOVERY_TYPE_MANIFEST: Dependency was discovered through a manifest file.
- DISCOVERY_TYPE_PHANTOM: Dependency was discovered through phantom dependency / imported
dependency analysis.
- DISCOVERY_TYPE_SEGMENT_MATCH: Dependency was discovered via code segment match.
enum:
- DISCOVERY_TYPE_UNSPECIFIED
- DISCOVERY_TYPE_MANIFEST
- DISCOVERY_TYPE_PHANTOM
- DISCOVERY_TYPE_SEGMENT_MATCH
type: string
v1Ecosystem:
default: ECOSYSTEM_UNSPECIFIED
description: >2-
- ECOSYSTEM_GO: GoLang.
- ECOSYSTEM_MAVEN: Maven.
- ECOSYSTEM_PYPI: Python.
- ECOSYSTEM_CARGO: Rust.
- ECOSYSTEM_NPM: Javascript.
- ECOSYSTEM_GEM: Ruby.
- ECOSYSTEM_NUGET: Dotnet.
- ECOSYSTEM_PACKAGIST: PHP.
- ECOSYSTEM_SBOM: SBOMs.
- ECOSYSTEM_RPM: RPM.
- ECOSYSTEM_DEBIAN: Debian.
- ECOSYSTEM_GITHUB_ACTION: GitHub Actions.
- ECOSYSTEM_COCOAPOD: Cocoapods.
- ECOSYSTEM_APK: APK (alpine et.al).
- ECOSYSTEM_CONTAINER: Containers.
- ECOSYSTEM_HUGGING_FACE: Hugging Face.
- ECOSYSTEM_C: C/C++.
- ECOSYSTEM_GIT: ecosystem GIT for GIT repository dependencies.
This can be used for package name of the resolved dependencies when a
given repository has dependencies to other GIT repositories. Currently
we
use this to represent vulnerabilities for the given GIT repository. ex:
git submodules, C/C++ dependencies.
- ECOSYSTEM_AI_MODEL: AI models.
- ECOSYSTEM_SWIFT: Ecosystem Swift consists of native Swift packages, which are defined
using the Package.swift manifest file and managed by the Swift Package
Manager. There is a separate ecosystem for Cocoapod packages called
ECOSYSTEM_COCOAPOD, which is an alternative package manager for Swift
packages.
- ECOSYSTEM_CONAN: Ecosystem Conan for C/C++ packages managed by the Conan 2.x package manager.
enum:
- ECOSYSTEM_UNSPECIFIED
- ECOSYSTEM_GO
- ECOSYSTEM_MAVEN
- ECOSYSTEM_PYPI
- ECOSYSTEM_CARGO
- ECOSYSTEM_NPM
- ECOSYSTEM_GEM
- ECOSYSTEM_NUGET
- ECOSYSTEM_PACKAGIST
- ECOSYSTEM_SBOM
- ECOSYSTEM_RPM
- ECOSYSTEM_DEBIAN
- ECOSYSTEM_GITHUB_ACTION
- ECOSYSTEM_COCOAPOD
- ECOSYSTEM_APK
- ECOSYSTEM_CONTAINER
- ECOSYSTEM_HUGGING_FACE
- ECOSYSTEM_C
- ECOSYSTEM_GIT
- ECOSYSTEM_AI_MODEL
- ECOSYSTEM_SWIFT
- ECOSYSTEM_CONAN
type: string
v1DependencyMetadataPath:
description: List of nodes in a dependency path.
properties:
nodes:
description: List of nodes in a dependency path.
items:
type: string
type: array
type: object
DependencyMetadataReachabilityType:
default: REACHABILITY_TYPE_UNSPECIFIED
description: |2-
- REACHABILITY_TYPE_REACHABLE: Call graph analysis determined that the dependency is likely reachable.
- REACHABILITY_TYPE_UNREACHABLE: Call graph analysis determined that the dependency is likely not
reachable.
- REACHABILITY_TYPE_UNKNOWN: Not enough information to perform reachability analysis.
enum:
- REACHABILITY_TYPE_UNSPECIFIED
- REACHABILITY_TYPE_REACHABLE
- REACHABILITY_TYPE_UNREACHABLE
- REACHABILITY_TYPE_UNKNOWN
type: string
v1DependencyScope:
default: DEPENDENCY_SCOPE_UNSPECIFIED
description: |2-
- DEPENDENCY_SCOPE_UNSPECIFIED: Dependency scope is undefined.
- DEPENDENCY_SCOPE_TEST: Dependency is only used for testing.
- DEPENDENCY_SCOPE_BUILD: Dependency is only used for building the package.
- DEPENDENCY_SCOPE_NORMAL: Dependency is used in normal, non-test, code.
enum:
- DEPENDENCY_SCOPE_UNSPECIFIED
- DEPENDENCY_SCOPE_TEST
- DEPENDENCY_SCOPE_BUILD
- DEPENDENCY_SCOPE_NORMAL
type: string
v1ContainerBaseImage:
description: The base image of a container Image.
properties:
chain_id:
description: Chain ID for the base image's layers.
type: string
digest:
description: The SHA256 digest of the base image.
type: string
name:
description: The name of the base image. For example, "debian:bookworm-slim".
type: string
type: object
v1ContainerLayerMetadata:
properties:
base_layer:
description: Set to true if this is the base image layer.
type: boolean
digest:
description: The SHA256 digest of the container image layer.
type: string
file_locations:
description: >-
File locations on the container file system that reference the
dependency.
items:
type: string
type: array
required:
- digest
type: object
````