> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.endorlabs.com/feedback
```json
{
"path": "/api-reference/packagelicensequeryservice/createpackagelicensequery",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
# CreatePackageLicenseQuery
> Creates a query to fetch merged license data (PackageLicense + PackageLicenseOverride) for a package version from all the namespaces in the namespace chain.
This is the primary API for the Edit Dependency UI page.
The response combines:
- Original licenses/copyrights/notices from PackageLicense (fetched from OSS namespace).
- Any overrides from PackageLicenseOverride (fetched from user namespace).
- Selection states for each item (defaults to selected if not in selection map).
## OpenAPI
````yaml /api-reference/openapi.v3.json post /v1/namespaces/{tenant_meta.namespace}/queries/package-license-queries
openapi: 3.0.3
info:
description: Integrate your application with Endor Labs using the REST API.
title: Endor Labs REST API Reference
version: '1.0'
servers:
- url: https://api.endorlabs.com/
security: []
tags:
- name: AISastCustomerContextService
- name: APIKeyService
- name: APIKeyValidatorService
- name: ArtifactSignatureService
- name: AuditLogService
- name: AuthenticationLogService
- name: AuthenticationService
- name: AuthorizationPolicyService
- name: BatchFileSegmentsService
- name: BatchNotificationService
- name: CallGraphDataService
- name: CodeOwnersService
- name: DependencyMetadataService
- name: EndorIgnoreEntryService
- name: ExporterService
- name: FindingLogService
- name: FindingService
- name: HuggingFaceModelService
- name: HuggingFaceOrganizationService
- name: IPAddressPolicyService
- name: IdentityProviderService
- name: InstallationService
- name: InvitationService
- name: LicenseDependencyService
- name: LicenseNoticesReportService
- name: LicenseSummaryService
- name: LinterResultService
- name: MalwareService
- name: MetricService
- name: NamespaceService
- name: NotificationService
- name: NotificationTargetService
- name: OnPremSchedulerService
- name: PRCommentConfigService
- name: PackageFirewallLogService
- name: PackageLicenseOverrideService
- name: PackageLicenseQueryService
- name: PackageLicenseService
- name: PackageManagerService
- name: PackageVersionService
- name: PluginBinaryService
- name: PolicyService
- name: PolicyTemplateService
- name: ProjectService
- name: ProvisioningResultService
- name: QueryMalwareService
- name: QueryService
- name: QuerySimilarPackagesService
- name: QueryVulnerabilityService
- name: RegistryIngestionCheckpointService
- name: RepositoryService
- name: RepositoryVersionService
- name: RuleSetImportService
- name: SBOMExportService
- name: SBOMImportService
- name: SCMCredentialService
- name: SavedQueryService
- name: ScanLogRequestService
- name: ScanProfileService
- name: ScanResultService
- name: ScanWorkflowResultService
- name: ScanWorkflowService
- name: SecretRuleService
- name: SemgrepRuleService
- name: SystemConfigService
- name: TenantService
- name: VEXExportService
- name: VectorStoreService
- name: VersionUpgradeService
- name: VulnerabilityService
paths:
/v1/namespaces/{tenant_meta.namespace}/queries/package-license-queries:
post:
tags:
- PackageLicenseQueryService
summary: CreatePackageLicenseQuery
description: >-
Creates a query to fetch merged license data (PackageLicense +
PackageLicenseOverride) for a package version from all the namespaces in
the namespace chain.
This is the primary API for the Edit Dependency UI page.
The response combines:
- Original licenses/copyrights/notices from PackageLicense (fetched from OSS namespace).
- Any overrides from PackageLicenseOverride (fetched from user namespace).
- Selection states for each item (defaults to selected if not in selection map).
operationId: PackageLicenseQueryService_CreatePackageLicenseQuery
parameters:
- description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
in: path
name: tenant_meta.namespace
required: true
schema:
type: string
x-endor-name: Namespace
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/PackageLicenseQueryServiceCreatePackageLicenseQueryBody
required: true
x-originalParamName: body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/v1PackageLicenseQuery'
description: A successful response.
default:
content:
application/json:
schema:
$ref: '#/components/schemas/googlerpcStatus'
description: An unexpected error response.
components:
schemas:
PackageLicenseQueryServiceCreatePackageLicenseQueryBody:
description: >-
PackageLicenseQuery represents the merged result of PackageLicense +
PackageLicenseOverride.
This response combines original license data from PackageLicense with
any overrides and
selection states from PackageLicenseOverride across all namespaces in
the namespace chain,
providing a complete view for the UI.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
spec:
$ref: '#/components/schemas/v1PackageLicenseQuerySpec'
tenant_meta:
title: tenant metadata
type: object
uuid:
description: The uuid of the resource.
readOnly: true
type: string
type: object
v1PackageLicenseQuery:
description: >-
PackageLicenseQuery represents the merged result of PackageLicense +
PackageLicenseOverride.
This response combines original license data from PackageLicense with
any overrides and
selection states from PackageLicenseOverride across all namespaces in
the namespace chain,
providing a complete view for the UI.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
spec:
$ref: '#/components/schemas/v1PackageLicenseQuerySpec'
tenant_meta:
$ref: '#/components/schemas/v1TenantMeta'
uuid:
description: The uuid of the resource.
readOnly: true
type: string
type: object
googlerpcStatus:
description: >-
The `Status` type defines a logical error model that is suitable for
different programming environments, including REST APIs and RPC APIs. It
is
used by [gRPC](https://github.com/grpc). Each `Status` message contains
three pieces of data: error code, error message, and error details.
You can find out more about this error model and how to work with it in
the
[API Design Guide](https://cloud.google.com/apis/design/errors).
properties:
code:
description: |-
The status code, which should be an enum value of
[google.rpc.Code][google.rpc.Code].
format: int32
type: integer
details:
description: >-
A list of messages that carry the error details. There is a common
set of
message types for APIs to use.
items:
$ref: '#/components/schemas/googleprotobufAny'
type: array
message:
description: >-
A developer-facing error message, which should be in English. Any
user-facing error message should be localized and sent in the
[google.rpc.Status.details][google.rpc.Status.details] field, or
localized
by the client.
type: string
type: object
v1Meta:
description: Common fields for all Endor Labs resources.
properties:
annotations:
additionalProperties:
type: string
description: >-
Annotations can be used to attach metadata to a resource message.
Annotation values can be small or large, structured or unstructured,
and may include characters not permitted by labels.
The keys may contain alphanumerics, underscores (_), dots (.) and
dashes
(-). The values of an annotation must be 16384 bytes or smaller.
type: object
create_time:
description: |-
Time the resource was created.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
created_by:
description: |-
Name and authentication source of the user who created the object,
for example, ewok@endor.ai@google@api-key.
readOnly: true
type: string
description:
description: Resource description. Must be less than 1024 bytes.
type: string
index_data:
$ref: '#/components/schemas/v1IndexData'
kind:
description: >-
Resource kind, for example, HelloResponse.
Auto-generated using the protobuf message
proto.MessageName().Name().
readOnly: true
type: string
name:
description: Resource name. Must be 63 characters or less.
type: string
parent_kind:
description: Parent object resource kind, for example, Project.
type: string
parent_uuid:
description: Parent object UUID.
type: string
references:
additionalProperties:
$ref: '#/components/schemas/googleprotobufAny'
description: Map of objects referenced in a query API.
readOnly: true
type: object
tags:
description: >-
List of tags attached to the resource.
Tags can be used to select objects and to find collections of
objects that
satisfy certain conditions. A tag must be 255 characters or less.
items:
type: string
type: array
update_time:
description: |-
Time the resource was last updated.
Note: Updated on all create/patch/delete operations.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
updated_by:
description: >-
Name and authentication source of the last user who updated the
object,
for example, vulnerabilityingestor@endor.ai@x509.
readOnly: true
type: string
upsert_time:
description: |-
Time the resource was last upserted.
Note:
create_time is only set the first time the resource is created.
upsert_time is set every time the resource is upseted.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
version:
description: Message version.
readOnly: true
type: string
required:
- name
type: object
v1PackageLicenseQuerySpec:
properties:
applied_overrides:
items:
$ref: '#/components/schemas/PackageLicenseQueryAppliedOverride'
readOnly: true
type: array
copyrights:
description: >-
Merged copyright entries (combines original + overrides).
Each entry includes the copyright text, selection state, and edit
status.
items:
$ref: '#/components/schemas/PackageLicenseQueryMergedCopyrightEntry'
readOnly: true
type: array
licenses:
description: >-
Merged license entries (combines original + overrides).
Each entry includes the license data, selection state, and edit
status.
items:
$ref: '#/components/schemas/PackageLicenseQueryMergedLicenseEntry'
readOnly: true
type: array
notices:
description: >-
Merged notice entries (combines original + overrides).
Each entry includes the notice text, selection state, and edit
status.
items:
$ref: '#/components/schemas/PackageLicenseQueryMergedNoticeEntry'
readOnly: true
type: array
package_license_name:
description: >-
Name of the base PackageLicense to use. If not given, then we use
package_version_uuid.
type: string
package_version_uuid:
description: UUID of the package version this data is for.
type: string
required:
- package_version_uuid
type: object
v1TenantMeta:
description: Tenant related data for the tenant containing the resource.
properties:
namespace:
description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
type: string
required:
- namespace
type: object
googleprotobufAny:
additionalProperties: {}
description: >-
`Any` contains an arbitrary serialized protocol buffer message along
with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form
of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
...
}
Example 2: Pack and unpack a message in Java.
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
any.Unpack(foo)
...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
...
}
The pack methods provided by protobuf library will by default use
'type.googleapis.com/full.type.name' as the type URL and the unpack
methods only use the fully qualified type name after the last '/'
in the type URL, for example "foo.bar.com/x/y.z" will yield type
name "y.z".
JSON
====
The JSON representation of an `Any` value uses the regular
representation of the deserialized, embedded message, with an
additional field `@type` which contains the type URL. Example:
package google.profile;
message Person {
string first_name = 1;
string last_name = 2;
}
{
"@type": "type.googleapis.com/google.profile.Person",
"firstName": ,
"lastName":
}
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
`value` which holds the custom JSON in addition to the `@type`
field. Example (for message [google.protobuf.Duration][]):
{
"@type": "type.googleapis.com/google.protobuf.Duration",
"value": "1.212s"
}
properties:
'@type':
description: >-
A URL/resource name that uniquely identifies the type of the
serialized
protocol buffer message. This string must contain at least
one "/" character. The last segment of the URL's path must represent
the fully qualified name of the type (as in
`path/google.protobuf.Duration`). The name should be in a canonical
form
(e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that
they
expect it to use in the context of Any. However, for URLs which use
the
scheme `http`, `https`, or no scheme, one can optionally set up a
type
server that maps type URLs to message definitions as follows:
* If no scheme is provided, `https` is assumed.
* An HTTP GET on the URL must yield a [google.protobuf.Type][]
value in binary format, or produce an error.
* Applications are allowed to cache lookup results based on the
URL, or have them precompiled into a binary to avoid any
lookup. Therefore, binary compatibility needs to be preserved
on changes to types. (Use versioned type names to manage
breaking changes.)
Note: this functionality is not currently available in the official
protobuf release, and it is not used for type URLs beginning with
type.googleapis.com. As of May 2023, there are no widely used type
server
implementations and no plans to implement one.
Schemes other than `http`, `https` (or the empty scheme) might be
used with implementation specific semantics.
type: string
type: object
v1IndexData:
description: |-
IndexData is used to index the resource for search. It's an internal
object.
properties:
data:
items:
type: string
readOnly: true
type: array
search_score:
description: >-
search_score is the score of the resource for search. Internal use
only.
format: float
readOnly: true
type: number
tenant:
readOnly: true
type: string
will_be_deleted_at:
description: Time that the resource will be deleted.
format: date-time
readOnly: true
type: string
type: object
PackageLicenseQueryAppliedOverride:
description: >-
All overrides that contributed to the final result, ordered root ->
target.
properties:
namespace:
description: Namespace where the contributing override resides.
type: string
override_uuid:
description: UUID of the contributing PackageLicenseOverride in that namespace.
type: string
type: object
PackageLicenseQueryMergedCopyrightEntry:
description: >-
MergedCopyrightEntry represents a single copyright with override and
selection state.
properties:
copyright_text:
description: >-
The copyright text (from override if edited, otherwise from
original).
This is the actual copyright text that will be used.
readOnly: true
type: string
file_locations:
description: >-
File locations where the copyright was found (from override if
edited, otherwise from original).
items:
$ref: '#/components/schemas/v1LicenseFileLocation'
readOnly: true
type: array
identifier:
description: >-
Stable identifier/key for this copyright (file path from
PackageLicense.spec.copyrights map or generated UUID for new
copyrights).
This identifier is used as the key in copyright_overrides and
deselected_copyrights maps.
For copyrights from PackageLicense: uses the file path key from
PackageLicense.spec.copyrights map.
For new copyrights added by user: uses generated UUID prefixed with
"new-".
To determine if a copyright is new: check if identifier starts with
"new-" or does not exist in original PackageLicense.
readOnly: true
type: string
is_edited:
description: >-
Whether this copyright has been edited/overridden.
true = copyright text has been modified from original, false = using
original copyright text.
Can be derived by checking if identifier exists in
copyright_overrides map.
readOnly: true
type: boolean
resolved_namespace:
description: Origin of the effective value for this entry.
readOnly: true
type: string
resolved_override_uuid:
readOnly: true
type: string
selected:
description: >-
Whether this copyright is selected for inclusion in notice file.
true = selected (will be included), false = deselected (will be
excluded).
Defaults to true if not present in deselected_copyrights map.
readOnly: true
type: boolean
type: object
PackageLicenseQueryMergedLicenseEntry:
description: >-
MergedLicenseEntry represents a single license with override and
selection state.
properties:
file_locations:
description: >-
File locations where the license was found (from override if edited,
otherwise from original).
items:
$ref: '#/components/schemas/v1LicenseFileLocation'
readOnly: true
type: array
identifier:
description: >-
Stable identifier for this license (hash calculated from normalized
license text).
This identifier is used as the key in license_overrides and
deselected_licenses maps.
For licenses from PackageLicense: uses PackageLicenseInfo.hash.
For new licenses added by user: hash is calculated from license_text
using SHA256(MakeLicenseKey(normalized_text)).
To determine if a license is new: check if identifier does not exist
in original PackageLicense.
readOnly: true
type: string
is_edited:
description: >-
Whether this license has been edited/overridden.
true = license text has been modified from original, false = using
original license text.
Can be derived by checking if identifier exists in license_overrides
map.
readOnly: true
type: boolean
license_text:
description: >-
Effective license text resolved after applying propagation across
the namespace chain.
readOnly: true
type: string
resolved_namespace:
description: >-
Origin of the effective value for this entry.
If no override is applied, resolved_namespace will typically be
"oss" and
resolved_override_uuid will be empty.
readOnly: true
type: string
resolved_override_uuid:
readOnly: true
type: string
selected:
description: >-
Whether this license is selected for inclusion in notice file.
true = selected (will be included), false = deselected (will be
excluded).
Defaults to true if not present in deselected_licenses map.
readOnly: true
type: boolean
source:
description: >-
Source of the original license (e.g., "code", "package_manager",
"declared").
Helps identify which category the license belongs to.
readOnly: true
type: string
spdx_expr:
description: SPDX expression for the license.
readOnly: true
type: string
type: object
PackageLicenseQueryMergedNoticeEntry:
description: >-
MergedNoticeEntry represents a single notice with override and selection
state.
properties:
file_locations:
description: >-
File locations where the notice was found (from override if edited,
otherwise from original).
items:
$ref: '#/components/schemas/v1LicenseFileLocation'
readOnly: true
type: array
identifier:
description: >-
Stable identifier for this notice (hash calculated from normalized
notice text, or generated UUID for new notices).
This identifier is used as the key in notice_overrides and
deselected_notices maps.
For notices from PackageLicense: uses hash or composite identifier
from original.
For new notices added by user: hash is calculated from notices_text
using SHA256(MakeLicenseKey(normalized_text)).
To determine if a notice is new: check if identifier does not exist
in original PackageLicense.
readOnly: true
type: string
is_edited:
description: >-
Whether this notice has been edited/overridden.
true = notice text has been modified from original, false = using
original notice text.
Can be derived by checking if identifier exists in notice_overrides
map.
readOnly: true
type: boolean
notices_text:
description: |-
The notice text (from override if edited, otherwise from original).
This is the actual notice text that will be used.
readOnly: true
type: string
resolved_namespace:
description: Origin of the effective value for this entry.
readOnly: true
type: string
resolved_override_uuid:
readOnly: true
type: string
selected:
description: >-
Whether this notice is selected for inclusion in notice file.
true = selected (will be included), false = deselected (will be
excluded).
Defaults to true if not present in deselected_notices map.
readOnly: true
type: boolean
type: object
v1LicenseFileLocation:
description: >-
LicenseFileLocation represents the location of a license, copyright, or
notice in source files.
properties:
end_byte:
description: The end byte of the license/copyright/notice in the file.
format: int32
type: integer
end_line:
description: The end line of the license/copyright/notice in the file.
format: int32
type: integer
relative_path:
description: >-
The relative path to the file where the license/copyright/notice was
found.
type: string
start_byte:
description: The start byte of the license/copyright/notice in the file.
format: int32
type: integer
start_line:
description: The start line of the license/copyright/notice in the file.
format: int32
type: integer
type: object
````