Skip to main content
Here is an overview diagram of the Endor Labs data model for the most commonly used resource kinds. Lighter shading identifies the objects that are re-computed on every scan. data model This section describes the most commonly used resource kinds. For a complete list of supported resource kinds, see the Endor Labs OpenAPI documentation. All objects contain a reference to the project UUID, either as the parent object (meta.parent_uuid) or a specific field in the object-specific data if the project is not the direct parent (spec.project_uuid if not specified otherwise). Use the following command to get a list of all objects of a given resource kind in your tenant. Here are a few useful options:
  • --count
  • --page-size=1
  • --list-all
  • --filter="meta.parent_uuid==<uuid>"
  • --filter="spec.project_uuid==<uuid>"
endorctl api list -r <resource-kind>

Project

  • This is the logical root of all the other information for a given project.
  • Contains information about the source code location of a project, such as a Git repository, or a package manager package name.
  • Does not have a parent and is not associated with a context.
  • The object name is the HTTP clone URL, for example: "https://github.com/definitelytyped/definitelytyped.git".
For more information, see the ProjectService REST API documentation.

Repository

  • Contains information about the source code for a project.
  • Child of a Project and, just like the Project, does not belong to a context.
  • There is at most one Repository per Project, but a Project may not have a Repository if there is no source code.
  • The object name is the same as the Project.
For more information, see the RepositoryService REST API documentation.

RepositoryVersion

  • Contains information about a specific version of a Repository.
  • Has the Project as the parent.
  • There are often multiple RepositoryVersions per project.
  • Each RepositoryVersion is associated with a Context.
  • The object name is the corresponding branch name, tag, or SHA, for example: "main".
For more information, see the RepositoryVersionService REST API documentation.

PackageVersion

  • Contains information about a specific version of a package and its dependencies.
  • Does not have a parent (for historical reasons), but is associated with a Context and connected to the Project via spec.project_uuid.
  • The object name is the corresponding package version name in the format <ecosystem>://<package-name>@<version>, for example: "mvn://org.webjars.npm:types__json-schema@1.2.3".
For more information, see the PackageVersionService REST API documentation.

Resolution errors

Details about any dependency resolution or call graph generation errors for a package version are stored in spec.resolution_errors. There are three categories of resolution errors, each with a separate field that can contain up to one resolution error:
  1. Unresolved - Details in spec.resolution_errors.unresolved if there was an error computing the unresolved dependencies.
  2. Resolved - Details in spec.resolution_errors.resolved if there was an error resolving the dependency versions.
  3. Call graph - Details in spec.resolution_errors.call_graph if there was an error generating the call graph.
Each resolution error has a status_error field and may also contain details about the target, the operation that failed, and a description of the error. The following status errors are supported: Below is an example resolution error in the Resolved category: 
{
  "spec": {
    "resolution_errors": {
      "resolved": {
        "description": "failed to discover dependency: unable to resolve dependencies for 'requirements': unable to get direct dependencies: unable to install modules to extract dependencies: unable to resolve package version: ResolveModuleVersion: error in pypi json api for: torch, exact version: 1.9.0+cpu, err: package not found in the repository: unable to resolve dependency version: unable to discover dependencies, unable to discover dependencies",
        "operation": "python:resolvedDependencies:discover",
        "status_error": "STATUS_ERROR_DEPENDENCY",
        "target": "pypi://requirements@main"
      }
    }
  }
}

DependencyMetadata

  • Different from other common resource kinds as it represents the relationship between two PackageVersions: The importer and the dependency.
  • There is one DependencyMetadata object for every dependency for every PackageVersion.
  • Has the importer PackageVersion as the parent and exists in the same Namespace and Context as the parent.
  • The object name is the same as the dependency PackageVersion.
  • Combine the object name (meta.name) and the parent UUID (meta.parent_uuid) to get a unique key.
  • Connected to the Project via spec.importer_data.project_uuid.
  • Details about the relationship are stored in spec.dependency_data. For example:
    • spec.dependency_data.direct
    • spec.dependency_data.reachable
    • spec.dependency_data.scope
For more information, see the DependencyMetadataService REST API documentation.

LinterResult

  • Contains the results of scans using third-party programs such as Gitleaks or Semgrep.
  • Has a RepositoryVersion or PackageVersion as the parent.
  • Belongs to the same Context as the parent.
  • Connected to the Project through spec.project_uuid.
  • The object name is the name of the rule that created the result, for example: "gen-shady-links".
  • The result origin is stored in spec.origin, for example: "LINTER_RESULT_ORIGIN_SECRETS_SCANNER".
For more information, see the LinterResultService REST API documentation.

Metric

  • Contains the output of the analytics processing.
  • Has a PackageVersion, RepositoryVersion, or Repository as the parent.
  • Belongs to the same Context as the parent.
  • Connected to the Project via spec.project_uuid.
  • The object name is the name of the analytic that created the metric, for example: "package_version_scorecard".
For more information, see the MetricService REST API documentation.

Metric types

There are many different types of Metrics. The specifics are stored under spec.metric_values.<key>.<value>, for example: spec.metric_values.scorefactor.score_factor_list. Some Metrics have more than one key-value field under spec.metric_values. The following table lists all supported Metric types along with the corresponding paths to the Metric specific data under spec.metric_values.

Finding

  • Contains details of a problem that needs to be fixed.
  • Has a PackageVersion, RepositoryVersion, or Repository as the parent.
  • Belongs to the same Context as the parent.
  • Connected to the Project via spec.project_uuid.
  • There are many different types of Findings and new types can be created by custom Finding Policies.
  • The object name is the Finding type, for example: "outdated_release". For more information, see Finding names and metadata below.
  • The object description contains a more specific description of the Finding, for example: "Outdated Dependency @babel/plugin-syntax-async-generators@7.8.4".
  • Additional finding type specific data is stored in spec.finding_metadata, for example: spec.finding_metadata.vulnerability.
  • PackageVersion Findings often involve both the root PackageVersion and a dependency PackageVersion. The following details about the dependency PackageVersion are available directly in the Finding object:
    • spec.target_dependency_name, for example: "@babel/plugin-syntax-async-generators"
    • spec.target_dependency_package_name, for example: "npm://@babel/plugin-syntax-async-generators@7.8.4"
    • spec.target_dependency_version, for example: "7.8.4"
    • spec.finding_metadata.dependency_package_version_metadata
  • The UUID of the DependencyMetadata for the dependency is stored in spec.target_uuid.
  • There is one Finding object for every PackageVersion that includes a dependency with a given problem. If 10 PackageVersions include a dependency with a vulnerability then there will be 10 findings for the vulnerability.
For more information, see the FindingService REST API documentation.

Finding names and metadata

The following table lists all supported values for the Finding meta.name field along with an example value for the corresponding meta.description and an explanation.

Finding categories

The following finding categories are supported as possible values in the spec.finding_categories list. All findings must have at least one category.

Finding tags

The following system defined finding tags are supported as possible values in the spec.finding_tags list and referred to as “attributes” in the Endor Labs user interface. These are different from the free-form custom tags that are stored in the Meta field.

Exceptions

A finding can be exempt from triggering action policies (such as admission and notification policies) if it is matched and marked as dismissed by an exception policy. Exception policies allow you to set any criteria you want to mark findings as dismissed. You can apply an exception policy across all projects, a sub-set of projects, or a specific project, within a tenant. Based on the criteria you set, the exception can persist across multiple package versions. Findings dismissed by one or more exception policies have the spec.dismiss field set to true and the corresponding policy object UUIDs are listed under the spec.exceptions.policy_uuids field. They also carry the FINDING_TAGS_EXCEPTION tag.

Action policies

Findings matched by one or more action policies (a.k.a. admission and notification policies) contain the corresponding policy object UUIDs in spec.actions.policy_uuids. They also carry a tag corresponding to the specific action, for example, FINDING_TAGS_CI_WARNING, FINDING_TAGS_CI_BLOCKER, or FINDING_TAGS_NOTIFICATION.

ScanResult

  • Contains details of a scan such as:
    • Configuration
    • Host environment details
    • Runtime statistics
    • Findings
    • Policies triggered
    • Error logs
    • Exit code
    • Scan status
  • Has the Project as the parent.
  • Belongs to the same Context as the scan.
For more information, see the ScanResultService REST API documentation.

Scan status

The following scan statuses are supported: