Get Issues
https://app.fossa.com/api/v2/issuesRetrieve multiple issues
Query parameters
csvbooleanRetrieves issues as a CSV
includeDirectDependencyOriginPathsbooleanInclude origin paths for the direct dependency responsible for including the revision(s) affected by this issue
categoryenumrequiredIssue category
licensingvulnerabilityqualitystatusenumIssue status
activeignoredscope[type]enumrequiredScope of issues to view / update
globalprojectreleaseGroupscope[id]stringProject or release group ID (required when scope[type] is "project" or "releaseGroup")
scope[revision]stringRevision ID (when scope[type] is "project")
scope[revisionScanId]integer <int32>Revision scan ID (when scope[type] is "project")
scope[release]stringRelease group ID (when scope[type] is "releaseGroup")
scope[releaseScanId]stringRelease scan ID (when scope[type] is "releaseGroup")
scope[compareTo][revision]stringThe revision ID to compare issues with. Only available for Project Scope.
scope[compareTo][changeStatus]enumThe status of issues to fetch when comparing issues. - New issues are present in the current revision but not in the comparison revision. - Remediated issues are present in the comparison revision but not in the current revision. - Unchanged issues are present in both revisions. Only available for Project Scope.
newremediatedunchangedids[]integer[]Filter by specific issue IDs
filter[revisionIds][]string[]Filter by specific revision IDs
filter[search]stringFilter by package name or CVE (when category is "vulnerability")
filter[depths][]enum[]Filter by issue depth
filter[ticketed][]enum[]Filter by ticketed status. Only available to premium users.
filter[containerLayers][]enum[]Filter by container layer
filter[type][]enum[]Filter by licensing issue type (when category is "licensing") or quality issue type (when category is "quality")
filter[packageManagers][]string[]Filter by specific package managers
filter[cwes][]string[]Filter by specific CWE identifiers
filter[projectLabels][]string[]Filter by specific project labels
filter[identification][]enum[]Filter by license identification (when category is "licensing")
filter[severity][]enum[]Filter by vuln severity (when category is "vulnerability")
filter[severitySource][]enum[]Filter by severity source (when category is "vulnerability"). Use 'standard' to filter by CVSS score, 'custom' to filter by custom risk score. When both are provided, issues matching either source are returned. Defaults to 'standard' when not provided. Custom risk score filtering is not available for global scope.
filter[foundBefore]string <date-time>Include only issues found on before a given ISO timestamp. Only available to premium users
filter[foundAfter]string <date-time>Include only issues found on after a given ISO timestamp. Only available to premium users
filter[hasFix][]enum[]Filter by vuln fixability (when category is "vulnerability")
filter[upgradeDistance][]enum[]Filter by vuln upgrade distance (when category is "vulnerability")
filter[exploitMaturity][]enum[]Filter by vuln exploit maturity (when category is "vulnerability")
filter[ignoreReason][]enum[]Filter by vuln ignore reason (when category is "vulnerability") This value appears in the vulnerabilities.analysis.detail field in CycloneDX SBOM reports
filter[epss]objectFilter by epss 'score' or 'percentile'. All fields are required. Only available to premium users.
filter[confidence][]enum[]Filter issues by their binary dependency confidence level(s)
filter[issueSource][]enum[]Filter by issue source. Use 'dependency' and 'snippet' to filter by whether the issue comes from a dependency or a code snippet. When the vendored dependency detection feature is enabled, use 'managed-dependency' and 'vendored-dependency' to filter dependency issues by whether the dependency is managed or vendored.
filter[cvssAttackVector][]enum[]Filter by CVSS attack vector (when category is "vulnerability")
filter[cvssAttackComplexity][]enum[]Filter by CVSS attack complexity (when category is "vulnerability"). For CVSS v4, this includes the Attack Requirements (AT) metric.
filter[cvssPrivilegesRequired][]enum[]Filter by CVSS privileges required (when category is "vulnerability")
sortenumSort by package name, when the issue was created, or severity (when category is "vulnerability")
package_ascpackage_desccreated_at_asccreated_at_descseverity_ascseverity_descepss_ascepss_descpageintegerThe specific page of data to return
countintegerThe number of items to return in each page of results
teamIdstring | string[] | enumFilter issues by one or more team IDs. Accepts a single team ID, an array of team IDs, or the literal string `"null"` to scope to unassigned projects. Requires the `View` permission on each requested team; otherwise the request is rejected with a `403`. Ignored for organizations on the free tier.
emailbooleanOnly applies when `csv=true`. When provided, the CSV report is generated as a background task and emailed to the requesting user once ready; the response is then a `201` with the task metadata. When omitted, the CSV is streamed directly in the response.
Responses
200Vulnerability, licensing, or quality issues response. When `csv=true` (without `email`), the CSV report is streamed as an attachment with content type `text/csv`.
issuesobject[]201Returned when `csv=true` and `email=true`. The CSV report is generated as a background task and emailed to the requesting user once ready; the response body is the queued task's metadata.
idintegerUnique identifier for the task
taskstringName of the task being run
jobTokenstringToken used to poll for the task's status and result
statusenumCurrent status of the task
CREATEDASSIGNEDRUNNINGSUCCEEDEDFAILEDattempt_numberintegerNumber of times the task has been attempted
maxRetriesinteger | nullMaximum number of retries permitted for the task
startedstring | null <date-time>When the task started running, or null if it has not started
finishedstring | null <date-time>When the task finished, or null if it has not finished
scheduledStartTimestring | null <date-time>When the task is scheduled to start, or null
podstring | nullIdentifier of the pod running the task, or null
contextobjectTask-specific context payload
createdAtstring <date-time>When the task record was created
updatedAtstring <date-time>When the task record was last updated
202Empty results with a message indicating the scoped project's build statusmessagestringissuesobject[]400Bad RequestuuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
403ForbiddenuuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
406Not AcceptableuuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
500Server ErroruuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
Try this endpoint
Build a request and run it against app.fossa.com.
Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.
GET https://app.fossa.com/api/v2/issuescurl --request GET \ --url 'https://app.fossa.com/api/v2/issues' \ --header 'accept: application/json' \ --header 'authorization: Bearer YOUR_API_TOKEN'Real request. Mutating methods can change data.
Query params
csvbooleanRetrieves issues as a CSV
includeDirectDependencyOriginPathsbooleanInclude origin paths for the direct dependency responsible for including the revision(s) affected by this issue
categoryenumrequiredIssue category
statusenumIssue status
scope[type]enumrequiredScope of issues to view / update
scope[id]stringProject or release group ID (required when scope[type] is "project" or "releaseGroup")
scope[revision]stringRevision ID (when scope[type] is "project")
scope[revisionScanId]integerRevision scan ID (when scope[type] is "project")
scope[release]stringRelease group ID (when scope[type] is "releaseGroup")
scope[releaseScanId]stringRelease scan ID (when scope[type] is "releaseGroup")
scope[compareTo][revision]stringThe revision ID to compare issues with. Only available for Project Scope.
scope[compareTo][changeStatus]enumThe status of issues to fetch when comparing issues. - New issues are present in the current revision but not in the comparison revision. - Remediated issues are present in the comparison revision but not in the current revision. - Unchanged issues are present in both revisions. Only available for Project Scope.
ids[]arrayFilter by specific issue IDs
filter[revisionIds][]arrayFilter by specific revision IDs
filter[search]stringFilter by package name or CVE (when category is "vulnerability")
filter[depths][]arrayFilter by issue depth
filter[ticketed][]arrayFilter by ticketed status. Only available to premium users.
filter[containerLayers][]arrayFilter by container layer
filter[type][]stringFilter by licensing issue type (when category is "licensing") or quality issue type (when category is "quality")
filter[packageManagers][]arrayFilter by specific package managers
filter[cwes][]arrayFilter by specific CWE identifiers
filter[projectLabels][]arrayFilter by specific project labels
filter[identification][]arrayFilter by license identification (when category is "licensing")
filter[severity][]arrayFilter by vuln severity (when category is "vulnerability")
filter[severitySource][]arrayFilter by severity source (when category is "vulnerability"). Use 'standard' to filter by CVSS score, 'custom' to filter by custom risk score. When both are provided, issues matching either source are returned. Defaults to 'standard' when not provided. Custom risk score filtering is not available for global scope.
filter[foundBefore]stringInclude only issues found on before a given ISO timestamp. Only available to premium users
filter[foundAfter]stringInclude only issues found on after a given ISO timestamp. Only available to premium users
filter[hasFix][]arrayFilter by vuln fixability (when category is "vulnerability")
filter[upgradeDistance][]arrayFilter by vuln upgrade distance (when category is "vulnerability")
filter[exploitMaturity][]arrayFilter by vuln exploit maturity (when category is "vulnerability")
filter[ignoreReason][]arrayFilter by vuln ignore reason (when category is "vulnerability") This value appears in the vulnerabilities.analysis.detail field in CycloneDX SBOM reports
filter[epss]objectFilter by epss 'score' or 'percentile'. All fields are required. Only available to premium users.
filter[confidence][]arrayFilter issues by their binary dependency confidence level(s)
filter[issueSource][]stringFilter by issue source. Use 'dependency' and 'snippet' to filter by whether the issue comes from a dependency or a code snippet. When the vendored dependency detection feature is enabled, use 'managed-dependency' and 'vendored-dependency' to filter dependency issues by whether the dependency is managed or vendored.
filter[cvssAttackVector][]arrayFilter by CVSS attack vector (when category is "vulnerability")
filter[cvssAttackComplexity][]arrayFilter by CVSS attack complexity (when category is "vulnerability"). For CVSS v4, this includes the Attack Requirements (AT) metric.
filter[cvssPrivilegesRequired][]arrayFilter by CVSS privileges required (when category is "vulnerability")
sortenumSort by package name, when the issue was created, or severity (when category is "vulnerability")
pageintegerThe specific page of data to return
countintegerThe number of items to return in each page of results
teamIdstringFilter issues by one or more team IDs. Accepts a single team ID, an array of team IDs, or the literal string `"null"` to scope to unassigned projects. Requires the `View` permission on each requested team; otherwise the request is rejected with a `403`. Ignored for organizations on the free tier.
emailbooleanOnly applies when `csv=true`. When provided, the CSV report is generated as a background task and emailed to the requesting user once ready; the response is then a `201` with the task metadata. When omitted, the CSV is streamed directly in the response.