Get Issues

gethttps://app.fossa.com/api/v2/issues

Retrieve multiple issues

Query parameters

csvboolean

Retrieves issues as a CSV

includeDirectDependencyOriginPathsboolean

Include origin paths for the direct dependency responsible for including the revision(s) affected by this issue

categoryenumrequired

Issue category

licensingvulnerabilityquality
statusenum

Issue status

activeignored
scope[type]enumrequired

Scope of issues to view / update

globalprojectreleaseGroup
scope[id]string

Project or release group ID (required when scope[type] is "project" or "releaseGroup")

scope[revision]string

Revision ID (when scope[type] is "project")

scope[revisionScanId]integer <int32>

Revision scan ID (when scope[type] is "project")

scope[release]string

Release group ID (when scope[type] is "releaseGroup")

scope[releaseScanId]string

Release scan ID (when scope[type] is "releaseGroup")

scope[compareTo][revision]string

The revision ID to compare issues with. Only available for Project Scope.

scope[compareTo][changeStatus]enum

The status of issues to fetch when comparing issues. - New issues are present in the current revision but not in the comparison revision. - Remediated issues are present in the comparison revision but not in the current revision. - Unchanged issues are present in both revisions. Only available for Project Scope.

newremediatedunchanged
ids[]integer[]

Filter by specific issue IDs

filter[revisionIds][]string[]

Filter by specific revision IDs

filter[search]string

Filter by package name or CVE (when category is "vulnerability")

filter[depths][]enum[]

Filter by issue depth

filter[ticketed][]enum[]

Filter by ticketed status. Only available to premium users.

filter[containerLayers][]enum[]

Filter by container layer

filter[type][]enum[]

Filter by licensing issue type (when category is "licensing") or quality issue type (when category is "quality")

filter[packageManagers][]string[]

Filter by specific package managers

filter[cwes][]string[]

Filter by specific CWE identifiers

filter[projectLabels][]string[]

Filter by specific project labels

filter[identification][]enum[]

Filter by license identification (when category is "licensing")

filter[severity][]enum[]

Filter by vuln severity (when category is "vulnerability")

filter[severitySource][]enum[]

Filter by severity source (when category is "vulnerability"). Use 'standard' to filter by CVSS score, 'custom' to filter by custom risk score. When both are provided, issues matching either source are returned. Defaults to 'standard' when not provided. Custom risk score filtering is not available for global scope.

filter[foundBefore]string <date-time>

Include only issues found on before a given ISO timestamp. Only available to premium users

filter[foundAfter]string <date-time>

Include only issues found on after a given ISO timestamp. Only available to premium users

filter[hasFix][]enum[]

Filter by vuln fixability (when category is "vulnerability")

filter[upgradeDistance][]enum[]

Filter by vuln upgrade distance (when category is "vulnerability")

filter[exploitMaturity][]enum[]

Filter by vuln exploit maturity (when category is "vulnerability")

filter[ignoreReason][]enum[]

Filter by vuln ignore reason (when category is "vulnerability") This value appears in the vulnerabilities.analysis.detail field in CycloneDX SBOM reports

filter[epss]object

Filter by epss 'score' or 'percentile'. All fields are required. Only available to premium users.

filter[confidence][]enum[]

Filter issues by their binary dependency confidence level(s)

filter[issueSource][]enum[]

Filter by issue source. Use 'dependency' and 'snippet' to filter by whether the issue comes from a dependency or a code snippet. When the vendored dependency detection feature is enabled, use 'managed-dependency' and 'vendored-dependency' to filter dependency issues by whether the dependency is managed or vendored.

filter[cvssAttackVector][]enum[]

Filter by CVSS attack vector (when category is "vulnerability")

filter[cvssAttackComplexity][]enum[]

Filter by CVSS attack complexity (when category is "vulnerability"). For CVSS v4, this includes the Attack Requirements (AT) metric.

filter[cvssPrivilegesRequired][]enum[]

Filter by CVSS privileges required (when category is "vulnerability")

sortenum

Sort by package name, when the issue was created, or severity (when category is "vulnerability")

package_ascpackage_desccreated_at_asccreated_at_descseverity_ascseverity_descepss_ascepss_desc
pageinteger

The specific page of data to return

countinteger

The number of items to return in each page of results

teamIdstring | string[] | enum

Filter issues by one or more team IDs. Accepts a single team ID, an array of team IDs, or the literal string `"null"` to scope to unassigned projects. Requires the `View` permission on each requested team; otherwise the request is rejected with a `403`. Ignored for organizations on the free tier.

emailboolean

Only applies when `csv=true`. When provided, the CSV report is generated as a background task and emailed to the requesting user once ready; the response is then a `201` with the task metadata. When omitted, the CSV is streamed directly in the response.

Responses

200Vulnerability, licensing, or quality issues response. When `csv=true` (without `email`), the CSV report is streamed as an attachment with content type `text/csv`.
issuesobject[]
201Returned when `csv=true` and `email=true`. The CSV report is generated as a background task and emailed to the requesting user once ready; the response body is the queued task's metadata.
idinteger

Unique identifier for the task

taskstring

Name of the task being run

jobTokenstring

Token used to poll for the task's status and result

statusenum

Current status of the task

CREATEDASSIGNEDRUNNINGSUCCEEDEDFAILED
attempt_numberinteger

Number of times the task has been attempted

maxRetriesinteger | null

Maximum number of retries permitted for the task

startedstring | null <date-time>

When the task started running, or null if it has not started

finishedstring | null <date-time>

When the task finished, or null if it has not finished

scheduledStartTimestring | null <date-time>

When the task is scheduled to start, or null

podstring | null

Identifier of the pod running the task, or null

contextobject

Task-specific context payload

createdAtstring <date-time>

When the task record was created

updatedAtstring <date-time>

When the task record was last updated

202Empty results with a message indicating the scoped project's build status
messagestring
issuesobject[]
400Bad Request
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

403Forbidden
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

406Not Acceptable
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

500Server Error
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

Try this endpoint

Build a request and run it against app.fossa.com.

Bearer

Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.

GET https://app.fossa.com/api/v2/issues
curl --request GET \  --url 'https://app.fossa.com/api/v2/issues' \  --header 'accept: application/json' \  --header 'authorization: Bearer YOUR_API_TOKEN'

Real request. Mutating methods can change data.

Click Try It to run a request and see the response here.
Enter a Bearer token before running this request.

Query params

csvboolean

Retrieves issues as a CSV

includeDirectDependencyOriginPathsboolean

Include origin paths for the direct dependency responsible for including the revision(s) affected by this issue

categoryenumrequired

Issue category

statusenum

Issue status

scope[type]enumrequired

Scope of issues to view / update

scope[id]string

Project or release group ID (required when scope[type] is "project" or "releaseGroup")

scope[revision]string

Revision ID (when scope[type] is "project")

scope[revisionScanId]integer

Revision scan ID (when scope[type] is "project")

scope[release]string

Release group ID (when scope[type] is "releaseGroup")

scope[releaseScanId]string

Release scan ID (when scope[type] is "releaseGroup")

scope[compareTo][revision]string

The revision ID to compare issues with. Only available for Project Scope.

scope[compareTo][changeStatus]enum

The status of issues to fetch when comparing issues. - New issues are present in the current revision but not in the comparison revision. - Remediated issues are present in the comparison revision but not in the current revision. - Unchanged issues are present in both revisions. Only available for Project Scope.

ids[]array

Filter by specific issue IDs

filter[revisionIds][]array

Filter by specific revision IDs

filter[search]string

Filter by package name or CVE (when category is "vulnerability")

filter[depths][]array

Filter by issue depth

filter[ticketed][]array

Filter by ticketed status. Only available to premium users.

filter[containerLayers][]array

Filter by container layer

filter[type][]string

Filter by licensing issue type (when category is "licensing") or quality issue type (when category is "quality")

filter[packageManagers][]array

Filter by specific package managers

filter[cwes][]array

Filter by specific CWE identifiers

filter[projectLabels][]array

Filter by specific project labels

filter[identification][]array

Filter by license identification (when category is "licensing")

filter[severity][]array

Filter by vuln severity (when category is "vulnerability")

filter[severitySource][]array

Filter by severity source (when category is "vulnerability"). Use 'standard' to filter by CVSS score, 'custom' to filter by custom risk score. When both are provided, issues matching either source are returned. Defaults to 'standard' when not provided. Custom risk score filtering is not available for global scope.

filter[foundBefore]string

Include only issues found on before a given ISO timestamp. Only available to premium users

filter[foundAfter]string

Include only issues found on after a given ISO timestamp. Only available to premium users

filter[hasFix][]array

Filter by vuln fixability (when category is "vulnerability")

filter[upgradeDistance][]array

Filter by vuln upgrade distance (when category is "vulnerability")

filter[exploitMaturity][]array

Filter by vuln exploit maturity (when category is "vulnerability")

filter[ignoreReason][]array

Filter by vuln ignore reason (when category is "vulnerability") This value appears in the vulnerabilities.analysis.detail field in CycloneDX SBOM reports

filter[epss]object

Filter by epss 'score' or 'percentile'. All fields are required. Only available to premium users.

filter[confidence][]array

Filter issues by their binary dependency confidence level(s)

filter[issueSource][]string

Filter by issue source. Use 'dependency' and 'snippet' to filter by whether the issue comes from a dependency or a code snippet. When the vendored dependency detection feature is enabled, use 'managed-dependency' and 'vendored-dependency' to filter dependency issues by whether the dependency is managed or vendored.

filter[cvssAttackVector][]array

Filter by CVSS attack vector (when category is "vulnerability")

filter[cvssAttackComplexity][]array

Filter by CVSS attack complexity (when category is "vulnerability"). For CVSS v4, this includes the Attack Requirements (AT) metric.

filter[cvssPrivilegesRequired][]array

Filter by CVSS privileges required (when category is "vulnerability")

sortenum

Sort by package name, when the issue was created, or severity (when category is "vulnerability")

pageinteger

The specific page of data to return

countinteger

The number of items to return in each page of results

teamIdstring

Filter issues by one or more team IDs. Accepts a single team ID, an array of team IDs, or the literal string `"null"` to scope to unassigned projects. Requires the `View` permission on each requested team; otherwise the request is rejected with a `403`. Ignored for organizations on the free tier.

emailboolean

Only applies when `csv=true`. When provided, the CSV report is generated as a background task and emailed to the requesting user once ready; the response is then a `201` with the task metadata. When omitted, the CSV is streamed directly in the response.