Queue Release Group Attribution Report V2
https://app.fossa.com/api/v2/project_group/{groupId}/release/{releaseId}/attribution/{format}Generate a release group release's attribution report (V2). Behavior depends on the query parameters: - When `preview` or `download` is set, the report is generated synchronously and streamed back. - Otherwise the report is queued as a background job and the response contains the `taskId` to poll for completion (used for publishing and emailing). **Note:** Not all report options are valid for every report format. Use your release group's Reports UI to see which options apply to a given format.
Path parameters
groupIdintegerrequiredThe ID of the release group
releaseIdintegerrequiredThe ID of the release within the release group
formatenumrequiredThe format of the report
HTMLMDPDFCSVTXTSPDXSPDX_JSONCYCLONEDX_JSONCYCLONEDX_XMLQuery parameters
previewbooleanWhether to preview the report inline rather than generate a downloadable file (default is false)
downloadbooleanWhether to stream the report back directly for download (default is false)
isPublishingbooleanWhether to publish the report to the SBOM portal. Requires portal-manage permission and an enabled SBOM portal.
projectGroupTitlestringOverride for the release group title shown in the report.
projectGroupReleaseTitlestringOverride for the release title shown in the report.
projectGroupUrlstring <uri>URL to embed in the release group report metadata.
dependencyInfoOptions[]enum[]Per-dependency columns/fields to include in the report.
includeDeepDependenciesbooleanWhether to include deep dependencies (default is false)
includeDirectDependenciesbooleanWhether to include direct dependencies (default is false)
includeFOSSADependenciesbooleanWhether to include FOSSA-managed dependencies (default is false)
includeLicenseListbooleanWhether to include the license list (default is false)
includeLicenseScanbooleanWhether to include the first-party license scan (default is false)
includeProjectLicensebooleanWhether to include the project's declared license (default is false)
includeCopyrightListbooleanWhether to include the copyright list (default is false)
includeFileMatchesbooleanWhether to include license file matches (default is false)
includeOpenVulnerabilitiesbooleanWhether to include open vulnerabilities (default is false)
includeClosedVulnerabilitiesbooleanWhether to include closed vulnerabilities (default is false)
includeDependencySummarybooleanWhether to include the dependency summary (default is false)
includeLicenseHeadersbooleanWhether to include license headers (default is false)
includePackageLabelsbooleanWhether to include the package labels assigned to each dependency (default is false)
excludeFieldsobjectObject controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.
Responses
200Either the streamed report (when `preview`/`download` is set) or, for a queued job,
the task identifier to poll for completion.
taskIdstringrequiredThe job token of the queued report-generation task
400BadRequestuuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
401UnauthorizeduuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
403Forbidden — missing publish permission, or the SBOM portal is not enabled.uuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
404NotFounduuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
500Server ErroruuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
Try this endpoint
Build a request and run it against app.fossa.com.
Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.
GET https://app.fossa.com/api/v2/project_group/1/release/1/attribution/HTMLcurl --request GET \ --url 'https://app.fossa.com/api/v2/project_group/1/release/1/attribution/HTML' \ --header 'accept: application/json' \ --header 'authorization: Bearer YOUR_API_TOKEN'Real request. Mutating methods can change data.
Path params
groupIdintegerrequiredThe ID of the release group
releaseIdintegerrequiredThe ID of the release within the release group
formatenumrequiredThe format of the report
Query params
previewbooleanWhether to preview the report inline rather than generate a downloadable file (default is false)
downloadbooleanWhether to stream the report back directly for download (default is false)
isPublishingbooleanWhether to publish the report to the SBOM portal. Requires portal-manage permission and an enabled SBOM portal.
projectGroupTitlestringOverride for the release group title shown in the report.
projectGroupReleaseTitlestringOverride for the release title shown in the report.
projectGroupUrlstringURL to embed in the release group report metadata.
dependencyInfoOptions[]arrayPer-dependency columns/fields to include in the report.
includeDeepDependenciesbooleanWhether to include deep dependencies (default is false)
includeDirectDependenciesbooleanWhether to include direct dependencies (default is false)
includeFOSSADependenciesbooleanWhether to include FOSSA-managed dependencies (default is false)
includeLicenseListbooleanWhether to include the license list (default is false)
includeLicenseScanbooleanWhether to include the first-party license scan (default is false)
includeProjectLicensebooleanWhether to include the project's declared license (default is false)
includeCopyrightListbooleanWhether to include the copyright list (default is false)
includeFileMatchesbooleanWhether to include license file matches (default is false)
includeOpenVulnerabilitiesbooleanWhether to include open vulnerabilities (default is false)
includeClosedVulnerabilitiesbooleanWhether to include closed vulnerabilities (default is false)
includeDependencySummarybooleanWhether to include the dependency summary (default is false)
includeLicenseHeadersbooleanWhether to include license headers (default is false)
includePackageLabelsbooleanWhether to include the package labels assigned to each dependency (default is false)
excludeFieldsobjectObject controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.