Queue Release Group Attribution Report V2

gethttps://app.fossa.com/api/v2/project_group/{groupId}/release/{releaseId}/attribution/{format}

Generate a release group release's attribution report (V2). Behavior depends on the query parameters: - When `preview` or `download` is set, the report is generated synchronously and streamed back. - Otherwise the report is queued as a background job and the response contains the `taskId` to poll for completion (used for publishing and emailing). **Note:** Not all report options are valid for every report format. Use your release group's Reports UI to see which options apply to a given format.

Path parameters

groupIdintegerrequired

The ID of the release group

releaseIdintegerrequired

The ID of the release within the release group

formatenumrequired

The format of the report

HTMLMDPDFCSVTXTSPDXSPDX_JSONCYCLONEDX_JSONCYCLONEDX_XML

Query parameters

previewboolean

Whether to preview the report inline rather than generate a downloadable file (default is false)

downloadboolean

Whether to stream the report back directly for download (default is false)

isPublishingboolean

Whether to publish the report to the SBOM portal. Requires portal-manage permission and an enabled SBOM portal.

projectGroupTitlestring

Override for the release group title shown in the report.

projectGroupReleaseTitlestring

Override for the release title shown in the report.

projectGroupUrlstring <uri>

URL to embed in the release group report metadata.

dependencyInfoOptions[]enum[]

Per-dependency columns/fields to include in the report.

includeDeepDependenciesboolean

Whether to include deep dependencies (default is false)

includeDirectDependenciesboolean

Whether to include direct dependencies (default is false)

includeFOSSADependenciesboolean

Whether to include FOSSA-managed dependencies (default is false)

includeLicenseListboolean

Whether to include the license list (default is false)

includeLicenseScanboolean

Whether to include the first-party license scan (default is false)

includeProjectLicenseboolean

Whether to include the project's declared license (default is false)

includeCopyrightListboolean

Whether to include the copyright list (default is false)

includeFileMatchesboolean

Whether to include license file matches (default is false)

includeOpenVulnerabilitiesboolean

Whether to include open vulnerabilities (default is false)

includeClosedVulnerabilitiesboolean

Whether to include closed vulnerabilities (default is false)

includeDependencySummaryboolean

Whether to include the dependency summary (default is false)

includeLicenseHeadersboolean

Whether to include license headers (default is false)

includePackageLabelsboolean

Whether to include the package labels assigned to each dependency (default is false)

excludeFieldsobject

Object controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.

Responses

200Either the streamed report (when `preview`/`download` is set) or, for a queued job, the task identifier to poll for completion.
taskIdstringrequired

The job token of the queued report-generation task

400BadRequest
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

401Unauthorized
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

403Forbidden — missing publish permission, or the SBOM portal is not enabled.
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

404NotFound
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

500Server Error
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

Try this endpoint

Build a request and run it against app.fossa.com.

Bearer

Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.

GET https://app.fossa.com/api/v2/project_group/1/release/1/attribution/HTML
curl --request GET \  --url 'https://app.fossa.com/api/v2/project_group/1/release/1/attribution/HTML' \  --header 'accept: application/json' \  --header 'authorization: Bearer YOUR_API_TOKEN'

Real request. Mutating methods can change data.

Click Try It to run a request and see the response here.
Enter a Bearer token before running this request.

Path params

groupIdintegerrequired

The ID of the release group

releaseIdintegerrequired

The ID of the release within the release group

formatenumrequired

The format of the report

Query params

previewboolean

Whether to preview the report inline rather than generate a downloadable file (default is false)

downloadboolean

Whether to stream the report back directly for download (default is false)

isPublishingboolean

Whether to publish the report to the SBOM portal. Requires portal-manage permission and an enabled SBOM portal.

projectGroupTitlestring

Override for the release group title shown in the report.

projectGroupReleaseTitlestring

Override for the release title shown in the report.

projectGroupUrlstring

URL to embed in the release group report metadata.

dependencyInfoOptions[]array

Per-dependency columns/fields to include in the report.

includeDeepDependenciesboolean

Whether to include deep dependencies (default is false)

includeDirectDependenciesboolean

Whether to include direct dependencies (default is false)

includeFOSSADependenciesboolean

Whether to include FOSSA-managed dependencies (default is false)

includeLicenseListboolean

Whether to include the license list (default is false)

includeLicenseScanboolean

Whether to include the first-party license scan (default is false)

includeProjectLicenseboolean

Whether to include the project's declared license (default is false)

includeCopyrightListboolean

Whether to include the copyright list (default is false)

includeFileMatchesboolean

Whether to include license file matches (default is false)

includeOpenVulnerabilitiesboolean

Whether to include open vulnerabilities (default is false)

includeClosedVulnerabilitiesboolean

Whether to include closed vulnerabilities (default is false)

includeDependencySummaryboolean

Whether to include the dependency summary (default is false)

includeLicenseHeadersboolean

Whether to include license headers (default is false)

includePackageLabelsboolean

Whether to include the package labels assigned to each dependency (default is false)

excludeFieldsobject

Object controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.