Create Revision Attribution Public Report V2
https://app.fossa.com/api/v2/revisions/{locator}/attribution/publicCreate a public attribution report link for a revision (V2). Queues a background job to generate the report and upload it to S3, and returns the pending `Report` record together with the queued `task`. **Requires a Premium subscription** and project view + report-link permissions. **Note:** Not all report options are valid for every report format. Use your project's Reports UI to see which options apply to a given format.
Path parameters
locatorstringrequiredThe URL-encoded locator of the revision
Query parameters
formatenumThe format of the report
HTMLMDPDFCSVTXTSPDXSPDX_JSONCYCLONEDX_JSONCYCLONEDX_XMLemailsstringA single email address used as the report recipient and, for SPDX-style reports, the author identifier. Despite the plural name, this accepts exactly one address — not a list.
includeDeepDependenciesbooleanWhether to include deep dependencies (default is false)
includeDirectDependenciesbooleanWhether to include direct dependencies (default is false)
includeLicenseListbooleanWhether to include the license list (default is false)
includeLicenseScanbooleanWhether to include the first-party license scan (default is false)
includeProjectLicensebooleanWhether to include the project's declared license (default is false)
includeCopyrightListbooleanWhether to include the copyright list (default is false)
includeFileMatchesbooleanWhether to include license file matches (default is false)
includeOpenVulnerabilitiesbooleanWhether to include open vulnerabilities (default is false)
includeClosedVulnerabilitiesbooleanWhether to include closed vulnerabilities (default is false)
includeDependencySummarybooleanWhether to include the dependency summary (default is false)
includeLicenseHeadersbooleanWhether to include license headers (default is false)
includePackageLabelsbooleanWhether to include the package labels assigned to each dependency (default is false)
excludeFieldsobjectObject controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.
Responses
202The created public report record and the queued generation taskreportobjectThe created public report record
idintegerThe report ID
uuidstringThe public UUID used in the report's URL
urlstringThe eventual S3 URL of the generated report
publicbooleanWhether the report is publicly accessible
organizationIdintegerprojectIdstringrevisionIdstringtaskobjectMetadata describing a background task that has been queued for processing.
idintegerUnique identifier for the task
taskstringName of the task being run
jobTokenstringToken used to poll for the task's status and result
statusenumCurrent status of the task
CREATEDASSIGNEDRUNNINGSUCCEEDEDFAILEDattempt_numberintegerNumber of times the task has been attempted
maxRetriesinteger | nullMaximum number of retries permitted for the task
startedstring | null <date-time>When the task started running, or null if it has not started
finishedstring | null <date-time>When the task finished, or null if it has not finished
scheduledStartTimestring | null <date-time>When the task is scheduled to start, or null
podstring | nullIdentifier of the pod running the task, or null
contextobjectTask-specific context payload
createdAtstring <date-time>When the task record was created
updatedAtstring <date-time>When the task record was last updated
400BadRequestuuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
401UnauthorizeduuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
403Forbidden — requires a premium subscription.uuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
404NotFounduuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
500Server ErroruuidstringUnique identifier associated with the error
codeintegerfossa specific error code
messagestringmessage associated with this error
namestringname of the error
httpStatusCodeintegerhttp status code number
Try this endpoint
Build a request and run it against app.fossa.com.
Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.
POST https://app.fossa.com/api/v2/revisions/%7Blocator%7D/attribution/publiccurl --request POST \ --url 'https://app.fossa.com/api/v2/revisions/%7Blocator%7D/attribution/public' \ --header 'accept: application/json' \ --header 'authorization: Bearer YOUR_API_TOKEN'Real request. Mutating methods can change data.
Path params
locatorstringrequiredThe URL-encoded locator of the revision
Query params
formatenumThe format of the report
emailsstringA single email address used as the report recipient and, for SPDX-style reports, the author identifier. Despite the plural name, this accepts exactly one address — not a list.
includeDeepDependenciesbooleanWhether to include deep dependencies (default is false)
includeDirectDependenciesbooleanWhether to include direct dependencies (default is false)
includeLicenseListbooleanWhether to include the license list (default is false)
includeLicenseScanbooleanWhether to include the first-party license scan (default is false)
includeProjectLicensebooleanWhether to include the project's declared license (default is false)
includeCopyrightListbooleanWhether to include the copyright list (default is false)
includeFileMatchesbooleanWhether to include license file matches (default is false)
includeOpenVulnerabilitiesbooleanWhether to include open vulnerabilities (default is false)
includeClosedVulnerabilitiesbooleanWhether to include closed vulnerabilities (default is false)
includeDependencySummarybooleanWhether to include the dependency summary (default is false)
includeLicenseHeadersbooleanWhether to include license headers (default is false)
includePackageLabelsbooleanWhether to include the package labels assigned to each dependency (default is false)
excludeFieldsobjectObject controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.