Create Revision Attribution Public Report V2

posthttps://app.fossa.com/api/v2/revisions/{locator}/attribution/public

Create a public attribution report link for a revision (V2). Queues a background job to generate the report and upload it to S3, and returns the pending `Report` record together with the queued `task`. **Requires a Premium subscription** and project view + report-link permissions. **Note:** Not all report options are valid for every report format. Use your project's Reports UI to see which options apply to a given format.

Path parameters

locatorstringrequired

The URL-encoded locator of the revision

Query parameters

formatenum

The format of the report

HTMLMDPDFCSVTXTSPDXSPDX_JSONCYCLONEDX_JSONCYCLONEDX_XML
emailsstring

A single email address used as the report recipient and, for SPDX-style reports, the author identifier. Despite the plural name, this accepts exactly one address — not a list.

includeDeepDependenciesboolean

Whether to include deep dependencies (default is false)

includeDirectDependenciesboolean

Whether to include direct dependencies (default is false)

includeLicenseListboolean

Whether to include the license list (default is false)

includeLicenseScanboolean

Whether to include the first-party license scan (default is false)

includeProjectLicenseboolean

Whether to include the project's declared license (default is false)

includeCopyrightListboolean

Whether to include the copyright list (default is false)

includeFileMatchesboolean

Whether to include license file matches (default is false)

includeOpenVulnerabilitiesboolean

Whether to include open vulnerabilities (default is false)

includeClosedVulnerabilitiesboolean

Whether to include closed vulnerabilities (default is false)

includeDependencySummaryboolean

Whether to include the dependency summary (default is false)

includeLicenseHeadersboolean

Whether to include license headers (default is false)

includePackageLabelsboolean

Whether to include the package labels assigned to each dependency (default is false)

excludeFieldsobject

Object controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.

Responses

202The created public report record and the queued generation task
reportobject

The created public report record

idinteger

The report ID

uuidstring

The public UUID used in the report's URL

urlstring

The eventual S3 URL of the generated report

publicboolean

Whether the report is publicly accessible

organizationIdinteger
projectIdstring
revisionIdstring
taskobject

Metadata describing a background task that has been queued for processing.

idinteger

Unique identifier for the task

taskstring

Name of the task being run

jobTokenstring

Token used to poll for the task's status and result

statusenum

Current status of the task

CREATEDASSIGNEDRUNNINGSUCCEEDEDFAILED
attempt_numberinteger

Number of times the task has been attempted

maxRetriesinteger | null

Maximum number of retries permitted for the task

startedstring | null <date-time>

When the task started running, or null if it has not started

finishedstring | null <date-time>

When the task finished, or null if it has not finished

scheduledStartTimestring | null <date-time>

When the task is scheduled to start, or null

podstring | null

Identifier of the pod running the task, or null

contextobject

Task-specific context payload

createdAtstring <date-time>

When the task record was created

updatedAtstring <date-time>

When the task record was last updated

400BadRequest
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

401Unauthorized
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

403Forbidden — requires a premium subscription.
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

404NotFound
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

500Server Error
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

Try this endpoint

Build a request and run it against app.fossa.com.

Bearer

Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.

POST https://app.fossa.com/api/v2/revisions/%7Blocator%7D/attribution/public
curl --request POST \  --url 'https://app.fossa.com/api/v2/revisions/%7Blocator%7D/attribution/public' \  --header 'accept: application/json' \  --header 'authorization: Bearer YOUR_API_TOKEN'

Real request. Mutating methods can change data.

Click Try It to run a request and see the response here.
Enter a Bearer token before running this request.

Path params

locatorstringrequired

The URL-encoded locator of the revision

Query params

formatenum

The format of the report

emailsstring

A single email address used as the report recipient and, for SPDX-style reports, the author identifier. Despite the plural name, this accepts exactly one address — not a list.

includeDeepDependenciesboolean

Whether to include deep dependencies (default is false)

includeDirectDependenciesboolean

Whether to include direct dependencies (default is false)

includeLicenseListboolean

Whether to include the license list (default is false)

includeLicenseScanboolean

Whether to include the first-party license scan (default is false)

includeProjectLicenseboolean

Whether to include the project's declared license (default is false)

includeCopyrightListboolean

Whether to include the copyright list (default is false)

includeFileMatchesboolean

Whether to include license file matches (default is false)

includeOpenVulnerabilitiesboolean

Whether to include open vulnerabilities (default is false)

includeClosedVulnerabilitiesboolean

Whether to include closed vulnerabilities (default is false)

includeDependencySummaryboolean

Whether to include the dependency summary (default is false)

includeLicenseHeadersboolean

Whether to include license headers (default is false)

includePackageLabelsboolean

Whether to include the package labels assigned to each dependency (default is false)

excludeFieldsobject

Object controlling which dependencies are excluded from the report. The only supported nested field is `packageLabels`: a non-empty array of package-label values; dependencies carrying any of these labels are excluded from the report. The server parses the query string with the `qs` library, so the array is sent using bracket-and-index notation rather than standard OpenAPI `deepObject` serialization. For example, to exclude two labels send (before URL-encoding): `excludeFields[packageLabels][0]=internal&excludeFields[packageLabels][1]=vendored`.