Downloading attribution reports

This guide shows how to see FOSSA's endpoints to download FOSSA reports to your machine.


  • Must have at least one project locator. You can get the list of projects by running this endpoint.

How to do it

In this example, we have a project called potential-spoon and we want to generate a report in plain text format.

The fields that we want in this report are the following:

Customize Report Information

  • Dependencies Summary
  • Direct Dependencies
  • Transitive Dependencies
  • Full License List

Dependency Metadata Information

Click on "Edit Dependency Info" to see the options.

  • Package
  • Authors
  • Dependency Paths

Calling the endpoints

Set the dependency metadata information

To download the report with all of the fields that you need, we first need to set the dependency metadata information via the following endpoint: PUT<project-locator> where the bom_column_settings[]=<attribute> is the body.

For example, here's how to call this endpoint:

curl --location --request PUT '<project-locator>' \
--header 'Authorization: Bearer <fossa-full-access-token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'bom_column_settings[]=Authors' \
--data-urlencode 'bom_column_settings[]=Library' \
--data-urlencode 'bom_column_settings[]=DependencyPaths'

After running this you should see get s 200 OK along with a JSON response.

Download the actual report in plain text

The next thing to do is to run the following endpoint:

where the following query include parameters can be set to true. format will be TXT in this example and download is required to be set to true:

  • format=TXT
  • download=true
  • includeProjectLicense=
  • includeLicenseScan=
  • includeDependencySummary=
  • includeDirectDependencies=
  • includeDeepDependencies=
  • includeLicenseList=
  • includeVulnerabilities=
  • includeLicenseHeaders=

For example, here's how to call this endpoint:

curl --location --request GET '' \
--header 'Authorization: Bearer <fossa-full-access-token>'

The output should be the report in plain text, which you can pipe to a plain text file.

Other formats that you can use are the following:

  • SPDX
  • CSV
  • MD
  • HTML
  • PDF (this is not an available option, but if chosen in the UI, the report will be emailed to you).