FOSSA Vulnerability Snapshot Downloads

FOSSA exports our vulnerabilities as a downloadable JSON object. This document describes how to access the feature.

API Keys

You will need a vulnerability Service API token ID and Secret. You can find details on how to receive them on this page.

Requesting Vulnerability Snapshot

Make a request to FOSSA's servers. The response contains a pre-signed AWS S3 URL from which you can download a copy of the data.


Method: GET

Headers: Authorization: token <tokenId>:<tokenSecret>


On success: { url: string }

  • Make a GET request to the provided URL to download the vuln snapshot JSON. The file is a gzipped tarball.

On failure:

  • You will receive an error description giving the reason for the failure. If you are unable to resolve the issue on your own, please contact [email protected] and provide the error UUID.
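The two-step download described above, as an added Python example (not FOSSA's own code), with the tarball read in memory rather than extracted to disk and the result checked against the schema given further down this page. The endpoint is passed in as `api_url` because this page does not show it. The one-file-per-tarball layout, the size cap, and the requirement that `fetcher` and `package` be strings are assumptions.

```python
import io
import json
import tarfile
import urllib.request

MAX_BYTES = 1 << 30  # assumed cap on the JSON member size; tune to your environment


def parse_snapshot(blob: bytes, max_bytes: int = MAX_BYTES) -> list:
    """Read the gzipped tarball in memory and return the array of vuln objects."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        # Never extractall() a downloaded archive: read regular files in memory only.
        members = [m for m in tar if m.isfile()]
        if len(members) != 1:  # assumption: the tarball holds one JSON file
            raise ValueError(f"expected 1 file in tarball, found {len(members)}")
        if members[0].size > max_bytes:
            raise ValueError("snapshot member exceeds size cap")
        data = json.load(tar.extractfile(members[0]))
    if not isinstance(data, list):
        raise ValueError("snapshot is not a JSON array")
    for i, entry in enumerate(data):
        # Assumption: fetcher and package are always strings (not documented as nullable).
        if not isinstance(entry, dict) or not all(
                isinstance(entry.get(k), str) for k in ("fetcher", "package")):
            raise ValueError(f"entry {i} is not a valid vuln object")
    return data


def download_snapshot(api_url: str, token_id: str, token_secret: str) -> list:
    """api_url is the FOSSA snapshot endpoint, which this page does not show."""
    req = urllib.request.Request(
        api_url, headers={"Authorization": f"token {token_id}:{token_secret}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        url = json.load(resp)["url"]
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    # The second request is built without the Authorization header: the token goes to FOSSA only.
    with urllib.request.urlopen(url, timeout=300) as resp:
        return parse_snapshot(resp.read())


def constructed_tarball(files: dict) -> bytes:
    """Build a sample gzipped tarball (constructed test data, not FOSSA output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```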

IP Space Whitelisting

For proper functionality on premise, if there is a firewall, the following IP spaces should be whitelisted (follow the links for more information on whitelisting these addresses).

Frequency of Vulnerability Snapshot Updates

The Vulnerability Snapshot is updated daily.

Vulnerability Snapshot Schema

The returned JSON will be an array of shallow JSON objects. This schema describes a single JSON object within that array.

type SingleVulnSnapshotSchema = {
  // The package type of the affected package (e.g. mvn (maven), deb (debian), npm (npm/node), etc.)
  fetcher: string;

  // Name of the affected package
  package: string;

  // CVE related to this vuln, or null if vuln doesn't have CVE
  cve: string;

  // CWEs related to this vuln, or null if we don't have enough information.
  cwes: string;

  // CVSS V2 Enum Vector
  cvssV2Vector: string;

  // CVSS V3 Enum Vector
  cvssV3Vector: string;

  // FOSSA computed severity vector, or null if we don't have enough information.
  cvss: string;

  affectedVersionRanges: string;

  // A long-form explanation of the vuln, or null if we don't have enough information.
  description: string;

  // Important dates related to this vulnerability. (datetime as string)
  published: string;

  // Links to external references (disclosures, blog posts, teardowns, writeups, post-mortems, etc.).
  references: string;

  // When FOSSA first created the vuln entry. (datetime as string)
  createdAt: string;

  // When FOSSA last updated the vuln entry. (datetime as string)
  updatedAt: string;