FOSSA Vulnerability Snapshot Downloads
FOSSA exports its vulnerability database as a downloadable JSON array. This page describes how to request and consume the snapshot.
API Keys
You will need a Vulnerability Service API token ID and secret. You can find details on how to obtain them on this page.
Requesting Vulnerability Snapshot
You will make a request to FOSSA's servers that returns a pre-signed AWS S3 URL from which you can download a copy of the data. The pre-signed URL is a time-limited bearer credential: anyone who obtains it can download the snapshot until it expires, so do not log it or share it.
Request
Method: GET
Endpoint: vulns.fossa.com/api/vulns/snapshot
Headers: Authorization: token <tokenId>:<tokenSecret>
Response:
On success: { url: string }
- Make a GET request to the provided URL to download the vuln snapshot. The file is a gzipped tarball containing the JSON, so unpack it before parsing. Send this second request without the Authorization header: the pre-signed URL carries its own credentials, and S3 rejects a request that presents a second authentication mechanism. Sending your FOSSA token to S3 would also needlessly expose it.
On failure:
- You will receive an error description describing the reason for the failure. If you are unable to resolve the issue on your own, please contact [email protected] and provide the error UUID.
IP Space Whitelisting
For the feature to work from an on-premises deployment behind a firewall, the following IP spaces should be whitelisted (follow the links for more information on whitelisting these addresses). Note that the snapshot itself is served from a pre-signed AWS S3 URL, so outbound access to that S3 host must be permitted as well.
Frequency of Vulnerability Snapshot Updates
The Vulnerability Snapshot is updated daily.
Vulnerability Snapshot Schema
The returned JSON will be an array of shallow JSON objects. This schema describes a single JSON object within that array.
type SingleVulnSnapshotSchema = {
  // The package type (fetcher) of the affected package, e.g. mvn (Maven), deb (Debian), npm (npm/Node), etc.
  fetcher: string;
  // Name of the affected package.
  package: string;
  // CVE related to this vuln, or null if the vuln has no CVE.
  cve: string | null;
  // CWEs related to this vuln, or null if we don't have enough information.
  cwes: string | null;
  // CVSS v2 vector string.
  cvssV2Vector: string;
  // CVSS v3 vector string.
  cvssV3Vector: string;
  // FOSSA-computed severity vector, or null if we don't have enough information.
  cvss: string | null;
  // Version ranges of the package that are affected by this vuln.
  affectedVersionRanges: string;
  // A long-form explanation of the vuln, or null if we don't have enough information.
  description: string | null;
  // EPSS (Exploit Prediction Scoring System, maintained by FIRST) score: the estimated probability,
  // between 0 and 1, that this vulnerability will be exploited in the wild within the next 30 days.
  // Higher scores mean exploitation is more likely.
  epssSscore: string;
  // EPSS percentile: the proportion of all scored vulnerabilities whose EPSS score is equal to or
  // lower than this one, which puts the raw score in context relative to the whole population.
  epssPercentile: string;
  // Exploit maturity: how accessible exploit code is. A mature exploit has readily available code;
  // a POC exploit relies on documented methods without code samples.
  // Refer to the CISA Known Exploited Vulnerabilities (KEV) catalog, as these are the exploits FOSSA currently has.
  exploitability: string;
  // When the vuln was published. (datetime as string)
  published: string;
  // Links to external references (disclosures, blog posts, teardowns, writeups, post-mortems, etc.).
  references: string;
  // When FOSSA first created the vuln entry. (datetime as string)
  createdAt: string;
  // When FOSSA last updated the vuln entry. (datetime as string)
  updatedAt: string;
};
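The following is an added example client, written for this page and not FOSSA's own code, that walks the whole procedure described above: build the Authorization header, request the pre-signed URL, download the tarball without forwarding the FOSSA token, unpack the JSON array, and then use the schema fields to group records by package and order them for triage by EPSS score. The endpoint, header format and field names come from the page; the tarball layout (a single `.json` member holding the array), the numeric reading of `epssSscore`, and the sample records are assumptions made here. The stand-in transport in the `__main__` block lets it run offline.

```python
import io
import json
import tarfile
import urllib.request
from typing import Callable, Dict, List, Optional

# Endpoint and header format are from the page; the rest of this file is assumed.
SNAPSHOT_ENDPOINT = "https://vulns.fossa.com/api/vulns/snapshot"

HttpGet = Callable[[urllib.request.Request], bytes]


def _http_get(req: urllib.request.Request) -> bytes:
    """Default transport: a real HTTP GET. Tests and offline runs inject a stand-in."""
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def auth_header(token_id: str, token_secret: str) -> Dict[str, str]:
    """Authorization header in the documented form: token <tokenId>:<tokenSecret>."""
    return {"Authorization": f"token {token_id}:{token_secret}"}


def request_snapshot_url(token_id: str, token_secret: str, http_get: HttpGet = _http_get) -> str:
    """Step 1: ask FOSSA for the pre-signed S3 URL; raise on an error body."""
    req = urllib.request.Request(SNAPSHOT_ENDPOINT, headers=auth_header(token_id, token_secret), method="GET")
    body = json.loads(http_get(req))
    if not isinstance(body, dict) or "url" not in body:
        # The error body carries the description and UUID to quote to support; never log the token.
        raise RuntimeError(f"snapshot request failed: {body}")
    return body["url"]


def download_snapshot(url: str, http_get: HttpGet = _http_get) -> bytes:
    """Step 2: fetch the tarball. Deliberately no Authorization header: the pre-signed
    URL is self-authenticating, and forwarding the FOSSA token to S3 would leak it."""
    return http_get(urllib.request.Request(url, method="GET"))


def parse_snapshot(tar_bytes: bytes) -> List[dict]:
    """Step 3: unpack the gzipped tarball and return the JSON array of vuln records.
    Assumption: the archive holds one *.json member whose root is the array."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".json"):
                data = json.load(tar.extractfile(member))
                if not isinstance(data, list):
                    raise ValueError("snapshot root is not a JSON array")
                return data
    raise ValueError("no .json member found in snapshot tarball")


def _as_float(value) -> Optional[float]:
    """EPSS fields are typed as strings and may be null; coerce defensively."""
    if value is None:
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def index_by_package(records: List[dict]) -> Dict[tuple, List[dict]]:
    """Group records by (fetcher, package) so a dependency list can be matched against them."""
    index: Dict[tuple, List[dict]] = {}
    for rec in records:
        index.setdefault((rec["fetcher"], rec["package"]), []).append(rec)
    return index


def prioritize(records: List[dict]) -> List[dict]:
    """Triage order: highest EPSS score first, records without a score last."""
    return sorted(records, key=lambda r: (_as_float(r.get("epssSscore")) is None,
                                          -(_as_float(r.get("epssSscore")) or 0.0)))


# Constructed sample records (not real FOSSA data; the CVE IDs are placeholders).
SAMPLE_RECORDS = [
    {"fetcher": "npm", "package": "example-pkg", "cve": "CVE-0000-0001", "cwes": None,
     "affectedVersionRanges": "<1.2.3", "epssSscore": "0.42", "epssPercentile": "0.97",
     "published": "2024-01-01T00:00:00Z"},
    {"fetcher": "mvn", "package": "org.example:lib", "cve": None, "epssSscore": None},
    {"fetcher": "npm", "package": "example-pkg", "cve": "CVE-0000-0002", "epssSscore": "0.01"},
]


def build_sample_tarball(records: List[dict], member_name: str = "snapshot.json") -> bytes:
    """Build a gzipped tarball shaped like the one the page describes, for offline runs."""
    buf = io.BytesIO()
    payload = json.dumps(records).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Offline run: a stand-in transport answers both requests with constructed data.
    tarball = build_sample_tarball(SAMPLE_RECORDS)

    def fake_http_get(req: urllib.request.Request) -> bytes:
        if req.full_url == SNAPSHOT_ENDPOINT:
            assert req.get_header("Authorization") == "token my-id:my-secret"
            return json.dumps({"url": "https://example.invalid/snapshot.tgz"}).encode()
        assert req.get_header("Authorization") is None  # the token must not reach S3
        return tarball

    url = request_snapshot_url("my-id", "my-secret", http_get=fake_http_get)
    records = parse_snapshot(download_snapshot(url, http_get=fake_http_get))
    for rec in prioritize(records):
        print(rec["fetcher"], rec["package"], rec.get("cve"), rec.get("epssSscore"))
```

Because the snapshot is refreshed daily, a scheduled job that runs these three steps once a day and replaces its local copy is sufficient; keep the token in an environment variable or secret store rather than in the script, and treat the returned pre-signed URL as a secret for as long as it is valid.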