FOSSA Vulnerability Snapshot Downloads

FOSSA exports its vulnerability data as a downloadable JSON object. This page describes how to access the feature.

API Keys

You will need a Vulnerability Service API token ID and secret. Details on how to obtain them are on this page. Treat the token secret like a password: keep it in a secrets manager or environment variable rather than in scripts, CI logs, or source control.

Requesting Vulnerability Snapshot

You make an authenticated request to FOSSA's servers, which returns a pre-signed AWS S3 URL from which you download a copy of the data. A pre-signed S3 URL is unauthenticated and time-limited: anyone holding it can download the file until it expires, so request it only when you are ready to download, do not write it to logs, and do not send your FOSSA token along with the request to that URL.

Request

Method: GET

Headers: Authorization: token <tokenId>:<tokenSecret>

Endpoint: vulns.fossa.com/api/vulns/snapshot

Response:

On success: { url: string }

  • Make a GET request to the provided URL to download the vulnerability snapshot. The downloaded file is a gzipped tarball (.tar.gz) containing the snapshot JSON.

On failure:

  • You will receive an error description explaining the reason for the failure. If you are unable to resolve the issue on your own, contact [email protected] and include the error UUID from the response.
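The full two-step flow as an added worked example (this is editor-supplied code, not a FOSSA client or anything from the original page). It assumes the documented endpoint is served over HTTPS, that the environment variable names FOSSA_VULN_TOKEN_ID and FOSSA_VULN_TOKEN_SECRET hold the token (names chosen here), and that the tarball's JSON member names are undocumented, so every *.json member is read. The HTTP transport is injectable, and a constructed fake transport plus constructed sample records let the flow run offline:

```python
"""Two-step fetch of the FOSSA vulnerability snapshot: exchange the API token
for a pre-signed S3 URL, download the gzipped tarball from that URL, and read
the snapshot JSON out of the archive in memory."""
import io
import json
import os
import tarfile
import urllib.error
import urllib.request

# Assumption: the documented endpoint is served over HTTPS.
SNAPSHOT_ENDPOINT = "https://vulns.fossa.com/api/vulns/snapshot"

class SnapshotError(RuntimeError):
    pass

def urllib_transport(url, headers):
    """HTTP GET via the standard library: returns (status, body), body kept on error."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def request_snapshot_url(token_id, token_secret, transport=urllib_transport):
    """GET the endpoint with the token header and return the pre-signed URL.
    transport is (url, headers) -> (status, body); injectable so the flow can
    be exercised offline against fake_transport below."""
    headers = {"Authorization": f"token {token_id}:{token_secret}"}
    status, body = transport(SNAPSHOT_ENDPOINT, headers)
    if status != 200:
        # The failure body carries the description and error UUID that support
        # asks for; surface that, never the Authorization header.
        raise SnapshotError(f"snapshot request failed with HTTP {status}: "
                            f"{body.decode('utf-8', errors='replace')[:500]}")
    url = json.loads(body).get("url")
    if not isinstance(url, str) or not url.startswith("https://"):
        raise SnapshotError("response did not contain an https URL")
    return url

def extract_snapshot(archive):
    """Read JSON member(s) of a gzipped tarball straight from the stream. Nothing
    is written to disk, so a hostile member name like ../../etc/cron.d/x in a
    tampered archive cannot escape anywhere. Assumption: every *.json member holds records."""
    records = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(".json"):
                data = json.load(tar.extractfile(member))
                records.extend(data if isinstance(data, list) else [data])
    return records

def download_snapshot(token_id, token_secret, transport=urllib_transport):
    url = request_snapshot_url(token_id, token_secret, transport)
    # The pre-signed URL is a bearer credential until it expires: do not log it.
    # It needs no Authorization header, and sending the FOSSA token to the S3
    # host would hand that token to a different server.
    status, body = transport(url, {})
    if status != 200:
        raise SnapshotError(f"snapshot download failed with HTTP {status}")
    return extract_snapshot(body)

# Offline stand-in. Constructed sample data, not real FOSSA output.
SAMPLE_RECORDS = [{"fetcher": "npm", "package": "example-lib", "cve": None,
                   "affectedVersionRanges": "<1.2.3"}]
FAKE_SIGNED_URL = "https://example-bucket.s3.amazonaws.com/snap.tgz?X-Amz-Signature=0"

def build_archive(records, member="snapshot.json"):
    """Pack records as one JSON member of a gzipped tarball (test fixture)."""
    payload = json.dumps(records).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def fake_transport(url, headers):
    """Mimics both servers: token check on the API, none on the pre-signed URL."""
    if url == SNAPSHOT_ENDPOINT:
        if headers.get("Authorization") != "token id:secret":
            return 401, b'{"error": "invalid token", "uuid": "00000000-0000-0000-0000-000000000000"}'
        return 200, json.dumps({"url": FAKE_SIGNED_URL}).encode()
    if url == FAKE_SIGNED_URL and "Authorization" not in headers:
        return 200, build_archive(SAMPLE_RECORDS)
    return 403, b"AccessDenied"

if __name__ == "__main__":
    tid, sec = os.environ.get("FOSSA_VULN_TOKEN_ID"), os.environ.get("FOSSA_VULN_TOKEN_SECRET")
    found = download_snapshot(tid, sec) if tid and sec else download_snapshot("id", "secret", fake_transport)
    print(f"{len(found)} vulnerability record(s)")
```

Run it with the two environment variables set to pull the real snapshot; without them it exercises the same code path against the fake transport. The archive is parsed from memory on purpose: extracting a tarball you did not build to disk with member names you have not checked is a classic path-traversal foot-gun, and reading members from the stream sidesteps it entirely.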

IP Space Whitelisting

For proper functionality on-premises, if there is a firewall, the following IP spaces should be whitelisted (follow the links for more information on whitelisting these addresses).

Frequency of Vulnerability Snapshot Updates

The Vulnerability Snapshot is regenerated daily, so there is no benefit in fetching it more often than once a day. Each record carries createdAt and updatedAt timestamps, which let you diff a new snapshot against the previous one instead of reprocessing everything.

Vulnerability Snapshot Schema

The snapshot JSON is an array of flat JSON objects. This schema describes a single object within that array.

type SingleVulnSnapshotSchema = {
  // Package type (ecosystem) of the affected package, e.g. mvn (Maven), deb (Debian), npm (npm/Node), etc.
  fetcher: string;

  // Name of the affected package
  package: string;

  // CVE ID related to this vuln, or null if the vuln has no CVE
  cve: string | null;

  // CWE ID(s) related to this vuln, or null if we don't have enough information
  cwes: string | null;

  // CVSS v2 base vector string
  cvssV2Vector: string;

  // CVSS v3 base vector string
  cvssV3Vector: string;

  // FOSSA-computed severity vector, or null if we don't have enough information
  cvss: string | null;

  // Version range(s) of the package affected by this vuln
  affectedVersionRanges: string;

  // Long-form description of the vuln, or null if we don't have enough information
  description: string | null;

  // EPSS score (Exploit Prediction Scoring System, maintained by FIRST): the estimated
  // probability, between 0 and 1, that this vulnerability will be exploited in the wild
  // within the next 30 days. Higher means more likely to be exploited.
  epssSscore: string;

  // EPSS percentile: the proportion of all EPSS-scored vulnerabilities whose score is equal
  // to or lower than this one, i.e. where this vuln ranks relative to everything else scored.
  epssPercentile: string;

  // Exploit maturity: how readily exploit code for this vuln is available. A mature exploit
  // has exploit code readily available; a POC exploit relies on documented methods without
  // code samples. FOSSA currently populates this from the CISA Known Exploited Vulnerabilities
  // (KEV) catalog, so entries reflect the exploits listed there.
  exploitability: string;

  // When the vulnerability was published (datetime as string)
  published: string;

  // Links to external references (disclosures, blog posts, teardowns, writeups, post-mortems, etc.)
  references: string;

  // When FOSSA first created the vuln entry (datetime as string)
  createdAt: string;

  // When FOSSA last updated the vuln entry (datetime as string)
  updatedAt: string;
};
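What a consumer does with records of this shape, as an added example (editor-supplied code, not FOSSA's): validate each object against the documented fields, index by (fetcher, package) for SBOM lookups, pick out entries worth immediate triage by EPSS score or exploit maturity, and compute the delta since the previous daily pull using updatedAt. It assumes that fields the page does not mark nullable but that depend on upstream data (CVSS vectors, EPSS, exploitability, references) may also be null, that any non-null exploitability means a known exploit, and that datetimes are ISO 8601 with a trailing Z for UTC. The three records are constructed samples, not real FOSSA data:

```python
"""Validate and query FOSSA vulnerability snapshot records against the
documented schema."""
from collections import defaultdict
from datetime import datetime, timezone

# Every documented field, and whether it may be null. Fields the page does not
# describe as nullable but whose presence depends on upstream data are treated
# as nullable here too; that leniency is an assumption, not page content.
NULLABLE = {
    "fetcher": False, "package": False, "affectedVersionRanges": False,
    "published": False, "createdAt": False, "updatedAt": False,
    "cve": True, "cwes": True, "cvss": True, "description": True,
    "cvssV2Vector": True, "cvssV3Vector": True, "epssSscore": True,
    "epssPercentile": True, "exploitability": True, "references": True,
}

def validate_record(rec):
    """Return a list of schema problems; empty means the record conforms."""
    problems = []
    for field, nullable in NULLABLE.items():
        if field not in rec:
            problems.append(f"missing {field}")
        elif rec[field] is None and not nullable:
            problems.append(f"{field} is null")
        elif rec[field] is not None and not isinstance(rec[field], str):
            problems.append(f"{field} is not a string")
    return problems

def parse_datetime(value):
    """Parse the snapshot's datetime strings; a trailing Z means UTC (assumption)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def epss_score(rec):
    """EPSS is serialized as a string; None when there is no score."""
    raw = rec.get("epssSscore")
    return float(raw) if raw not in (None, "") else None

def index_by_package(records):
    """Group records by (fetcher, package) so an SBOM entry maps to its vulns."""
    index = defaultdict(list)
    for rec in records:
        index[(rec["fetcher"], rec["package"])].append(rec)
    return dict(index)

def triage(records, epss_threshold=0.1):
    """Records with a known exploit or EPSS at/above the threshold, highest EPSS
    first. Treating any non-null exploitability as 'exploit known' is an assumption."""
    picked = [r for r in records
              if r.get("exploitability") is not None
              or (epss_score(r) is not None and epss_score(r) >= epss_threshold)]
    return sorted(picked, key=lambda r: epss_score(r) or 0.0, reverse=True)

def updated_since(records, since):
    """Entries created or changed after the previous snapshot pull."""
    return [r for r in records if parse_datetime(r["updatedAt"]) > since]

# Constructed sample records, not real FOSSA data.
SAMPLE = [
    {"fetcher": "npm", "package": "example-lib", "cve": None, "cwes": None,
     "cvssV2Vector": None, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "cvss": None, "affectedVersionRanges": "<1.2.3", "description": "constructed",
     "epssSscore": "0.42", "epssPercentile": "0.97", "exploitability": "mature",
     "published": "2024-01-05T00:00:00Z", "references": "https://example.invalid/adv",
     "createdAt": "2024-01-05T12:00:00Z", "updatedAt": "2024-02-01T09:30:00Z"},
    {"fetcher": "mvn", "package": "com.example:lib", "cve": None, "cwes": None,
     "cvssV2Vector": None, "cvssV3Vector": None, "cvss": None,
     "affectedVersionRanges": "[1.0,2.0)", "description": None,
     "epssSscore": "0.01", "epssPercentile": "0.20", "exploitability": None,
     "published": "2023-11-01T00:00:00Z", "references": None,
     "createdAt": "2023-11-01T00:00:00Z", "updatedAt": "2023-11-02T00:00:00Z"},
    {"fetcher": "deb", "package": "example-tool", "cve": None, "cwes": None,
     "cvssV2Vector": None, "cvssV3Vector": None, "cvss": None,
     "affectedVersionRanges": "<0.9", "description": None,
     "epssSscore": "0.15", "epssPercentile": "0.90", "exploitability": None,
     "published": "2024-01-20T00:00:00Z", "references": None,
     "createdAt": "2024-01-20T00:00:00Z", "updatedAt": "2024-01-21T00:00:00Z"},
]

if __name__ == "__main__":
    bad = {r["package"]: validate_record(r) for r in SAMPLE if validate_record(r)}
    print("schema problems:", bad or "none")
    print("triage order:", [r["package"] for r in triage(SAMPLE)])
    print("changed since 2024-01-01:", [r["package"] for r in updated_since(SAMPLE, parse_datetime("2024-01-01T00:00:00Z"))])
```

Validating before indexing matters because the feed is an untrusted input to whatever pipeline consumes it: a record with a missing or non-string package name should be quarantined and reported, not allowed to raise a KeyError halfway through a nightly job.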