Vulnerability Snapshot Downloads
Download FOSSA's full vulnerability dataset as a gzipped JSON export via a single authenticated API request.
Overview
FOSSA publishes its full vulnerability dataset as a downloadable snapshot. A single authenticated GET request returns a pre-signed AWS S3 URL; following that URL downloads a gzipped tarball of the complete dataset in JSON format. The snapshot is updated daily.
Note
You need a Vulnerability Service API token ID and token secret to authenticate. See Vulnerability Service API Token Provisioning for how to obtain them.
Downloading the vulnerability snapshot
- 1
Request a pre-signed download URL
Make a
GETrequest to the snapshot endpoint:GET https://vulns.fossa.com/api/vulns/snapshot Authorization: token <tokenId>:<tokenSecret>On success, the response body is:
JSON{ "url": "string" }On failure, the response includes an error description and a UUID. If you cannot resolve the issue, contact support@fossa.com and include the error UUID.
- 2
Download the snapshot
Make a
GETrequest to theurlvalue returned in the previous step. The file is a gzipped tarball containing the full vulnerability dataset as an array of JSON objects.
Snapshot schema
Each object in the array conforms to this schema:
| Field | Description |
|---|---|
fetcher | Package type of the affected package (e.g. mvn, deb, npm) |
package | Name of the affected package |
cve | CVE identifier, or null if the vulnerability has no CVE |
cwes | CWEs associated with the vulnerability, or null if unavailable |
cvssV2Vector | CVSS v2 enum vector |
cvssV3Vector | CVSS v3 enum vector |
cvssV4Vector | CVSS v4 enum vector |
cvss | FOSSA-computed severity score, or null if unavailable |
affectedVersionRanges | Version ranges affected by this vulnerability |
description | Long-form explanation of the vulnerability, or null if unavailable |
epssSscore | EPSS score, likelihood of exploitation in the wild (higher = more predictable, less sophisticated exploit) |
epssPercentile | EPSS percentile rank relative to all other vulnerabilities in the dataset |
exploitability | Exploit maturity, sourced from the CISA Known Exploits catalog |
published | Date the vulnerability was published (ISO datetime string) |
references | Links to external references such as disclosures, writeups, and post-mortems |
createdAt | When FOSSA first created this vulnerability entry (ISO datetime string) |
updatedAt | When FOSSA last updated this vulnerability entry (ISO datetime string) |
IP allowlist for on-premises deployments
If your on-premises installation is behind a firewall, allowlist the following to reach the snapshot service and its file storage:
vulns.fossa.com- AWS S3,
us-west-2region