Table of Contents


  • API capability requires an additional WhiteSource license. Contact your CSM for more details.

  • For customers who have enabled vulnerability-based alerting, there are several changes to API version 1.3 -  refer here for details.

  • This page covers APIs for version 1.3. All version 1.3 APIs must include:


See /wiki/spaces/WD/pages/33816708.

  • Get Organization Policies

  • Get Product Policies

  • Get Project Policies

  • Add Organization Policy

  • Add Product Policy

  • Add Project Policies

  • Update Organization Policy

  • Update Product Policy

  • Update Project Policy

  • Remove Organization Policies

  • Remove Product Policies

  • Remove Project Policies

  • Reorder Organization Policy Priorities

  • Reorder Product Policy Priorities

  • Reorder Project Policy Priorities

  • Get Licenses




Get all alerts for a given organization/product/project.



For customers who have enabled Security Alerts: View By Vulnerability, there are several changes to API version 1.3. Refer here for details.

Code Block
    "requestType" : "getAlertsByProjectTag",
    "userKey": "user_key",
    "orgToken" : "orgToken",




Get a list of ignored alerts per scope (organization/product/project).


Field name / description:

  • The id in the vulnerability DB (CVE or WS)
  • Either CVE or WS
  • Severity of the CVSS 2 vulnerability (low, medium, high)
  • The CVSS 2 base score [0.0 - 10.0]
  • The CVSS 3 severity band: Low if the CVSS 3 score is 0-3.9, Medium if it is 4-6.9, High if it is 7-10
  • The CVSS 3 base score [0.0 - 10.0]
  • See specification link
  • Original release date
  • URL of the CVE
  • A short description of the security vulnerability
  • Top recommended fix (when available)
  • List of all fixes (when available)
  • The actual resolution text to display for the given fix.




Get all alerts of a certain type for a given organization / product / project.


Code Block
"libraryLocations" : [
    {
        "name" : "library_name",
        "keyId" : key_id,
        "keyUuid" : "key_uuid",
        "locations" : [
            {
                "path" : "library_location_1\\library_name",
                "dependencyFile" : "home/ubuntu/GiHubRepos/Samples123/pom.xml",
                "matchType" : "SHA1"
            },
            {
                "path" : "library_location_2\\library_name",
                "dependencyFile" : "home/ubuntu/GiHubRepos/Samples234/pom.xml",
                "matchType" : "FILENAME"
            }
        ]
    }
]

Get Policies

See the Policies API page (/wiki/spaces/WD/pages/33816708) for documentation.

Groups and Users


The Auditor role can be assigned to service users to grant them read-only permissions within the scope of a specific organization. Use this role when service users need to fetch organizational information but should not be granted full admin permissions.

NOTE: The groupAssignment and userAssignment are single entity fields, while groupAssignments and userAssignments are arrays that support receiving multiple values.

Code Block
{
    "requestType" : "setOrganizationAssignments",
    "orgToken" : "organization_api_key",
    "readOnlyUsers" : {
       "groupAssignments":[{"name":"group_name"},{"name":"group_name"}], // This parameter will be deprecated shortly. Only the first value in each array will be used, since the default approver role only supports a single user.
       "userAssignments":[{"email":"user_email"},{"email":"user_email"}]  // This parameter will be deprecated shortly. Only the first value in each array will be used, since the default approver role only supports a single group.
    }
}

Response Format

Code Block
"message": "The following organization assignments have been set: Read Only"

Set Product Assignments

You can assign a Product-level role to specific users or to a group of users using the below API calls. The following roles are supported:

Product Administrators

Product Administrators have control over the entire product: they can rename and delete the product and all the projects under it.


They can also view data on the product and all projects under it, and open tickets for libraries.


Code Block
{
  "requestType": "setProductAssignments",
  "userKey": "user_key",
  "productToken": "product_api_key",
  "productIntegrators" : {
    "userAssignments":[{"email":"user_email"}], // This parameter will be deprecated shortly. Only the first value in each array will be used, since the default approver role only supports a single user.
    "groupAssignments":[{"name":"group_name"}]  // This parameter will be deprecated shortly. Only the first value in each array will be used, since the default approver role only supports a single group.
  }
}

Response Format

Code Block
"message":"Successfully set product assignments"


  1. name - the name of the vulnerability (e.g. CVE-2008-0983).

  2. severity - the CVSS severity (as taken from NVD), can be one of:

    1. HIGH

    2. MEDIUM

    3. LOW

  3. score - the CVSS score (as taken from NVD), values range from 0-10.

  4. cvss3_score - the CVSS score 3 (as taken from NVD), values range from 0-10.

  5. cvss3_severity - the CVSS 3 severity band: low if the CVSS 3 score is 0-3.9, medium if it is 4-6.9, high if it is 7-10.

  6. scoreMetadataVector - a text representation of a set of CVSS metrics. See also related specification.

  7. description - the vulnerability description.

  8. publishDate - the publish date.

  9. sourceFile - in case the vulnerability was matched to a source file, not the binary library, the sourceFile field will be populated (see details below).
    Note: only libraries with type SOURCE_LIBRARY have source files.

  10. vulnerabilityFix - the top fix of the vulnerability (see details below).

  11. fixResolutionText - the actual resolution text to display for the given fix.
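As an added example (not code from this page or from WhiteSource), the following Python pass works over alert records in the field layout listed above: it applies the cvss3_severity banding the page defines, flags records whose reported severity disagrees with their cvss3_score, and pulls out fixable alerts above a score threshold together with the dependency files named in libraryLocations. The flat record shape, the sample values and the fallback to the CVSS 2 score for records without CVSS 3 data are assumptions of the example.

```python
# Constructed sample alerts in the field layout listed above (made-up values, not real
# WhiteSource output); the flat record shape with an embedded "libraryLocations" list
# is an assumption of this example.
SAMPLE_ALERTS = [
    {"name": "CVE-0000-0001", "type": "CVE", "severity": "high", "score": 7.5,
     "cvss3_score": 9.8, "cvss3_severity": "high",
     "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "publishDate": "2020-01-15", "description": "constructed sample",
     "vulnerabilityFix": {"fixResolution": "1.2.4"}, "fixResolutionText": "Upgrade to 1.2.4",
     "libraryLocations": [{"name": "lib-a", "keyId": 1, "keyUuid": "uuid-a", "locations": [
         {"path": "repo\\lib-a.jar", "dependencyFile": "home/ubuntu/repo/pom.xml", "matchType": "SHA1"},
         {"path": "repo2\\lib-a.jar", "dependencyFile": "home/ubuntu/repo2/pom.xml", "matchType": "FILENAME"}]}]},
    {"name": "WS-0000-0002", "type": "WS", "severity": "medium", "score": 5.0,
     "cvss3_score": 3.9, "cvss3_severity": "medium",  # reported band disagrees with the score
     "publishDate": "2021-06-01", "description": "constructed sample", "libraryLocations": []},
    {"name": "CVE-0000-0003", "type": "CVE", "severity": "high", "score": 9.3,  # no CVSS 3 data
     "publishDate": "2008-02-25", "description": "constructed sample",
     "fixResolutionText": "Upgrade to 2.0.0", "libraryLocations": []},
]


def cvss3_severity(score):
    """Band a CVSS 3 base score as the page defines cvss3_severity: 0-3.9 low, 4-6.9 medium, 7-10 high."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS 3 base score out of range: {score}")
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


def inconsistent_severities(alerts):
    """Names of alerts whose reported cvss3_severity does not match the band of their cvss3_score."""
    return [a["name"] for a in alerts
            if "cvss3_score" in a
            and a.get("cvss3_severity", "").lower() != cvss3_severity(a["cvss3_score"])]


def triage(alerts, min_score=7.0):
    """Fixable alerts at or above min_score: resolution text plus the dependency files to change."""
    result = {}
    for a in alerts:
        # Older entries may lack CVSS 3 data; falling back to the CVSS 2 score is an assumption here
        score = a.get("cvss3_score", a.get("score", 0.0))
        if score < min_score or "fixResolutionText" not in a:
            continue
        files = sorted({loc["dependencyFile"]
                        for lib in a.get("libraryLocations", []) for loc in lib.get("locations", [])})
        result[a["name"]] = {"fix": a["fixResolutionText"], "dependencyFiles": files}
    return result
```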
