Skip to content

Change API design #2206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
TG1999 wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Change API design #2206

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
4f15151
Change API design
TG1999 Mar 11, 2026
bddad8b
Restructure V3 API
TG1999 Mar 11, 2026
1132774
Fix formatting issues
TG1999 Mar 16, 2026
e53126c
Add tests
TG1999 Mar 16, 2026
970b885
Disable Admin panel
TG1999 Mar 16, 2026
cf9e087
Inline vulnerability data
TG1999 Mar 16, 2026
f7e4507
Revert changes
TG1999 Mar 16, 2026
2da29b1
Fix tests
TG1999 Mar 16, 2026
cea3db7
Remove advisories count
TG1999 Mar 16, 2026
928d3fb
Make search more efficient
TG1999 Mar 16, 2026
277117d
Make improvers query correct and faster
TG1999 Mar 17, 2026
faf4d88
Fix formatting issues
TG1999 Mar 17, 2026
f971d9d
Optimize package risk score calculation
TG1999 Mar 17, 2026
1d2aaee
Use only latest per avid aadvisories to compute package risk score
TG1999 Mar 17, 2026
d40ffa0
Handle packages which are subject of more than 100 advisories
TG1999 Mar 17, 2026
fbe5b04
Add URLs
TG1999 Mar 17, 2026
268094f
Optimize views
TG1999 Mar 17, 2026
1687202
Fix rst file formatting
TG1999 Mar 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
246 changes: 246 additions & 0 deletions api_v3_usage.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,246 @@
Package Endpoint
================

We are migrating from **API v1** to **API v3**.

Previously, the ``/api/packages`` endpoint exposed multiple routes:

- ``bulk_search``
- ``bulk_lookup``
- ``lookup``
- ``all``

In **API v3**, all these capabilities are consolidated into a **single endpoint**:

::

POST /api/v3/packages


Pagination
----------

Responses from the package endpoint are **always paginated**, with **10 results per page**.

Each response includes:

- ``count`` — total number of results
- ``next`` — URL for the next page
- ``previous`` — URL for the previous page

If a package is associated with **more than 100 advisories**, the response will include:

- ``affected_by_vulnerabilities_url`` instead of ``affected_by_vulnerabilities``
- ``fixing_vulnerabilities_url`` instead of ``fixing_vulnerabilities``


Getting All Vulnerable Packages
-------------------------------

Instead of calling ``/api/packages/all``, call the v3 endpoint with an empty ``purls`` list.

::

POST /api/v3/packages

{
"purls": []
}

Example response:

::

{
"count": 596,
"next": "http://example.com/api/v3/packages?page=2",
"previous": null,
"results": [
"pkg:npm/626@1.1.1",
"pkg:npm/aedes@0.35.0",
"pkg:npm/airbrake@0.3.8",
"pkg:npm/angular-http-server@1.4.3",
"pkg:npm/apex-publish-static-files@2.0.0",
"pkg:npm/atob@2.0.3",
"pkg:npm/augustine@0.2.3",
"pkg:npm/backbone@0.3.3",
"pkg:npm/base64-url@1.3.3",
"pkg:npm/base64url@2.0.0"
]
}


Bulk Search (Replacement)
-------------------------

Instead of calling ``/api/packages/bulk_search``, use:

::

POST /api/v3/packages

Parameters:

- ``purls`` — list of package URLs to query
- ``details`` — boolean (default: ``false``)
- ``approximate`` — boolean (default: ``false``)

The ``approximate`` flag replaces the previous ``plain_purl`` parameter.
When set to ``true``, qualifiers and subpaths in PURLs are ignored.


Get Only Vulnerable PURLs
~~~~~~~~~~~~~~~~~~~~~~~~~

::

POST /api/v3/packages

{
"purls": ["pkg:npm/atob@2.0.3", "pkg:pypi/sample@2.0.0"],
"details": false
}

Example response:

::

{
"count": 1,
"next": null,
"previous": null,
"results": [
"pkg:npm/atob@2.0.3"
]
}


Get Detailed Vulnerability Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

::

POST /api/v3/packages

{
"purls": ["pkg:npm/atob@2.0.3", "pkg:pypi/sample@2.0.0"],
"details": true
}

Example response:

::

{
"count": 1,
"next": null,
"previous": null,
"results": [
{
"purl": "pkg:npm/atob@2.0.3",
"affected_by_vulnerabilities": [
{
"advisory_id": "nodejs_security_wg/npm-403",
"fixed_by_packages": [
"pkg:npm/atob@2.1.0"
],
"duplicate_advisory_ids": []
}
],
"fixing_vulnerabilities": [],
"next_non_vulnerable_version": "2.1.0",
"latest_non_vulnerable_version": "2.1.0",
"risk_score": null
}
]
}


Using Approximate Matching
~~~~~~~~~~~~~~~~~~~~~~~~~~

::

POST /api/v3/packages

{
"purls": ["pkg:npm/atob@2.0.3?foo=bar"],
"approximate": true,
"details": true
}

Example response:

::

{
"count": 1,
"next": null,
"previous": null,
"results": [
{
"purl": "pkg:npm/atob@2.0.3",
"affected_by_vulnerabilities": [
{
"advisory_id": "nodejs_security_wg/npm-403",
"fixed_by_packages": [
"pkg:npm/atob@2.1.0"
],
"duplicate_advisory_ids": []
}
],
"fixing_vulnerabilities": [],
"next_non_vulnerable_version": "2.1.0",
"latest_non_vulnerable_version": "2.1.0",
"risk_score": null
}
]
}


Advisory Endpoint
=================

Retrieve advisories for one or more PURLs:

::

POST /api/v3/advisories

{
"purls": ["pkg:npm/atob@2.0.3", "pkg:pypi/sample@2.0.0"]
}

Responses are paginated (10 results per page) and include ``next`` and ``previous`` links.


Affected-By Advisories Endpoint
===============================

Retrieve advisories that **affect (impact)** a given PURL:

::

GET /api/v3/affected-by-advisories?purl=<purl>

Example:

::

GET /api/v3/affected-by-advisories?purl=pkg:npm/atob@2.0.3


Fixing Advisories Endpoint
==========================

Retrieve advisories that are **fixed by** a given PURL:

::

GET /api/v3/fixing-advisories?purl=<purl>

Example:

::

GET /api/v3/fixing-advisories?purl=pkg:npm/atob@2.1.0
Loading
Loading