Why
fossapi list revisions <project> exists, and fossapi get revision <locator> returns revision metadata — but there is no way to list the
issues attached to a revision. Per-project issues are the second half of a
release-group reconciliation (see sibling issue on release-group issue
listing), and they're also useful standalone — e.g. "what are the current
license findings on this revision?"
Current workaround
REV='custom+<orgId>/<repo>$<sha>'
ENC=$(python3 -c "import urllib.parse,sys;print(urllib.parse.quote(sys.argv[1],safe=''))" "$REV")
curl -sH "Authorization: Bearer $FOSSA_API_KEY" \
"https://app.fossa.com/api/revisions/$ENC/issues"
Response shape: {revisionScan: {...}, issues: [{id, type, revisionId, humanReadableType, vulnId, ruleId, licenseForDefaultRule, scan_type, ignoreData, parents, ...}]}. Issue rows have scan_type == "top_level_revision", as opposed to "project_group_release" on the RG
endpoint — worth surfacing in the CLI's JSON output.
Proposed CLI surface
fossapi list revision-issues <revision_locator> [--json] \
[--category licensing|vulnerability|quality]
# or an equivalent filter on `list issues`:
fossapi list issues --revision <locator> [--category <...>]
Why
fossapi list revisions <project>exists, andfossapi get revision <locator>returns revision metadata — but there is no way to list theissues attached to a revision. Per-project issues are the second half of a
release-group reconciliation (see sibling issue on release-group issue
listing), and they're also useful standalone — e.g. "what are the current
license findings on this revision?"
Current workaround
Response shape:
{revisionScan: {...}, issues: [{id, type, revisionId, humanReadableType, vulnId, ruleId, licenseForDefaultRule, scan_type, ignoreData, parents, ...}]}. Issue rows havescan_type == "top_level_revision", as opposed to"project_group_release"on the RGendpoint — worth surfacing in the CLI's JSON output.
Proposed CLI surface