HTTP API v1.3 and v1.4

Notes:

  • For customers who have enabled vulnerability-based alerting, there are several changes to API version 1.3. Refer here for details.
  • This page covers APIs for version 1.3. All version 1.3 APIs must include:
  • Vulnerabilities at the CRITICAL severity level are now supported with CVSS v3 in Mend’s new API v1.4.
  • To use the new Critical level, it is recommended that you upgrade to API v1.4 at: https://<environment>/api/v1.4 where <environment> corresponds to your Mend server.

Overview

The Mend HTTP API is available for Mend customers who are licensed to use it. The APIs can be accessed by the organization's administrator(s).

The API is an HTTP endpoint implementing a JSON-speaking web service and handling POST requests. Communication is secured with SSL.

This document describes the Mend HTTP API v1.3. The API URL can be obtained by copying the Mend Server URL, which can be retrieved from your Profile page on the Server URLs panel. Then, add the path /api/v1.3 to it. For example: https://saas.whitesourcesoftware.com/api/v1.3.

Regarding version numbers:

  • If there are three or more version parts (e.g., x.y.z or x.y.z.w), both x and y are considered a major version (x.y).
  • If there are two parts (x.y), then x is the major version.

NOTE: The previous Mend API version is still supported and is documented on the HTTP API v1.2 page.

Notes on API Calls

  • All actions are recorded in the GMT time zone, and this is the time displayed in relevant reports.
  • Date format in all responses is yyyy-MM-dd.
  • API results are not sorted in any particular order.

API Execution Scope

Generally, an administrator at each level (Organization, Product) can get or set API attributes through API calls that refer to their own scope or to anything under it. For example, Product administrators can execute API calls related to their Projects/Products defined in Mend, but they cannot execute Organization-related API calls outside their scope.

Exceptions:

  • getProjectVitals – Product administrators can use the Organization level call and get product/project vitals related to their products/projects.
  • getRequestState – Although an Organization token is required, a Product administrator can also execute it.

API URL

The base URL for all API endpoints can be obtained from the Integrate tab. (Calls to HTTP cannot be redirected to HTTPS.)

Only POST requests are accepted.

The header must include:
content-type=application/json


API Format

All requests require a token available via the API Integration page in your Mend account, based on the request's context (organization/product/project).

WARNING
The requestType parameter is mandatory for all requests.

Parameter      Description
requestType    For details, see Supported API Requests.
orgToken       Your organization API key.
productToken   A unique identifier for your product.
projectToken   A unique identifier for your project.

Character Sets

Mend HTTP API v1.x supports the Accept-Charset header.

If the value of the header is a supported character set (see supported values below), the response will be in that character set.
If the value is unsupported or if the header isn't sent, the default response character set will be UTF-8.

Supported Character Sets:

  • utf-8
  • utf-16
  • iso-8859-1
  • iso-8859-2
  • iso-8859-4
  • iso-8859-5
  • iso-8859-7
  • iso-8859-9
  • us-ascii

Special Characters:
The following characters are NOT supported as API input: <, >, %, &.
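
The request rules above (HTTPS base URL plus /api/v1.3, POST only, JSON content type, mandatory requestType, a scope token, supported Accept-Charset values, and the unsupported input characters) can be enforced on the client before a token ever leaves the machine. The following is an added example, not code from Mend; the function name build_request and the token value are assumptions, and any request-specific fields not described on this page are omitted.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Values taken from this page: unsupported input characters and supported charsets.
UNSUPPORTED_CHARS = set("<>%&")
SUPPORTED_CHARSETS = {"utf-8", "utf-16", "iso-8859-1", "iso-8859-2", "iso-8859-4",
                      "iso-8859-5", "iso-8859-7", "iso-8859-9", "us-ascii"}
TOKEN_FIELDS = ("orgToken", "productToken", "projectToken")


def build_request(server_url, request_type, charset="utf-8", version="v1.3", **params):
    """Return a ready-to-send urllib Request for one API call (nothing is sent here)."""
    parts = urlsplit(server_url)
    # HTTP calls are not redirected to HTTPS, so never attach a token to a plain-HTTP URL.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("server URL must be an https:// URL")
    if not request_type:
        raise ValueError("requestType is mandatory")
    if not any(params.get(field) for field in TOKEN_FIELDS):
        raise ValueError("one of orgToken/productToken/projectToken is required")
    # The server silently falls back to UTF-8 for unknown charsets; this client
    # rejects them instead (a stricter choice made for this example).
    if charset.lower() not in SUPPORTED_CHARSETS:
        raise ValueError(f"unsupported Accept-Charset: {charset}")
    body = {"requestType": request_type, **params}
    for key, value in body.items():
        bad = UNSUPPORTED_CHARS & set(str(value))
        if bad:
            raise ValueError(f"{key} contains unsupported characters: {sorted(bad)}")
    return urllib.request.Request(
        url=f"{server_url.rstrip('/')}/api/{version}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept-Charset": charset},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample call; the token is a placeholder, not a real key.
    req = build_request("https://saas.whitesourcesoftware.com", "getProjectVitals",
                        orgToken="PLACEHOLDER_ORG_TOKEN")
    print(req.get_method(), req.full_url)
    print(dict(req.header_items()), req.data.decode())
```

Pass the returned object to urllib.request.urlopen to send it; load the token from a secret store or environment variable rather than from source code.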