# API BOM {% hint style="success" %} **At a glance:** Review a detailed list of all API endpoints exposed by your applications. Map specific detected issues to the APIs that expose them (for APIs written in supported languages). {% endhint %} {% hint style="warning" %} See the list of [languages and web frameworks](https://gitlab.com/oxsecurity/ox-docs/docs/-/blob/main/a-tour-of-ox/broken-reference/README.md) currently supported for: • API detection\ • API/issue correlation {% endhint %} ## Overview
**API BOM** provides you with a detailed inventory of the API endpoints (both internal and external) defined in your application code. It identifies APIs: * Directly referenced by your code. * Defined by OpenAPI specification files in your repositories. {% hint style="info" %} **Why does it matter?** 1. **API BOM** gives you the ability to better understand your app exposure, making it easier to: * Ensure that all your APIs have undergone appropriate security review procedures. This is especially helpful in managing the review of newly added APIs. * Manage particularly risky elements of your APIs even when they are legitimately and intentionally included in code. * Consider, for example, an API containing a method that could potentially alter your application or user data. At the very least, it's important to be aware that this method exists in your code so that you can manage potential risks. 2. **API BOM** allows you to prioritize issues exposed by APIs (which makes it more likely that there is a path for an attacker to exploit them). {% endhint %} ## Supported Languages | Language | Web framework | API detection | API/issue correlation¹ | | -------------------------- | -------------------------- | ------------- | ---------------------- | | OpenAPI specification file | – | Yes | nan | | Python | Flask | Yes | Yes | | Python | FastAPI | Yes | Yes | | Python | Django | Yes | Yes | | Python | Connexion | Yes | Yes | | JavaScript & TypeScript | Express.js | Yes | Yes | | JavaScript & TypeScript | NestJS | Yes | Yes | | JavaScript & TypeScript | Koa | Yes | Yes | | JavaScript & TypeScript | Apollo GraphQL | Yes | Yes | | Java | SpringBoot | Yes | Yes | | Go | Gin | Yes | nan | | Scala | Play | Yes | Yes | | Scala | SpringBoot | Yes | Yes | | Kotlin | SpringBoot | Yes | Yes | | Kotlin | Ktor | Yes | Yes | | C# | Microsoft ASP.NET Core MVC | Yes | Yes | ### **API/issue correlation** **API BOM** maps specific **Code security** and **Open source security** issues to the APIs that expose them when **both** of the following conditions are met: * The API is discovered in code. * The API is written in a [language/web framework](https://gitlab.com/oxsecurity/ox-docs/docs/-/blob/main/a-tour-of-ox/broken-reference/README.md) for which this feature is supported. **An issue is considered to be exposed by an API** when there is a function call path between the API handler function and the function containing the issue. ## Summary table The API BOM **summary table** provides detailed information about each API discovered. A specific API (Title) is listed **once for each endpoint/method combination** it references. In the **summary table:** * Click on the title of any column to sort the table by that column. (By default, the table is sorted by **First seen**.) * Use the filters on the left side of the page to view specific information in the table according to your preferences. * Click the Export button to export the full or filtered table as a CSV file. ### Summary table data

Title: The name of the API

  • For APIs discovered in code, the Title is the word API appended to the end of the application name (repository) in which the API is referenced.

    • For example, the Title of an API discovered in the millennium-falcon repository is millennium-falcon API.
  • For APIs discovered in OpenAPI specification files, the Title matches the title defined in the file.

Highest severity exposed issues: The number of issues exposed by the API in each of the 3 highest severity levels.

  • This column contains data only when the conditions for API/issue correlation are met.
  • Click a circled number in the column to view the Issues page pre-filtered by these issues.
Endpoint: The URL of the endpoint referenced by the code or OpenAPI file.
Method: The HTTP method for the endpoint.

Functions: The functions called by the API.

  • This column contains data only when the API was discovered in code .
  • Click on a function link to view the function at its precise location in your code repository (in a new browser tab).

First seen: The date the API was first detected by OX.

  • This is the date of first detection, not the date on which the API was added to the code.

Source:

  • = API discovered in code.

    • Click the icon to view the API reference at its precise location in your code repository (in a new browser tab).

  • = API discovered in OpenAPI specification file.

    • Click the icon to view the OpenAPI file in your code repository (in a new browser tab). Note that this link takes you to the OpenAPI file, not to the specific line within the file that references the API.

App name: The app (repository) in which the API is referenced.

## API details Select a row in the summary table to open **detailed API information** at the bottom of the page.

Click the Exposed code issues button to view the Issues page pre-filtered by the issues exposed by the API.

Tabs: Switch among tabs to navigate the types of detailed information available:

  • The Exposed issue statistics tab is displayed when the conditions for API/issue correlation are met.
  • The Parameters and Responses tabs are displayed when OX is able to detect this information for the API.