Mend API Version Comparison: 1.4 vs 2.0 vs 3.0
Overview
Mend offers three API versions: API 1.4, API 2.0, and API 3.0. Each version reflects a different stage in the platform's evolution, with changes to architecture, authentication, entity models, and available functionality.
API 1.4 uses a single-endpoint, POST-based request model and provides the broadest reporting capabilities, including both synchronous and asynchronous report generation. API 2.0 introduced a RESTful architecture with JWT-based authentication, pagination, filtering, and sorting, but removed reporting entirely. API 3.0 continues the RESTful approach, replaces the "Product" entity with "Application," transitions from an alerts model to a findings model, and introduces support for SAST, container, and AI security scanning along with an async reporting system.
In most cases, API 3.0 is the recommended version for new integrations. However, certain capabilities remain exclusive to earlier versions -- notably synchronous reporting and several report types in API 1.4, and policy management, filtering, and library detail endpoints in API 2.0. This document provides a detailed breakdown of what is available in each version to help guide integration and migration decisions.
Quick Comparison
Aspect | API 1.4 | API 2.0 | API 3.0 |
|---|---|---|---|
Architecture | Single POST endpoint; the operation is selected by requestType in the request body | RESTful (distinct endpoints + HTTP methods) | RESTful (distinct endpoints + HTTP methods) |
Authentication | UserKey in request body | JWT Bearer token (login endpoint, 10-min TTL) | JWT Bearer token (login endpoint, 10-min TTL) |
Entity hierarchy | Organization > Product > Project | Organization > Product > Project | Organization > Application > Project |
Identifiers | Entity tokens | Entity tokens | UUIDs (all path parameters) |
Alerting model | Alerts (legal & security) | Alerts (legal & security) | Findings (legal & security) |
Pagination | Not supported | Page-based (page size + page number) | Cursor-based (cursor + limit) |
Filtering & sorting | Not supported | Supported | Not supported |
Reporting | Synchronous + asynchronous (55+ report types) | Not available | Async report system (35+ report types) |
Code scanning (SAST) | Not available | Not available | Supported |
Container scanning | Not available | Not available | Full support (security, secrets, packages) |
AI security | Not available | Not available | Supported (findings, models, red teaming) |
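A walker for each pagination style in the table (page size + page number for 2.0, cursor + limit for 3.0), written in Python as an added example rather than Mend's own code. The in-memory fetch callbacks are constructed stand-ins for the listing endpoints; the 0-based page index and the "cursor names the last item served" encoding are assumptions for the demo, not a description of Mend's cursor format. It goes one step beyond the table by showing why the style matters for a security inventory: offset paging can repeat or skip findings when the list changes between requests, so page-based results must be de-duplicated by id and counts treated as approximate, whereas a stable cursor walk is unaffected. Both walkers also bound a server that never terminates.

```python
"""Walking paginated listings: page-based (API 2.0 style) vs cursor-based
(API 3.0 style). Added illustration, not Mend's code; the fetch callbacks are
constructed in-memory stand-ins, and the 0-based page index plus the
"cursor = uuid of last item served" encoding are assumptions for this demo."""


def iterate_page_based(fetch_page, page_size=100, max_pages=10_000):
    """fetch_page(page, page_size) -> list of items (page ASSUMED 0-based).
    Stops at the first short or empty page. max_pages bounds a server that
    ignores the page parameter and serves the same page forever."""
    for page in range(max_pages):
        items = fetch_page(page, page_size)
        yield from items
        if len(items) < page_size:
            return
    raise RuntimeError("page-based listing did not terminate")


def iterate_cursor_based(fetch_cursor, limit=100, max_requests=10_000):
    """fetch_cursor(cursor, limit) -> (items, next_cursor); a falsy next_cursor
    marks the end. A cursor that repeats is a server bug, not a reason to loop."""
    cursor, seen = None, set()
    for _ in range(max_requests):
        items, next_cursor = fetch_cursor(cursor, limit)
        yield from items
        if not next_cursor:
            return
        if next_cursor in seen:
            raise RuntimeError(f"cursor {next_cursor!r} was already used; aborting")
        seen.add(next_cursor)
        cursor = next_cursor
    raise RuntimeError("cursor-based listing did not terminate")


def dedupe_by(key, items):
    """Keep the first occurrence per key. Apply to page-based results before
    counting findings, because offset paging can serve an item twice."""
    seen, out = set(), []
    for item in items:
        k = key(item)
        if k not in seen:
            seen.add(k)
            out.append(item)
    return out


def make_fake_endpoints(findings, mutate_before_second_call=None):
    """CONSTRUCTED stand-ins. `findings`: list of dicts with a 'uuid', newest
    first. The optional mutation runs just before the second request and
    models a new finding arriving while a client is mid-walk."""
    calls = {"n": 0}

    def before_request():
        calls["n"] += 1
        if calls["n"] == 2 and mutate_before_second_call:
            mutate_before_second_call(findings)

    def page_fetch(page, page_size):      # offset arithmetic, as in page-based listing
        before_request()
        start = page * page_size
        return list(findings[start:start + page_size])

    def cursor_fetch(cursor, limit):      # cursor = uuid of the last item served
        before_request()
        start = 0
        if cursor is not None:
            start = next(i for i, f in enumerate(findings) if f["uuid"] == cursor) + 1
        chunk = list(findings[start:start + limit])
        has_more = start + limit < len(findings)
        return chunk, (chunk[-1]["uuid"] if chunk and has_more else None)

    return page_fetch, cursor_fetch


def demo():
    base = [{"uuid": f"finding-{i:03d}"} for i in range(25)]   # constructed sample
    new_arrival = lambda fs: fs.insert(0, {"uuid": "finding-new"})
    key = lambda f: f["uuid"]
    out = {}

    page_fetch, _ = make_fake_endpoints(list(base))
    out["page_stable"] = len(list(iterate_page_based(page_fetch, page_size=10)))
    _, cursor_fetch = make_fake_endpoints(list(base))
    out["cursor_stable"] = len(list(iterate_cursor_based(cursor_fetch, limit=10)))

    page_fetch, _ = make_fake_endpoints(list(base), new_arrival)
    page_items = list(iterate_page_based(page_fetch, page_size=10))
    out["page_drift_total"] = len(page_items)                 # one finding served twice
    out["page_drift_unique"] = len(dedupe_by(key, page_items))

    _, cursor_fetch = make_fake_endpoints(list(base), new_arrival)
    cursor_items = list(iterate_cursor_based(cursor_fetch, limit=10))
    out["cursor_drift_total"] = len(cursor_items)             # no duplicates, no skips
    out["cursor_drift_unique"] = len(dedupe_by(key, cursor_items))

    try:   # a server that keeps handing back the same cursor is caught, not looped on
        list(iterate_cursor_based(lambda c, n: ([{"uuid": "x"}], "stuck"), limit=10))
        out["stuck_cursor_detected"] = False
    except RuntimeError:
        out["stuck_cursor_detected"] = True
    return out
```

Under the page-based walker the mid-walk insertion shifts every offset by one, so the last item of page 0 is served again as the first item of page 1 (26 items, 25 unique); the cursor walker resumes after the last uuid it saw and is unaffected. When the 2.0 response also carries a total count, compare it with the de-duplicated count and flag a mismatch rather than reporting the inventory as complete.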
Capabilities Available in All Three Versions
Authentication and session management
Group management (create, update, delete, user assignment)
User management (list, remove, invite)
Organization, product/application, and project entity operations
Alert/finding retrieval for security issues
In-house library identification
Due diligence data access
Service user management
Exclusive to API 1.4
These capabilities exist only in API 1.4 and were not carried forward to 2.0 or 3.0.
Capability | Description |
|---|---|
Synchronous reports (55 types) | Immediate report generation covering inventory, source files, due diligence, attribution, comparison, SPDX/SBOM, custom attributes, license compatibility, effective licenses, in-house, risk, vulnerability, container vulnerability, alerts (active/ignored/resolved), change log, login history, request history, plugin history, members, and security alerts by vulnerability -- at org, product, and project levels |
Asynchronous reports | Background report generation with status polling and ZIP download |
Product & project tags | Full CRUD for key-value tags on products and projects, including cross-entity tag retrieval |
Alerts by project tag | Filter alerts using project tag key-value pairs |
Ignored & resolved alert reports | Dedicated retrieval and export of ignored and resolved alerts at all levels |
Issue tracker integration | Fetch policy-matched libraries for issue creation, update external issue status, get activation tokens, get policy match configurations |
License text & copyright downloads | ZIP exports of license text, copyright files, and notice files at product and project levels |
Comparison reports | Side-by-side library/license comparison between two products or two projects |
Risk reports | Risk assessment scoring across security, quality, and compliance dimensions |
Audit & history reports | Change log history, login history, request history (org/product/project), plugin request history |
Members reports | Member information reports at org, product, and project levels |
License compatibility reports | License compatibility analysis at product and project levels |
Effective licenses reports | Effective license assignments at org and product levels |
Project hierarchy & inventory | Library dependency hierarchy and full Bill of Materials for projects |
Library source files & dependencies | Source file listings and dependency trees for libraries within projects |
Pending task management | Get and close pending domain tasks |
Project setup notifications | Configure email notifications for project setup events |
Change origin library | Reassign source files to a different origin library |
Web Advisor invitations | Invite external users to download Mend Advise |
Exclusive to API 2.0
These capabilities exist only in API 2.0, not in 1.4 or 3.0.
Capability | Description |
|---|---|
RESTful pagination, filtering, sorting | Page-based result control with field-level filtering and sort options (1.4 lacks this; 3.0 uses cursor-based pagination instead) |
Library detail endpoints | Direct REST access to library copyrights, licenses, notices, versions, and vulnerability trends (1.4 and 3.0 expose this data only through reports) |
Library vulnerability trend | Track vulnerability trends over time for a specific library |
Whitelist rules | Full CRUD for whitelist rules with apply functionality |
In-house rules (settings-level) | Full CRUD for in-house detection rules with apply functionality |
Summary & aggregation endpoints | Alert totals, library counts by language/license, product/project/scan counts (1.4 uses reports; 3.0 uses statistics/totals) |
Vulnerability lookup | Get vulnerability profiles and remediation proposals by CVE ID |
License reference data | List all available licenses and get license details |
Permissions by role | Get all available permissions grouped by role |
Update request upload | Upload scan update request files |
Exclusive to API 3.0
These capabilities are new in 3.0 and have no equivalent in 1.4 or 2.0.
Capability | Description |
|---|---|
Application entity | Replaces "Product" -- list applications, SBOM import, label assignment, scan listing, violation SLA management, statistics and totals |
Labels | Create and manage labels at the organization level; assign to applications and projects |
SAST / Code findings | List, view, and update code findings at project and scan levels |
Container / Image findings | Security findings, secrets findings, and package data at project and scan levels |
AI security findings | AI implementation weaknesses, AI model inventory, AI vulnerabilities at application and project levels |
AI red teaming | Trigger AI red team test runs |
AI technologies | View AI technologies used in a project |
Scan management | List project scans, get scan details/summary/tags, download scan logs |
Violation tracking | View violations and manage SLA settings at application and project levels |
Vulnerability traces | Effective usage / reachability analysis for vulnerabilities |
SBOM import | Import SBOM files into applications and projects |
Expanded source file management | Match suggestions, search matches, and remapping at org/application/project levels |
User blocking | Block and unblock user accounts |
Logout | Explicit session logout with refresh token revocation |
Integrations | List all configured integrations |
Async reports for all engines | Report generation across all scan types (SCA, SAST, Container, AI) at org, application, and project levels -- including inventory, findings, compliance, SBOM, due diligence, attribution, resolved findings, and suppression reports |
Account-level reporting | Limited set of account-wide reports: dependency inventory, security findings, and security findings by library |
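The 1.4 asynchronous reports (background generation with status polling and a ZIP download) and the 3.0 async report system have the same client-side shape. Below is an added Python example of the consuming side; it is not Mend's code, the status names pending/running/success/failed are assumed placeholders for whatever the real status call returns, and get_status plus the archive bytes stand in for the real status and download calls. It adds two things a practitioner wants that the tables do not mention: poll with exponential backoff and a deadline so a stuck report cannot hang a pipeline, and extract the downloaded archive with the care due to any archive from a network source, refusing members whose path escapes the destination (zip-slip) and archives whose declared size or compression ratio is unreasonable (zip bomb) before writing anything.

```python
"""Consuming an async report: poll with backoff and a deadline, then extract
the downloaded ZIP without trusting member paths or sizes. Added illustration,
not Mend's code. The status vocabulary and the get_status() callback are
ASSUMED placeholders for the real status and download calls."""
import io
import tempfile
import time
import zipfile
from pathlib import Path

TERMINAL = {"success": True, "failed": False}   # ASSUMED status names


def wait_for_report(get_status, timeout=900.0, first_interval=2.0, max_interval=30.0,
                    clock=time.monotonic, sleep=time.sleep):
    """Poll get_status() until a terminal status; returns the number of polls.
    Backoff spares the API on long reports, the deadline bounds a stuck one."""
    deadline = clock() + timeout
    interval, polls = first_interval, 0
    while True:
        status = get_status()
        polls += 1
        if status in TERMINAL:
            if not TERMINAL[status]:
                raise RuntimeError(f"report generation failed after {polls} polls")
            return polls
        remaining = deadline - clock()
        if remaining <= 0:
            raise TimeoutError(f"report still {status!r} after {timeout}s")
        sleep(min(interval, remaining))
        interval = min(interval * 2, max_interval)


def extract_report_zip(zip_bytes, dest_dir, max_total_bytes=512 * 1024 * 1024, max_ratio=200):
    """Validate every member before writing any: paths must stay inside dest_dir
    (zip-slip), declared total size is capped and extreme compression ratios are
    refused (zip bomb). Returns the relative paths written."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        if sum(m.file_size for m in members) > max_total_bytes:
            raise ValueError("archive declares more uncompressed data than allowed")
        targets = []
        for m in members:
            if m.compress_size and m.file_size / m.compress_size > max_ratio:
                raise ValueError(f"{m.filename}: compression ratio looks like a zip bomb")
            if m.filename.startswith(("/", "\\")) or ".." in Path(m.filename).parts:
                raise ValueError(f"{m.filename}: unsafe path in archive")
            target = (dest / m.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"{m.filename}: escapes destination directory")
            targets.append((m, target))
        written = []
        for m, target in targets:
            if m.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(m) as src:
                data = src.read(m.file_size + 1)   # never read past the declared size
            if len(data) > m.file_size:
                raise ValueError(f"{m.filename}: content exceeds declared size")
            target.write_bytes(data)
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries):
    """CONSTRUCTED archive for the demo: entries maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _try_extract(zip_bytes):
    with tempfile.TemporaryDirectory() as d:
        try:
            return extract_report_zip(zip_bytes, d), None
        except ValueError as e:
            return None, str(e)


def demo():
    statuses = iter(["pending", "running", "running", "success"])   # constructed sequence
    waits, now = [], [0.0]

    def fake_sleep(s):   # advance a fake clock instead of blocking
        waits.append(s)
        now[0] += s

    polls = wait_for_report(lambda: next(statuses), clock=lambda: now[0], sleep=fake_sleep)
    good = build_zip({"report.json": b'{"projects": []}', "licenses/MIT.txt": b"MIT License"})
    slip = build_zip({"report.json": b"{}", "../../escape.txt": b"owned"})
    bomb = build_zip({"huge.bin": b"\0" * (8 * 1024 * 1024)})
    extracted, _ = _try_extract(good)
    _, slip_error = _try_extract(slip)
    _, bomb_error = _try_extract(bomb)
    return {"polls": polls, "waits": waits, "extracted": sorted(extracted),
            "slip_error": slip_error, "bomb_error": bomb_error}
```

The validation pass runs over the whole member list before the first write, so a hostile entry late in the archive cannot leave a half-extracted directory behind; the `../../escape.txt` member is refused outright instead of being silently renamed, which makes the event visible in logs.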
Migration Path Summary
Migrating from 1.4 to 2.0
Rewrite all API calls -- Move from the single-endpoint POST model, where requestType in the request body selects the operation, to RESTful endpoints with proper HTTP methods.
Adopt JWT authentication -- Replace UserKey-based auth with the login + Bearer token flow.
Reporting gap -- API 2.0 has no reporting. Keep 1.4 access for reports, or use the 3.0 async report system.
Tags are removed -- No equivalent in 2.0.
Leverage new features -- Pagination, filtering, and sorting enable more efficient data retrieval.
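The two request models this migration step moves between, contrasted in Python as an added example (not Mend's client code). The endpoint paths, the requestType/userKey/jwtToken field names, the login body and the response shapes are assumed placeholders to be checked against the API reference for your version; FakeServer is a constructed stand-in so the example runs offline. The security point: under the 1.4 model the long-lived UserKey is in every request body, so body logging anywhere on the path captures the credential itself, whereas with JWT the secret is presented only at login and the client has to manage the short TTL (renew before expiry, retry once on 401) rather than logging in on every call.

```python
"""Request models side by side: API 1.4 (single POST endpoint, requestType and
UserKey in the body) versus API 2.0/3.0 (login once, then a short-lived JWT as a
Bearer header). Added illustration, not Mend's client; paths, field names
(requestType, userKey, jwtToken) and response shapes are ASSUMED placeholders."""
import json
import time
import urllib.error
import urllib.request

TOKEN_TTL_SECONDS = 10 * 60      # the 10-minute TTL given in the comparison table
REFRESH_MARGIN_SECONDS = 30      # renew this long before the token lapses


def http_json(method, url, headers=None, body=None):
    """Real transport for a live API (not exercised by the offline demo)."""
    req = urllib.request.Request(url, method=method,
                                 data=json.dumps(body).encode() if body is not None else None,
                                 headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


class LegacyClient:
    """1.4 style: the long-lived userKey rides in every request body, so any
    body logging on the path (proxies, APM, debug output) captures the secret."""
    def __init__(self, endpoint, user_key, send=http_json):
        self.endpoint, self.user_key, self.send = endpoint, user_key, send

    def call(self, request_type, **params):
        body = {"requestType": request_type, "userKey": self.user_key, **params}
        status, payload = self.send("POST", self.endpoint, body=body)
        if status != 200:   # report the operation, never the body
            raise RuntimeError(f"{request_type} failed with HTTP {status}")
        return payload


class JwtClient:
    """2.0/3.0 style: the secret is sent once at login; calls carry a JWT that
    expires, so cache it, renew before the TTL lapses, retry once on 401."""
    def __init__(self, base_url, login_path, credentials, send=http_json, clock=time.time):
        self.base_url, self.login_path = base_url.rstrip("/"), login_path
        self.credentials, self.send, self.clock = credentials, send, clock
        self._token, self._expires_at, self.logins = None, 0.0, 0

    def _login(self):
        status, payload = self.send("POST", self.base_url + self.login_path, body=self.credentials)
        if status != 200 or "jwtToken" not in payload:   # field name is an assumption
            raise RuntimeError(f"login failed with HTTP {status}")
        self._token = payload["jwtToken"]
        self._expires_at = self.clock() + TOKEN_TTL_SECONDS - REFRESH_MARGIN_SECONDS
        self.logins += 1

    def _auth_header(self):
        if self._token is None or self.clock() >= self._expires_at:
            self._login()
        return {"Authorization": f"Bearer {self._token}"}

    def get(self, path):
        status, payload = self.send("GET", self.base_url + path, headers=self._auth_header())
        if status == 401:   # revoked or expired server-side: one fresh login, one retry
            self._token = None
            status, payload = self.send("GET", self.base_url + path, headers=self._auth_header())
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return payload


class FakeServer:
    """CONSTRUCTED stand-in: records requests, issues a new token per login,
    and can be told to reject the next non-login request with 401."""
    def __init__(self):
        self.requests, self.tokens_issued, self.reject_next = [], 0, False

    def __call__(self, method, url, headers=None, body=None):
        self.requests.append((method, url, dict(headers or {}), body))
        if url.endswith("/login"):
            self.tokens_issued += 1
            return 200, {"jwtToken": f"jwt-{self.tokens_issued}"}
        if self.reject_next:
            self.reject_next = False
            return 401, {}
        return 200, {"auth": (headers or {}).get("Authorization")}


def demo():
    srv = FakeServer()
    legacy = LegacyClient("https://mend.example/api/v1.4", "USERKEY-SECRET", send=srv)
    legacy.call("getOrganizationDetails", orgToken="ORG-TOKEN")
    legacy_body = srv.requests[-1][3]   # the secret is right there in the body
    now = [1_000.0]   # fake clock so the TTL can be crossed without waiting
    jwt = JwtClient("https://mend.example/api/v2.0", "/login",
                    {"email": "ci-bot@example", "userKey": "USERKEY-SECRET", "orgToken": "ORG-TOKEN"},
                    send=srv, clock=lambda: now[0])
    bearers = [jwt.get("/orgs/ORG-TOKEN/products")["auth"],
               jwt.get("/orgs/ORG-TOKEN/products")["auth"]]   # second call reuses the token
    now[0] += TOKEN_TTL_SECONDS                                 # TTL crossed: silent renewal
    bearers.append(jwt.get("/orgs/ORG-TOKEN/products")["auth"])
    srv.reject_next = True                                      # server rejects: 401 -> retry
    bearers.append(jwt.get("/orgs/ORG-TOKEN/products")["auth"])
    return {"legacy_body_keys": sorted(legacy_body), "bearers": bearers, "logins": jwt.logins}
```

Across four calls the JWT client logs in three times: once initially, once when the fake clock crosses the TTL, and once after the simulated 401; it never logs in per request and never retries a 401 more than once, which keeps a misconfigured credential from turning into a login storm.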
Migrating from 2.0 to 3.0
Products are now Applications -- All product-based workflows must migrate to the application entity.
Alerts are now Findings -- The alert model is replaced by a findings model spanning SCA, SAST, container, and AI scan types.
Tokens are now UUIDs -- All path parameters use UUID format.
Policies, whitelist, and in-house settings have no 3.0 equivalent -- Evaluate alternative workflows.
Library detail endpoints are removed -- Use the async reports system for SBOM, due diligence, and attribution data.
Summary endpoints are replaced -- Use the new statistics and totals endpoints.
Migrating from 1.4 directly to 3.0
All changes from both migration paths above apply.
Many 1.4 report types have no equivalent -- Comparison reports, risk reports, audit/history reports, members reports, and license compatibility reports are not in 3.0.
Issue tracker integration is removed -- No direct equivalent in 3.0.