
# Get vulnerability information for a single software component.

> Analyzes the component and returns known vulnerabilities including CVE details,
severity scores, publication dates, and other security metadata.
Vulnerability data is sourced from various security databases and feeds.

See: https://github.com/scanoss/papi/blob/main/protobuf/scanoss/api/vulnerabilities/v2/README.md?tab=readme-ov-file#getcomponentvulnerabilities



## OpenAPI

````yaml /api-reference/vulnerabilities-openapi.json get /v2/vulnerabilities/component
# OpenAPI 3.0 description of the SCANOSS component vulnerability lookup.
openapi: 3.0.0
info:
  title: SCANOSS Vulnerability Service
  description: >-
    Vulnerability service provides vulnerability intelligence for software
    components.
  version: '2.0'
  contact:
    name: scanoss-vulnerabilities
    url: https://github.com/scanoss/vulnerabilities
    email: support@scanoss.com
# Two base URLs are declared and the cleartext http:// entry is listed first.
# OpenAPI tooling commonly preselects the first server, so a generated client
# or "try it" console may send the queried component names unencrypted.
# NOTE(review): prefer the https:// entry; consider listing it first.
servers:
  - url: http://api.scanoss.com
  - url: https://api.scanoss.com
# An empty top-level security list declares that no operation requires
# authentication, and this document defines no securitySchemes under
# components. NOTE(review): if the deployed service expects a credential, it
# is not described here - confirm against the service before relying on this.
security: []
tags:
  - name: Vulnerabilities
# Single GET operation: look up known vulnerabilities for one component.
paths:
  /v2/vulnerabilities/component:
    get:
      tags:
        - Vulnerabilities
      summary: Get vulnerability information for a single software component.
      description: >-
        Analyzes the component and returns known vulnerabilities including CVE
        details,

        severity scores, publication dates, and other security metadata.

        Vulnerability data is sourced from various security databases and feeds.


        See:
        https://github.com/scanoss/papi/blob/main/protobuf/scanoss/api/vulnerabilities/v2/README.md?tab=readme-ov-file#getcomponentvulnerabilities
      operationId: Vulnerabilities_GetComponentVulnerabilities
      parameters:
        # Required. The value travels in the query string, and a PURL contains
        # ':' and '/' (see the example pkg:github/scanoss/engine), so clients
        # should percent-encode it rather than concatenate it into the URL.
        # The schema is an unconstrained string (no pattern or maxLength), so
        # this document leaves all PURL validation to the server; the
        # INVALID_PURL info_code is how a rejected value is reported.
        - name: purl
          description: Package URL identifying the component to analyze.
          in: query
          required: true
          schema:
            type: string
        # Optional. Also an unconstrained string; an unparsable value is
        # reported through the INVALID_SEMVER info_code.
        - name: requirement
          description: >-
            Version constraint for component resolution when PURL lacks explicit
            version.
          in: query
          required: false
          schema:
            type: string
      responses:
        # HTTP 200 does not by itself mean the component was resolved: the
        # v2ComponentVulnerabilityResponse description shows an unknown
        # component returned with status SUCCESS, an empty vulnerabilities
        # list and info_code COMPONENT_NOT_FOUND. Callers gating a build or
        # release on this endpoint should inspect info_code before treating an
        # empty list as "no known vulnerabilities".
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/v2ComponentVulnerabilityResponse'
        # The 404 body is declared as a bare string, not the rpcStatus object
        # used by the default response, so error handling has to accept both
        # shapes. "format: string" adds nothing beyond "type: string".
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema:
                type: string
                format: string
        # Any other status code carries an rpcStatus object.
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/rpcStatus'
components:
  schemas:
    # Top-level 200 response: one component block plus a request-level status.
    v2ComponentVulnerabilityResponse:
      type: object
      # Success-case sample. It carries no info_code or info_message; those
      # fields appear in the error-case sample inside the description below.
      example:
        component:
          purl: pkg:github/scanoss/engine
          # NOTE(review): '=>' is not the usual spelling of a greater-or-equal
          # constraint ('>='); confirm which form the service actually accepts
          # before copying this sample into a client.
          requirement: '=>1.0.0'
          version: 1.0.0
          vulnerabilities:
            - id: CVE-1999-0214
              cve: CVE-1999-0214
              url: https://nvd.nist.gov/vuln/detail/CVE-1999-0214
              summary: Denial of service by sending forged ICMP unreachable packets
              severity: High
              published: '1992-07-21'
              modified: '2025-04-02'
              source: NVD
              cvss:
                - cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                  cvss_score: 7.5
                  cvss_severity: High
              epss:
                probability: 0.00483
                percentile: 0.64405
        status:
          status: SUCCESS
          message: Vulnerabilities Successfully retrieved
      properties:
        component:
          $ref: '#/components/schemas/v2ComponentVulnerabilityInfo'
        status:
          $ref: '#/components/schemas/v2StatusResponse'
      # The error sample embedded below pairs status SUCCESS with info_code
      # COMPONENT_NOT_FOUND and an empty vulnerabilities list. The request-level
      # status therefore says nothing about whether the component was resolved;
      # a consumer that reads only status and the list length will record an
      # unresolved component as having no known vulnerabilities.
      description: >-
        Success example. For error cases, the component block reports the
        processing status via info_message and info_code. Example:
        {"component":{"purl":"pkg:github/unknown/component","requirement":"","version":"","vulnerabilities":[],"info_message":"Component
        not found in
        database","info_code":"COMPONENT_NOT_FOUND"},"status":{"status":"SUCCESS","message":"Request
        processed"}}
    # Error envelope returned by the operation's default response: a numeric
    # code, a message and a list of protobufAny detail objects.
    rpcStatus:
      type: object
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
        # Each item is a protobufAny, which permits arbitrary extra fields;
        # treat the contents as untyped data when logging or displaying them.
        details:
          type: array
          items:
            $ref: '#/components/schemas/protobufAny'
    # Per-component result: the resolved identity, the vulnerability list and
    # the outcome of processing (info_code / info_message).
    v2ComponentVulnerabilityInfo:
      type: object
      properties:
        purl:
          type: string
          description: >-
            Package URL (PURL) uniquely identifying the component. See Common
            API Types documentation for format and resolution logic.
        # The version the service analysed. The error sample in
        # v2ComponentVulnerabilityResponse shows it as an empty string when the
        # component could not be resolved.
        version:
          type: string
          title: Specific version of the component that was analyzed
        requirement:
          type: string
          title: >-
            Echoes the client's version constraint from the request. See Common
            API Types documentation for resolution logic
        # An empty list is ambiguous on its own: read it together with
        # info_code before concluding the component has no known issues.
        vulnerabilities:
          type: array
          items:
            $ref: '#/components/schemas/v2Vulnerability'
          title: List of known vulnerabilities affecting this component
        info_message:
          type: string
          description: Status message describing the outcome of processing this component.
        # Declared as a free-form string, not an enum, so the five values in
        # the description are documentation only and are not enforced by the
        # schema. INVALID_PURL, COMPONENT_NOT_FOUND, INVALID_SEMVER and
        # VERSION_NOT_FOUND mean the lookup did not resolve; NO_INFO means no
        # vulnerability data is available. None of them is a clean result.
        info_code:
          type: string
          description: |-
            Status code identifying the outcome of processing this component.

            Possible values:
              - "INVALID_PURL":        The provided Package URL (PURL) is invalid or malformed.
              - "COMPONENT_NOT_FOUND": The requested component could not be found in the database.
              - "NO_INFO":             No vulnerability information is available for the requested component.
              - "INVALID_SEMVER":      The provided semantic version (SemVer) is invalid or malformed.
              - "VERSION_NOT_FOUND":   The specific component version could not be found.
      description: >-
        Vulnerability information for a specific component identified by PURL
        and version.


        Contains comprehensive vulnerability details including CVE information,
        severity scores,

        and security metadata for software components.
    # Request-level status block: a v2StatusCode, a message, and optional
    # database and server version details.
    v2StatusResponse:
      type: object
      properties:
        # Request-level outcome only; per-component failures are reported in
        # v2ComponentVulnerabilityInfo.info_code, not here.
        status:
          $ref: '#/components/schemas/v2StatusCode'
        message:
          type: string
          title: Status message
        db:
          $ref: '#/components/schemas/StatusResponseDB'
        server:
          $ref: '#/components/schemas/StatusResponseServer'
      description: Detailed response details.
    # Open-ended detail object used in rpcStatus.details: a '@type' string
    # plus any additional properties of any type.
    protobufAny:
      type: object
      properties:
        '@type':
          type: string
      # The empty schema places no constraint on extra fields, so a client
      # cannot validate this payload against the spec.
      # NOTE(review): avoid selecting a deserialiser from '@type' alone.
      additionalProperties: {}
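    # One vulnerability record: identifiers, reference URL, summary, severity,
    # publication and modification dates, source feed, CVSS entries and EPSS.
    v2Vulnerability:
      type: object
      properties:
        # The sample in this document shows id equal to cve.
        # NOTE(review): presumably id holds a non-CVE identifier for records
        # without a CVE - confirm against the service.
        id:
          type: string
          title: Internal vulnerability identifier
        cve:
          type: string
          title: Common Vulnerabilities and Exposures (CVE) identifier
        url:
          type: string
          title: Reference URL to vulnerability details or advisory
        summary:
          type: string
          title: Brief description or summary of the vulnerability
        # Free-form string, separate from the per-entry cvss_severity in the
        # cvss list; the schema does not state how the two relate.
        severity:
          type: string
          title: General severity level (e.g., "High", "Critical", "Medium", "Low")
        # Declared as plain strings with no "format". The sample in this
        # document shows date-only values ('1992-07-21'), so parsers should
        # not assume a time component is present.
        published:
          type: string
          title: ISO 8601 timestamp when the vulnerability was first published
        modified:
          type: string
          title: ISO 8601 timestamp when the vulnerability was last modified
        # Title corrected from "NDV" to "NVD", the value shown in the sample.
        source:
          type: string
          title: >-
            Source database or feed that provided this vulnerability
            information. NVD or OSV
        # A list, so one record may carry more than one CVSS entry; read the
        # version prefix of each vector before comparing scores.
        cvss:
          type: array
          items:
            $ref: '#/components/schemas/v2CVSS'
          title: CVSS (Common Vulnerability Scoring System)
        epss:
          $ref: '#/components/schemas/v2EPSS'
      description: >-
        Individual vulnerability information with security metadata.


        Contains comprehensive vulnerability details including identifiers,
        severity scores,

        publication dates, and descriptive information from various security
        databases.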
    # Request-level status values used by v2StatusResponse.status.
    # The default is UNSPECIFIED, so a missing or unset status should not be
    # read as SUCCESS. This document does not define what distinguishes
    # SUCCEEDED_WITH_WARNINGS from WARNING - confirm before branching on them.
    v2StatusCode:
      type: string
      enum:
        - UNSPECIFIED
        - SUCCESS
        - SUCCEEDED_WITH_WARNINGS
        - WARNING
        - FAILED
      default: UNSPECIFIED
      description: Status code Enum.
    # Version information for the database behind the response.
    StatusResponseDB:
      type: object
      properties:
        schema_version:
          type: string
          title: Semantic schema version (e.g., 'v1.0.0')
        # Build time of the database. A consumer can record it alongside each
        # result to judge how current the vulnerability data was.
        created_at:
          type: string
          title: When this DB was built (ISO 8601 format)
      description: Database version information.
    # Version of the server that produced the response.
    StatusResponseServer:
      type: object
      properties:
        version:
          type: string
          title: Semantic version (e.g., 'v1.0.0')
      description: Server information.
    # One CVSS entry for a vulnerability: vector string, numeric score and
    # qualitative severity. v2Vulnerability.cvss holds a list of these.
    v2CVSS:
      type: object
      properties:
        # The vector's prefix names the CVSS version ("CVSS:3.1" in the
        # samples); the title says it holds base metrics.
        cvss:
          type: string
          title: >-
            CVSS vector string containing base metrics (e.g.,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
        # The 0.0-10.0 range is stated in the title only; the schema sets no
        # minimum or maximum, so validate the range client-side if it matters.
        cvss_score:
          type: number
          format: float
          title: >-
            CVSS numerical score ranging from 0.0 to 10.0, calculated from the
            base metrics
        # Free-form string, not an enum. The bands quoted in the title are the
        # CVSS v3.x qualitative scale.
        # NOTE(review): confirm what is emitted for vectors of other versions.
        cvss_severity:
          type: string
          title: >-
            CVSS qualitative severity rating derived from the numerical score:
            "None" (0.0), "Low" (0.1-3.9), "Medium" (4.0-6.9), "High" (7.0-8.9),
            "Critical" (9.0-10.0)
      description: >-
        Common Vulnerability Scoring System (CVSS) information.


        CVSS provides a standardized method for rating IT vulnerabilities and
        determining

        response priorities. Contains the complete CVSS metrics including vector
        strings,

        numerical scores, and qualitative severity ratings.
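    # EPSS data for a vulnerability: an exploitation probability and its
    # percentile rank. Both are estimates of likelihood, not of impact, so
    # they complement the CVSS severity and do not replace it.
    v2EPSS:
      type: object
      properties:
        # The 0.0-1.0 ranges are stated in the titles only; the schema sets no
        # minimum or maximum.
        percentile:
          type: number
          format: float
          title: >-
            Percentile ranking (0.0 to 1.0) indicating the proportion of
            vulnerabilities with lower or equal EPSS scores
        probability:
          type: number
          format: float
          title: >-
            Probability (0.0 to 1.0) estimating the likelihood of exploitation
            in the next 30 days
      # Description fixed: the word "probability" was duplicated across the
      # line break ("both a probability probability and a percentile").
      description: >-
        Exploit Prediction Scoring System (EPSS) information.


        EPSS is a data-driven model for estimating the probability that a
        software

        vulnerability will be exploited in the wild. It provides both a
        probability

        and a percentile ranking relative to all other
        vulnerabilities.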

````