
# Get vulnerability information for multiple software components in a single request.

> Analyzes multiple components and returns known vulnerabilities for each, including CVE details,
severity scores, publication dates, and other security metadata.
Vulnerability data is sourced from various security databases and feeds.

See: https://github.com/scanoss/papi/blob/main/protobuf/scanoss/api/vulnerabilities/v2/README.md?tab=readme-ov-file#getcomponentsvulnerabilities



## OpenAPI

````yaml /api-reference/vulnerabilities-openapi.json post /v2/vulnerabilities/components
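openapi: 3.0.0
info:
  title: SCANOSS Vulnerability Service
  description: >-
    Vulnerability service provides vulnerability intelligence for software
    components.
  version: '2.0'
  contact:
    name: scanoss-vulnerabilities
    url: https://github.com/scanoss/vulnerabilities
    email: support@scanoss.com
# The HTTPS endpoint is listed first because tooling that picks a default base
# URL commonly takes the first entry. The plain-HTTP entry is kept for
# compatibility; requests sent to it (the component list, plus any credential
# header a client attaches) cross the network unencrypted.
servers:
  - url: https://api.scanoss.com
  - url: http://api.scanoss.com
# An empty list means this document declares no security requirement, and no
# securitySchemes are defined under components.
# NOTE(review): how a given deployment authenticates requests is not described
# here; confirm before relying on this spec for client configuration.
security: []
tags:
  - name: Vulnerabilities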
# One operation: POST a batch of component PURLs and receive vulnerability
# data for each component.
paths:
  /v2/vulnerabilities/components:
    post:
      tags:
        - Vulnerabilities
      summary: >-
        Get vulnerability information for multiple software components in a
        single request.
      description: >-
        Analyzes multiple components and returns known vulnerabilities for each
        including CVE details,

        severity scores, publication dates, and other security metadata.

        Vulnerability data is sourced from various security databases and feeds.


        See:
        https://github.com/scanoss/papi/blob/main/protobuf/scanoss/api/vulnerabilities/v2/README.md?tab=readme-ov-file#getcomponentsvulnerabilities
      operationId: Vulnerabilities_GetComponentsVulnerabilities
      # The referenced request body is marked `required: true`.
      requestBody:
        $ref: '#/components/requestBodies/v2ComponentsRequest'
      responses:
        # A 200 does not mean every component was assessed: the response
        # schema's own description shows an overall SUCCESS status next to a
        # component reporting COMPONENT_NOT_FOUND. Check each component's
        # info_code before treating the result as complete.
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/v2ComponentsVulnerabilityResponse'
        # Declared as a bare JSON string, unlike the structured rpcStatus
        # object used by `default`; error handling needs to accept both shapes.
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema:
                type: string
                format: string
        # Catch-all for every status code not listed above.
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/rpcStatus'
components:
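  requestBodies:
    # Shared body for the batch endpoint; `required: true` means a request
    # without a JSON body does not conform to this spec.
    v2ComponentsRequest:
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/v2ComponentsRequest'
      description: >-
        Represents a list of software components to be analyzed by SCANOSS API
        services.

        Allows analysis of multiple software components in a single API call,
        improving performance over individual requests.
      required: true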
  schemas:
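    # Batch response: one entry per requested component plus an overall status.
    v2ComponentsVulnerabilityResponse:
      type: object
      # Illustrative payload showing the response shape.
      example:
        components:
          - purl: pkg:github/scanoss/engine
            requirement: 1.0.0
            version: 1.0.0
            vulnerabilities:
              - id: CVE-1999-0214
                cve: CVE-1999-0214
                url: https://nvd.nist.gov/vuln/detail/CVE-1999-0214
                summary: Denial of service by sending forged ICMP unreachable packets
                severity: High
                published: '1992-07-21'
                modified: '2025-04-02'
                source: NVD
                cvss:
                  - cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    cvss_score: 7.5
                    cvss_severity: High
                epss:
                  probability: 0.00483
                  percentile: 0.64405
          - purl: pkg:github/scanoss/scanoss.py
            requirement: v1.30.0
            version: v1.30.0
            vulnerabilities:
              - id: CVE-2024-54321
                cve: CVE-2024-54321
                url: https://nvd.nist.gov/vuln/detail/CVE-2024-54321
                summary: Denial of service vulnerability
                severity: Medium
                published: '2024-01-15'
                modified: '2024-02-01'
                # Was "NDV"; corrected to match the NVD URL on this entry and
                # the `source: NVD` value of the first example entry.
                source: NVD
                cvss:
                  - cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
                    cvss_score: 4.3
                    cvss_severity: Medium
                epss:
                  probability: 0.0012
                  percentile: 0.3162
        status:
          status: SUCCESS
          message: Vulnerabilities Successfully retrieved
      properties:
        components:
          type: array
          items:
            $ref: '#/components/schemas/v2ComponentVulnerabilityInfo'
          title: Vulnerability information for each component in the batch
        # Overall request status only. Per-component failures are reported on
        # the component entries (info_code / info_message), as the JSON sample
        # in the description below shows: status SUCCESS alongside a component
        # with COMPONENT_NOT_FOUND and an empty vulnerabilities list.
        status:
          $ref: '#/components/schemas/v2StatusResponse'
      description: >-
        Success example. For error cases, each component block reports the
        processing status via info_message and info_code. Example:
        {"components":[{"purl":"pkg:github/scanoss/engine","requirement":"1.0.0","version":"1.0.0","vulnerabilities":[{"id":"CVE-1999-0214","cve":"CVE-1999-0214"}]},{"purl":"pkg:github/unknown/component","requirement":"","version":"","vulnerabilities":[],"info_message":"Component
        not found in
        database","info_code":"COMPONENT_NOT_FOUND"}],"status":{"status":"SUCCESS","message":"Request
        processed"}}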
    # Error envelope returned by the operation's `default` response.
    rpcStatus:
      type: object
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
        # Items are protobufAny objects, which accept arbitrary extra
        # properties; treat their contents as unstructured when logging or
        # displaying errors.
        details:
          type: array
          items:
            $ref: '#/components/schemas/protobufAny'
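    # Request payload: the batch of components to look up.
    v2ComponentsRequest:
      type: object
      example:
        components:
          - purl: pkg:github/scanoss/engine@1.0.0
          - purl: pkg:github/scanoss/scanoss.py@v1.30.0
      properties:
        # No minItems/maxItems is declared, so the schema itself puts no bound
        # on batch size.
        # NOTE(review): confirm whether the service enforces a limit before
        # sending very large batches.
        components:
          type: array
          items:
            $ref: '#/components/schemas/v2ComponentRequest'
          title: Array of component requests to analyze
      description: >-
        Represents a list of software components to be analyzed by SCANOSS API
        services.

        Allows analysis of multiple software components in a single API call,
        improving performance over individual requests.
      required:
        - components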
    # Per-component result: the resolved identity, its vulnerabilities, and a
    # processing status for that component.
    v2ComponentVulnerabilityInfo:
      type: object
      properties:
        purl:
          type: string
          description: >-
            Package URL (PURL) uniquely identifying the component. See Common
            API Types documentation for format and resolution logic.
        version:
          type: string
          title: Specific version of the component that was analyzed
        requirement:
          type: string
          title: >-
            Echoes the client's version constraint from the request. See Common
            API Types documentation for resolution logic
        # An empty list is not by itself a clean result. When info_code is
        # COMPONENT_NOT_FOUND, NO_INFO, VERSION_NOT_FOUND, INVALID_PURL or
        # INVALID_SEMVER, the component was not matched or has no data, so
        # "no vulnerabilities listed" must not be read as "not vulnerable".
        vulnerabilities:
          type: array
          items:
            $ref: '#/components/schemas/v2Vulnerability'
          title: List of known vulnerabilities affecting this component
        info_message:
          type: string
          description: Status message describing the outcome of processing this component.
        # Declared as a free-form string, not an enum; the values below are
        # documented in prose only.
        # NOTE(review): whether this field is omitted or empty on success is
        # not stated here; confirm before keying logic on its absence.
        info_code:
          type: string
          description: |-
            Status code identifying the outcome of processing this component.

            Possible values:
              - "INVALID_PURL":        The provided Package URL (PURL) is invalid or malformed.
              - "COMPONENT_NOT_FOUND": The requested component could not be found in the database.
              - "NO_INFO":             No vulnerability information is available for the requested component.
              - "INVALID_SEMVER":      The provided semantic version (SemVer) is invalid or malformed.
              - "VERSION_NOT_FOUND":   The specific component version could not be found.
      description: >-
        Vulnerability information for a specific component identified by PURL
        and version.


        Contains comprehensive vulnerability details including CVE information,
        severity scores,

        and security metadata for software components.
    # Overall status block attached to a response: a status code, a message,
    # and version details for the database and the server.
    v2StatusResponse:
      type: object
      properties:
        status:
          $ref: '#/components/schemas/v2StatusCode'
        message:
          type: string
          title: Status message
        # created_at in this object records when the vulnerability DB was
        # built, which is useful for judging how current the returned data is.
        db:
          $ref: '#/components/schemas/StatusResponseDB'
        server:
          $ref: '#/components/schemas/StatusResponseServer'
      description: Detailed response details.
    # Open-ended object used for rpcStatus.details entries.
    protobufAny:
      type: object
      properties:
        '@type':
          type: string
      # An empty schema here permits any additional properties of any type.
      additionalProperties: {}
    # One component to look up; only purl is mandatory.
    v2ComponentRequest:
      type: object
      example:
        purl: pkg:github/scanoss/engine@1.0.0
      properties:
        # Plain string with no pattern constraint in this schema. A malformed
        # value is reported per component through info_code INVALID_PURL in
        # the response.
        purl:
          type: string
          description: Package URL identifying the component to analyze.
        requirement:
          type: string
          description: >-
            Version constraint for component resolution when PURL lacks explicit
            version.
      description: >-
        Represents a software component to be analyzed by SCANOSS API services.

        Combines a Package URL for component identification with optional
        version constraints for resolution.
      required:
        - purl
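    # A single vulnerability record attached to a component.
    v2Vulnerability:
      type: object
      properties:
        id:
          type: string
          title: Internal vulnerability identifier
        cve:
          type: string
          title: Common Vulnerabilities and Exposures (CVE) identifier
        # Plain string (no `format: uri`). Consumers that render it as a link
        # should validate the scheme and host first.
        url:
          type: string
          title: Reference URL to vulnerability details or advisory
        summary:
          type: string
          title: Brief description or summary of the vulnerability
        # General level, separate from the per-vector cvss_severity values in
        # the cvss array below.
        severity:
          type: string
          title: General severity level (e.g., "High", "Critical", "Medium", "Low")
        # No `format` is declared for the two date fields; the response
        # example in this spec shows date-only values such as '2024-01-15'.
        published:
          type: string
          title: ISO 8601 timestamp when the vulnerability was first published
        modified:
          type: string
          title: ISO 8601 timestamp when the vulnerability was last modified
        # Title previously read "NDV or OSV"; corrected to NVD, matching the
        # `source: NVD` value and nvd.nist.gov URLs in the response example.
        source:
          type: string
          title: >-
            Source database or feed that provided this vulnerability
            information. NVD or OSV
        # An array, so one vulnerability may carry more than one CVSS entry.
        cvss:
          type: array
          items:
            $ref: '#/components/schemas/v2CVSS'
          title: CVSS (Common Vulnerability Scoring System)
        epss:
          $ref: '#/components/schemas/v2EPSS'
      description: >-
        Individual vulnerability information with security metadata.


        Contains comprehensive vulnerability details including identifiers,
        severity scores,

        publication dates, and descriptive information from various security
        databases.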
    # Overall request status values.
    # NOTE(review): the distinction between SUCCEEDED_WITH_WARNINGS and
    # WARNING is not documented here; confirm before branching on it.
    v2StatusCode:
      type: string
      enum:
        - UNSPECIFIED
        - SUCCESS
        - SUCCEEDED_WITH_WARNINGS
        - WARNING
        - FAILED
      # UNSPECIFIED is the declared default, so a client should not treat a
      # missing status as SUCCESS.
      default: UNSPECIFIED
      description: Status code Enum.
    # Version and build time of the database behind the response.
    StatusResponseDB:
      type: object
      properties:
        schema_version:
          type: string
          title: Semantic schema version (e.g., 'v1.0.0')
        # Build time of the DB; results cannot reflect advisories published
        # after this point.
        created_at:
          type: string
          title: When this DB was built (ISO 8601 format)
      description: Database version information.
    # Version of the server that produced the response.
    StatusResponseServer:
      type: object
      properties:
        version:
          type: string
          title: Semantic version (e.g., 'v1.0.0')
      description: Server information.
    # One CVSS assessment: vector string, numeric score and qualitative rating.
    v2CVSS:
      type: object
      properties:
        # The version prefix in the vector (CVSS:3.1 in the example) tells a
        # consumer which CVSS version the score and rating belong to.
        cvss:
          type: string
          title: >-
            CVSS vector string containing base metrics (e.g.,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
        # Per the title, this is derived from base metrics only.
        cvss_score:
          type: number
          format: float
          title: >-
            CVSS numerical score ranging from 0.0 to 10.0, calculated from the
            base metrics
        # Free-form string rather than an enum; the bands in the title are
        # documentation, not schema validation.
        cvss_severity:
          type: string
          title: >-
            CVSS qualitative severity rating derived from the numerical score:
            "None" (0.0), "Low" (0.1-3.9), "Medium" (4.0-6.9), "High" (7.0-8.9),
            "Critical" (9.0-10.0)
      description: >-
        Common Vulnerability Scoring System (CVSS) information.


        CVSS provides a standardized method for rating IT vulnerabilities and
        determining

        response priorities. Contains the complete CVSS metrics including vector
        strings,

        numerical scores, and qualitative severity ratings.
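    # EPSS data for a vulnerability: an exploitation probability and where
    # that probability ranks among all scored vulnerabilities.
    v2EPSS:
      type: object
      properties:
        # Relative rank, not a likelihood. In this spec's response example a
        # probability of 0.00483 sits at percentile 0.64405, so thresholds on
        # the two fields are not interchangeable.
        percentile:
          type: number
          format: float
          title: >-
            Percentile ranking (0.0 to 1.0) indicating the proportion of
            vulnerabilities with lower or equal EPSS scores
        probability:
          type: number
          format: float
          title: >-
            Probability (0.0 to 1.0) estimating the likelihood of exploitation
            in the next 30 days
      description: >-
        Exploit Prediction Scoring System (EPSS) information.


        EPSS is a data-driven model for estimating the probability that a
        software

        vulnerability will be exploited in the wild. It provides both a
        probability

        score and a percentile ranking relative to all other
        vulnerabilities.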

````