Skip to main content

Prerequisites

Before using the SCANOSS API, ensure you have:
  • SCANOSS API key
  • curl: Command-line tool (pre-installed on Linux/macOS)
  • jq (optional): JSON processor for readable output

Authentication Setup

Configure your API key as an environment variable: 
# Set API key
export SCANOSS_API_KEY="your-api-key-here"

# Verify configuration
echo $SCANOSS_API_KEY
Persistent Configuration (Optional): 
# Add to shell profile for persistence
echo 'export SCANOSS_API_KEY="your-api-key-here"' >> ~/.bashrc
source ~/.bashrc

GetComponentAlgorithms

Retrieves cryptographic algorithms detected in a single software component.

Request Format

See Common API Types for ComponentRequest documentation.

HTTP Request Example

# Get cryptographic algorithms for a component
curl -X GET 'https://api.scanoss.com/v2/cryptography/algorithms/component?purl=pkg:github/scanoss/engine' \
  -H "X-Api-Key: $SCANOSS_API_KEY" | jq

Response Examples

Successful Response

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "version": "5.0.0",
    "requirement": ">=5.0.0",
    "algorithms": [
      {
        "algorithm": "AES",
        "strength": "Strong"
      },
      {
        "algorithm": "RSA",
        "strength": "Strong"
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Algorithms successfully retrieved"
  }
}

Error Response — Component Not Found

{
  "component": {
    "purl": "pkg:github/unknown/component",
    "version": "",
    "requirement": ">=1.0.0",
    "algorithms": [],
    "error_message": "Component not found in database",
    "error_code": "COMPONENT_NOT_FOUND"
  },
  "status": {
    "status": "SUCCESS",
    "message": "Request processed"
  }
}

Error Response — Invalid PURL

{
  "component": {
    "purl": "invalid-purl-format",
    "version": "",
    "requirement": ">=1.0.0",
    "algorithms": [],
    "error_message": "Invalid PURL format provided",
    "error_code": "INVALID_PURL"
  },
  "status": {
    "status": "SUCCESS",
    "message": "Request processed"
  }
}

Error Handling

Component responses include optional error fields when issues occur during processing:
  • error_message: Human-readable description of the error
  • error_code: Machine-readable error code for programmatic handling

Error Codes

CodeDescription
INVALID_PURLThe provided PURL format is invalid
COMPONENT_NOT_FOUNDThe component was not found in the database
NO_INFONo cryptographic information is available for the component
INVALID_SEMVERThe provided version requirement is invalid
Note: When a component-level error occurs, the overall response status remains "SUCCESS" because the request itself was processed successfully. Component-level errors are indicated within the individual component object.

GetComponentsAlgorithms

Retrieves cryptographic algorithms detected across multiple software components in a single request.

Request Format

See Common API Types for ComponentsRequest documentation.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/cryptography/algorithms/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SCANOSS_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq

Response Examples

Successful Response

{
  "components": [
    {
      "purl": "pkg:github/scanoss/engine",
      "requirement": ">=5.0.0",
      "version": "5.0.0",
      "algorithms": [
        {
          "algorithm": "AES",
          "strength": "Strong"
        },
        {
          "algorithm": "RSA",
          "strength": "Strong"
        }
      ]
    },
    {
      "purl": "pkg:github/scanoss/scanoss.py",
      "requirement": "~1.30.0",
      "version": "v1.30.0",
      "algorithms": [
        {
          "algorithm": "SHA-256",
          "strength": "Strong"
        }
      ]
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Algorithms successfully retrieved"
  }
}

Mixed Response with Error

{
  "components": [
    {
      "purl": "pkg:github/scanoss/engine",
      "requirement": ">=5.0.0",
      "version": "5.0.0",
      "algorithms": [
        {
          "algorithm": "AES",
          "strength": "Strong"
        }
      ]
    },
    {
      "purl": "pkg:github/unknown/component",
      "requirement": ">=1.0.0",
      "version": "",
      "algorithms": [],
      "error_message": "Component not found in database",
      "error_code": "COMPONENT_NOT_FOUND"
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Batch request processed"
  }
}

GetComponentAlgorithmsInRange

Analyses a single software component across a specified version range and returns all cryptographic algorithms detected, along with the versions in which each algorithm appears. Use this endpoint to audit cryptographic changes across a component’s release history.

Request Format

See Common API Types for ComponentRequest documentation.

HTTP Request Example

curl -X GET 'https://api.scanoss.com/v2/cryptography/algorithms/range/component?purl=pkg:github/scanoss/engine&requirement=>=1.0.0' \
  -H "X-Api-Key: $SCANOSS_API_KEY" | jq

Response Format

The response contains the following fields:
  • component object: Contains the component analysis results
    • purl: The PURL of the requested component
    • versions array: Component versions in which at least one cryptographic algorithm was detected
    • algorithms array: All cryptographic algorithms found across the specified version range
  • status: Response status indicating success or failure
Each algorithm object contains:
  • algorithm: Algorithm name (e.g. "AES", "RSA", "MD5")
  • strength: Strength classification ("Strong" or "Weak")

Response Examples

Component with Algorithms Across Versions

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "versions": ["1.0.0", "2.0.0", "3.0.0", "5.0.0"],
    "algorithms": [
      {
        "algorithm": "AES",
        "strength": "Strong"
      },
      {
        "algorithm": "RSA",
        "strength": "Strong"
      },
      {
        "algorithm": "MD5",
        "strength": "Weak"
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Algorithms in range successfully retrieved"
  }
}

Component Not Found

{
  "component": {
    "purl": "pkg:github/example/simple-utility",
    "versions": [],
    "algorithms": [],
    "error_message": "Component not found: 'pkg:github/example/simple-utility'",
    "error_code": "COMPONENT_NOT_FOUND"
  },
  "status": {
    "status": "SUCCESS",
    "message": "Algorithms in range successfully retrieved"
  }
}

GetComponentsAlgorithmsInRange

Analyses multiple software components across specified version ranges and returns cryptographic algorithms for each in a single request.

Request Format

See Common API Types for ComponentsRequest documentation.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/cryptography/algorithms/range/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SCANOSS_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=1.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }'

GetComponentVersionsInRange

Analyses a single software component and returns two lists: versions that contain cryptographic algorithms, and versions that do not. Use this endpoint to determine at which point in a component’s release history cryptographic functionality was introduced or removed.

Request Format

See Common API Types for ComponentRequest documentation.

HTTP Request Example

curl -X GET 'https://api.scanoss.com/v2/cryptography/algorithms/versions/range/component?purl=pkg:github/scanoss/engine&requirement=>=1.0.0' \
  -H "X-Api-Key: $SCANOSS_API_KEY" | jq

Response Example

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "versions_with": ["2.0.0", "3.0.0", "4.0.0", "5.0.0"],
    "versions_without": ["1.0.0", "1.5.0"]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Version ranges successfully retrieved"
  }
}

GetComponentHintsInRange

Retrieves cryptographic hints for a single component, identifying the cryptographic protocols, libraries, SDKs, and frameworks detected within it.

Request Format

See Common API Types for ComponentRequest documentation.

HTTP Request Example

curl -X GET 'https://api.scanoss.com/v2/cryptography/hints/component?purl=pkg:github/scanoss/engine&requirement=>=5.0.0' \
  -H "X-Api-Key: $SCANOSS_API_KEY" | jq

Response Format

The response contains the following fields:
  • component object: Contains the component analysis results
    • purl: The PURL of the requested component
    • version: The specific version analysed
    • hints array: Cryptographic hints detected in the component
  • status: Response status indicating success or failure
Each hint object contains:
  • id: Unique identifier for the hint
  • name: Name of the cryptographic entity detected
  • description: Description of the detected usage or implementation
  • category: Classification of the hint (see categories below)
  • url: Reference URL for further information
  • purl: PURL of the detected entity, where available

Hint Categories

Hints are classified into the following categories:
CategoryDescription
protocolCryptographic protocols (e.g. TLS, SSH, HTTPS)
libraryCryptographic libraries (e.g. OpenSSL, Bouncy Castle)
sdkSoftware development kits with cryptographic capabilities
frameworkFrameworks that include cryptographic functionality

Response Examples

Component with Cryptographic Hints

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "version": "5.0.0",
    "hints": [
      {
        "id": "openssl-hint-001",
        "name": "OpenSSL",
        "description": "Cryptographic library providing SSL/TLS protocol support",
        "category": "library",
        "url": "https://www.openssl.org/",
        "purl": "pkg:generic/openssl@3.0.0"
      },
      {
        "id": "tls-protocol-001",
        "name": "TLS 1.3",
        "description": "Transport Layer Security protocol implementation",
        "category": "protocol",
        "url": "https://tools.ietf.org/html/rfc8446",
        "purl": ""
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Cryptographic hints successfully retrieved"
  }
}

Component with No Cryptographic Hints

{
  "component": {
    "purl": "pkg:github/example/simple-utility",
    "version": "1.0.0",
    "hints": [],
    "error_message": "No info found for: pkg:github/example/simple-utility",
    "error_code": "NO_INFO"
  },
  "status": {
    "status": "SUCCESS",
    "message": "Cryptographic hints successfully retrieved"
  }
}

GetComponentsHintsInRange

Retrieves cryptographic hints for multiple components in a single request, returning the cryptographic protocols, libraries, SDKs, and frameworks detected across all specified components.

Request Format

See Common API Types for ComponentsRequest documentation.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/cryptography/hints/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SCANOSS_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq