
ComponentsIssues

Batch form of the endpoint: runs Semgrep-based static analysis on each software component listed in the POST body and reports security vulnerabilities, insecure patterns, and code quality issues per component.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/semgrep/issues/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {
        "purl": "pkg:maven/org.apache.commons/commons-lang3",
        "requirement": "3.12.0"
      }
    ]
  }' | jq

Response Format

Returns Semgrep findings grouped by component.
  • components: List of analysed components; a component with no findings is still returned, with an empty files list
  • status: Request execution result (a status value plus a human-readable message)
Each component includes:
  • purl: Component Package URL
  • version: Resolved component version
  • requirement: Version constraint used for analysis
  • files: Files containing detected issues
Each file includes:
  • fileMD5: MD5 digest of the analysed file, identifying the exact file snapshot that was scanned (a lookup key, not a collision-resistant integrity check; the examples below show abbreviated placeholder values, a real MD5 is 32 hex characters)
  • path: File path within the component
  • issues: Detected Semgrep findings
Each issue includes:
  • ruleID: Semgrep rule identifier
  • from: First line of the flagged span (returned as a string in the examples below)
  • to: Last line of the flagged span (also a string)
  • severity: Severity of the matched Semgrep rule (ERROR, WARNING, INFO)

Response Examples

Component with Security Issues

{
  "components": [
    {
      "purl": "pkg:maven/org.apache.commons/commons-lang3",
      "version": "3.12.0",
      "requirement": "3.12.0",
      "files": [
        {
          "fileMD5": "a1b2c3d4e5f6",
          "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
          "issues": [
            {
              "ruleID": "java.lang.security.audit.crypto.weak-hash",
              "from": "156",
              "to": "159",
              "severity": "WARNING"
            },
            {
              "ruleID": "java.lang.security.audit.sql-injection.sql-injection",
              "from": "284",
              "to": "286",
              "severity": "ERROR"
            }
          ]
        },
        {
          "fileMD5": "b2c3d4e5f6a1",
          "path": "src/main/java/org/apache/commons/lang3/Validate.java",
          "issues": [
            {
              "ruleID": "java.lang.security.audit.hardcoded-secret",
              "from": "95",
              "to": "95",
              "severity": "ERROR"
            }
          ]
        }
      ]
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}

Component with No Issues Found

{
  "components": [
    {
      "purl": "pkg:maven/org.springframework/spring-core",
      "version": "5.3.21",
      "requirement": "5.3.21",
      "files": []
    }
  ],
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}

ComponentIssues

Single-component form of the endpoint above: runs Semgrep analysis on one software component, identified by the purl and requirement query parameters, to identify security, quality, and compliance issues.

HTTP Request Example

curl -G 'https://api.scanoss.com/v2/semgrep/issues/component' \
  --data-urlencode 'purl=pkg:maven/org.apache.commons/commons-lang3' \
  --data-urlencode 'requirement=3.12.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq

-G with --data-urlencode percent-encodes the query parameters; a purl pasted raw into the URL works for the value above but breaks once it carries characters such as @, ? or #.

Response Format

Returns Semgrep findings for a single component.
  • component: Analysed component result
  • status: Request execution result (a status value plus a human-readable message)
Component fields:
  • purl: Component Package URL
  • version: Resolved version
  • requirement: Version constraint used for analysis
  • files: Files containing detected issues, with the same file and issue structure as the batch response; empty when nothing was found

Response Examples

Component with Security Issues

{
  "component": {
    "purl": "pkg:maven/org.apache.commons/commons-lang3",
    "version": "3.12.0",
    "requirement": "3.12.0",
    "files": [
      {
        "fileMD5": "a1b2c3d4e5f6",
        "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
        "issues": [
          {
            "ruleID": "java.lang.security.audit.sql-injection.sql-injection",
            "from": "284",
            "to": "286",
            "severity": "ERROR"
          }
        ]
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}

Component with No Issues Found

{
  "component": {
    "purl": "pkg:maven/org.springframework/spring-core",
    "version": "5.3.21",
    "requirement": "5.3.21",
    "files": []
  },
  "status": {
    "status": "SUCCESS",
    "message": "Security analysis completed successfully"
  }
}
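The following Python is an added example and not part of the SCANOSS documentation or SDK. It covers both endpoints above: it builds the POST body for ComponentsIssues, builds a percent-encoded URL for ComponentIssues, and triages either response shape (the batch `components` list or the single `component` object) by severity so the result can gate a build. Only the endpoint paths, the X-Api-Key header, the request body and the response field names come from this page; the helper names, the severity gate, the embedded sample responses (copied, abridged, from the examples above) and the non-success envelope are assumptions made here for illustration.

```python
"""Added example, not SCANOSS code: build requests for the two Semgrep
endpoints above and triage either response shape. Endpoint paths, header and
field names come from this page; helper names and the gate are assumptions."""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.scanoss.com/v2/semgrep/issues"
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def components_request_body(components):
    """JSON body for POST .../components from (purl, requirement) pairs."""
    return json.dumps({"components": [{"purl": p, "requirement": r} for p, r in components]})


def component_issues_url(purl, requirement):
    """URL for GET .../component. urlencode percent-encodes the purl, which a
    raw curl URL does not; needed once a purl carries '@', '?' or '#'."""
    return f"{BASE_URL}/component?" + urllib.parse.urlencode({"purl": purl, "requirement": requirement})


def post_components(components, api_key=None, timeout=30):
    """Live call to the batch endpoint (network + SC_API_KEY; not run below)."""
    key = api_key or os.environ["SC_API_KEY"]
    req = urllib.request.Request(
        f"{BASE_URL}/components", data=components_request_body(components).encode(),
        headers={"Content-Type": "application/json", "X-Api-Key": key}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_status(response):
    """Raise unless the envelope reports SUCCESS: a failed request with an empty
    component list must not be read as 'no issues found'."""
    status = response.get("status", {})
    if status.get("status") != "SUCCESS":
        raise RuntimeError(f"analysis failed: {status.get('message', 'no message')}")
    return True


def iter_issues(response):
    """Yield (purl, path, issue) from either shape: 'components' (batch POST)
    or 'component' (single GET)."""
    comps = response.get("components") or ([response["component"]] if "component" in response else [])
    for comp in comps:
        for f in comp.get("files", []):
            for issue in f.get("issues", []):
                yield comp["purl"], f["path"], issue


def summarise(response):
    """Per-severity counts plus the highest severity seen (None if clean).
    Line numbers arrive as strings on this page; int() them before use."""
    counts, worst = {"INFO": 0, "WARNING": 0, "ERROR": 0}, None
    for _purl, _path, issue in iter_issues(response):
        sev = str(issue.get("severity", "INFO")).upper()
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_RANK.get(sev, -1) > SEVERITY_RANK.get(worst, -1):
            worst = sev
    return counts, worst


def should_fail(response, threshold="ERROR"):
    """Build gate: True when any finding is at or above `threshold`."""
    check_status(response)
    _counts, worst = summarise(response)
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]


# Constructed samples copied (abridged) from the responses shown on this page so
# the helpers run offline; the findings are the page's illustrative values.
SAMPLE_BATCH = {
    "components": [{
        "purl": "pkg:maven/org.apache.commons/commons-lang3",
        "version": "3.12.0", "requirement": "3.12.0",
        "files": [{
            "fileMD5": "a1b2c3d4e5f6",
            "path": "src/main/java/org/apache/commons/lang3/StringUtils.java",
            "issues": [
                {"ruleID": "java.lang.security.audit.crypto.weak-hash",
                 "from": "156", "to": "159", "severity": "WARNING"},
                {"ruleID": "java.lang.security.audit.sql-injection.sql-injection",
                 "from": "284", "to": "286", "severity": "ERROR"}]}]}],
    "status": {"status": "SUCCESS", "message": "Security analysis completed successfully"}}
SAMPLE_CLEAN = {
    "component": {"purl": "pkg:maven/org.springframework/spring-core",
                  "version": "5.3.21", "requirement": "5.3.21", "files": []},
    "status": {"status": "SUCCESS", "message": "Security analysis completed successfully"}}
# Hypothetical non-success envelope (the page documents only SUCCESS); the gate must not treat it as clean.
SAMPLE_FAILED = {"components": [], "status": {"status": "FAILED", "message": "analysis did not run"}}

if __name__ == "__main__":
    print(component_issues_url("pkg:maven/org.apache.commons/commons-lang3", "3.12.0"))
    print(summarise(SAMPLE_BATCH), "gate:", should_fail(SAMPLE_BATCH))
    print(summarise(SAMPLE_CLEAN), "gate:", should_fail(SAMPLE_CLEAN))
```

The gate checks the status envelope before counting findings, so a request that did not complete raises instead of passing as "no issues found"; lower the threshold to WARNING when weak-hash style findings should also block.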

Security Analysis Coverage

Semgrep rules evaluate components across three areas. Findings are pattern matches against the component's source, so a hit marks code worth reviewing rather than a confirmed, exploitable vulnerability; triage ERROR-severity hits first and expect some false positives.

Security Vulnerabilities

  • SQL injection patterns
  • Cross-site scripting (XSS) vulnerabilities
  • Command injection flaws
  • Path traversal vulnerabilities
  • Authentication and authorization bypasses

Insecure Coding Practices and Code Quality Issues

  • Hardcoded secrets and credentials
  • Unsafe cryptographic practices
  • Insecure random number generation
  • Improper input validation
  • Resource leaks and memory management issues

Compliance Rules

  • OWASP Top 10 security risks
  • CWE (Common Weakness Enumeration) categories
  • Language-specific security anti-patterns
  • Framework-specific security misconfigurations

Supported Languages

  • Java