ComponentCpes

Get CPE identifiers for a software component identified by Package URL.

HTTP Request Example

curl -X GET 'https://api.scanoss.com/v2/vulnerabilities/cpes/component?purl=pkg:github/scanoss/engine&requirement=>=5.0.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq

Response Example

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "requirement": ">=5.0.0",
    "version": "5.0.0",
    "cpes": ["cpe:2.3:a:scanoss:engine:1.0.0:*:*:*:*:*:*:*"]
  },
  "status": {
    "status": "SUCCESS",
    "message": "CPEs Successfully retrieved"
  }
}

ComponentsCpes

Get CPE identifiers for multiple software components in a single request.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/vulnerabilities/cpes/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq

ComponentVulnerabilities

Get known vulnerabilities for a software component, including CVE details, severity, and scoring data.

HTTP Request Example

curl -X GET 'https://api.scanoss.com/v2/vulnerabilities/component?purl=pkg:github/scanoss/engine&requirement=>=5.0.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq

Response Format

The method returns comprehensive vulnerability information, including:
  • purl: The requested component
  • vulnerabilities: List of known vulnerabilities affecting the component
  • version: The specific version that was analyzed
  • requirement: The client’s version constraint, echoed from the request

Each vulnerability object contains:
  • CVE identifier and reference URL
  • Severity classification and CVSS information
  • Publication and modification dates
  • Summary description
  • Source database information
  • CVSS array with detailed scoring information (vector, score, and severity)
  • Exploit Prediction Scoring System (EPSS) data (probability, percentile)

CVSS Information

The cvss field is an array of CVSS (Common Vulnerability Scoring System) objects, allowing for multiple CVSS versions or sources. Each CVSS object contains:
  • cvss: The CVSS vector string (e.g., “CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H”)
  • cvss_score: The numerical CVSS score (0.0 to 10.0)
  • cvss_severity: The severity rating based on the score (“None”, “Low”, “Medium”, “High”, “Critical”)

Response Examples

Component with Vulnerabilities

{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "requirement": ">=5.0.0",
    "version": "5.0.0",
    "vulnerabilities": [
      {
        "id": "CVE-2024-12345",
        "cve": "CVE-2024-12345",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12345",
        "summary": "Buffer overflow vulnerability in input processing",
        "severity": "High",
        "published": "2024-01-15T10:30:00Z",
        "modified": "2024-01-16T14:20:00Z",
        "source": "NVD",
        "cvss": [
          {
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss_score": 7.5,
            "cvss_severity": "High"
          }
        ],
        "epss": {
          "probability": 0.00053,
          "percentile": 0.16477
        }
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Vulnerabilities Successfully retrieved"
  }
}

Component with No Known Vulnerabilities

{
  "component": {
    "purl": "pkg:github/scanoss/scanoss.py",
    "requirement": ">1.30.0",
    "version": "1.31.0",
    "vulnerabilities": []
  },
  "status": {
    "status": "SUCCESS",
    "message": "Vulnerabilities Successfully retrieved"
  }
}
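
A policy gate over the response format described above, as an added example that is not part of the SCANOSS documentation or code. The function name `triage`, the two thresholds, and the placeholder entry `CVE-0000-00000` (an entry with no scoring data, assumed possible) are illustrative assumptions; the other values are constructed from the response examples on this page.

```python
# Added example. SAMPLE and CLEAN are constructed from this page's response examples.
SAMPLE = {
    "component": {
        "purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0", "version": "5.0.0",
        "vulnerabilities": [
            {"id": "CVE-2024-12345", "severity": "High",
             "cvss": [{"cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                       "cvss_score": 7.5, "cvss_severity": "High"}],
             "epss": {"probability": 0.00053, "percentile": 0.16477}},
            # Placeholder entry without scoring data (assumed possible): fallback path.
            {"id": "CVE-0000-00000", "severity": "Medium", "cvss": [], "epss": None},
        ],
    },
    "status": {"status": "SUCCESS", "message": "Vulnerabilities Successfully retrieved"},
}
CLEAN = {
    "component": {"purl": "pkg:github/scanoss/scanoss.py", "requirement": ">1.30.0",
                  "version": "1.31.0", "vulnerabilities": []},
    "status": {"status": "SUCCESS", "message": "Vulnerabilities Successfully retrieved"},
}

def triage(response, min_score=7.0, min_epss=0.10):
    """Return (purl, version, findings); both thresholds are assumed policy values."""
    status = response.get("status") or {}
    if status.get("status") != "SUCCESS":
        # Fail closed: a failed lookup must never be read as "no vulnerabilities".
        raise RuntimeError(f"lookup failed: {status.get('message', 'no status returned')}")
    comp = response["component"]
    findings = []
    for vuln in comp.get("vulnerabilities") or []:
        # cvss is an array (several versions or sources): judge by the highest score.
        scores = [c["cvss_score"] for c in vuln.get("cvss") or []
                  if c.get("cvss_score") is not None]
        top = max(scores) if scores else None
        epss = (vuln.get("epss") or {}).get("probability")
        reasons = []
        if top is None:
            reasons.append("unscored")  # manual review instead of passing silently
        elif top >= min_score:
            reasons.append("cvss")
        if epss is not None and epss >= min_epss:
            reasons.append("epss")
        if reasons:
            findings.append({"id": vuln["id"], "cvss_max": top, "epss": epss, "reasons": reasons})
    return comp["purl"], comp.get("version"), findings

if __name__ == "__main__":
    for resp in (SAMPLE, CLEAN):
        print(triage(resp))
```

An empty findings list passes the gate only because the status check ran first; the same empty `vulnerabilities` array under a non-SUCCESS status raises instead.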

ComponentsVulnerabilities

Get known vulnerabilities for multiple software components in a single request.

HTTP Request Example

curl -X POST 'https://api.scanoss.com/v2/vulnerabilities/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq