# Vulnerability API

> Provides vulnerability data for software components, including CPE identifiers and known vulnerabilities (CVEs).

## ComponentCpes

Get CPE identifiers for a software component identified by Package URL.

### HTTP Request Example

```bash
curl -X GET 'https://api.scanoss.com/v2/vulnerabilities/cpes/component?purl=pkg:github/scanoss/engine&requirement=>=5.0.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq
```

### Response Example

```json
{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "requirement": ">=5.0.0",
    "version": "5.0.0",
    "cpes": ["cpe:2.3:a:scanoss:engine:1.0.0:*:*:*:*:*:*:*"]
  },
  "status": {
    "status": "SUCCESS",
    "message": "CPEs Successfully retrieved"
  }
}
```

## ComponentsCpes

Get CPE identifiers for multiple software components in a single request.

### HTTP Request Example

```bash
curl -X POST 'https://api.scanoss.com/v2/vulnerabilities/cpes/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq
```

## ComponentVulnerabilities

Get known vulnerabilities for a software component, including CVE details, severity, and scoring data.

### HTTP Request Example

```bash
curl -X GET 'https://api.scanoss.com/v2/vulnerabilities/component?purl=pkg:github/scanoss/engine&requirement=>=5.0.0' \
  -H "X-Api-Key: $SC_API_KEY" | jq
```

### Response Format

The method returns comprehensive vulnerability information including:

* `purl`: The requested component
* `vulnerabilities`: List of known vulnerabilities affecting the component
* `version`: The specific version that was analyzed
* `requirement`: The client's version constraint, echoed from the request

Each vulnerability object contains:

* CVE identifier and reference URL
* Severity classification and CVSS information
* Publication and modification dates
* Summary description
* Source database information
* CVSS array with detailed scoring information (vector, score, and severity)
* Exploit Prediction Scoring System (EPSS) data (probability, percentile)

#### CVSS Information

The `cvss` field is an array of CVSS (Common Vulnerability Scoring System) objects, allowing for multiple CVSS versions or sources. Each CVSS object contains:

* `cvss`: The CVSS vector string (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
* `cvss_score`: The numerical CVSS score (0.0 to 10.0)
* `cvss_severity`: The severity rating based on the score ("None", "Low", "Medium", "High", "Critical")

### Response Examples

#### Component with Vulnerabilities

```json
{
  "component": {
    "purl": "pkg:github/scanoss/engine",
    "requirement": ">=5.0.0",
    "version": "5.0.0",
    "vulnerabilities": [
      {
        "id": "CVE-2024-12345",
        "cve": "CVE-2024-12345",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12345",
        "summary": "Buffer overflow vulnerability in input processing",
        "severity": "High",
        "published": "2024-01-15T10:30:00Z",
        "modified": "2024-01-16T14:20:00Z",
        "source": "NVD",
        "cvss": [
          {
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss_score": 7.5,
            "cvss_severity": "High"
          }
        ],
        "epss": {
          "probability": 0.00053,
          "percentile": 0.16477
        }
      }
    ]
  },
  "status": {
    "status": "SUCCESS",
    "message": "Vulnerabilities Successfully retrieved"
  }
}
```

#### Component with No Known Vulnerabilities

```json
{
  "component": {
    "purl": "pkg:github/scanoss/scanoss.py",
    "requirement": ">1.30.0",
    "version": "1.31.0",
    "vulnerabilities": []
  },
  "status": {
    "status": "SUCCESS",
    "message": "Vulnerabilities Successfully retrieved"
  }
}
```
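
The following added example (not part of the SCANOSS documentation or code) turns a ComponentVulnerabilities response into a gate decision: it takes the worst score from each `cvss` array, checks the EPSS probability, and refuses to read a non-`SUCCESS` status as a clean result. The function name, the thresholds and the `EXAMPLE-…` identifiers are assumptions constructed for illustration.

```python
def triage(response, min_cvss=7.0, min_epss=0.1):
    """Return the findings that breach a threshold, worst first.

    min_cvss and min_epss are hypothetical policy values, not API defaults.
    """
    status = response.get("status") or {}
    # Assumption: anything other than SUCCESS means the lookup failed, and a
    # failed lookup must never be read as "no vulnerabilities".
    if status.get("status") != "SUCCESS":
        raise RuntimeError("lookup failed: %s" % status.get("message"))
    component = response.get("component") or {}
    findings = []
    for vuln in component.get("vulnerabilities") or []:
        # `cvss` is an array (multiple versions or sources): use the worst score.
        scores = [c["cvss_score"] for c in vuln.get("cvss") or [] if "cvss_score" in c]
        worst = max(scores, default=None)
        epss = (vuln.get("epss") or {}).get("probability")
        # Unscored entries are kept for manual review rather than dropped.
        if worst is None or worst >= min_cvss or (epss or 0.0) >= min_epss:
            findings.append({"id": vuln.get("id"), "cvss": worst, "epss": epss})
    # Unscored first, then highest CVSS, then highest EPSS probability.
    findings.sort(key=lambda f: (f["cvss"] is None, f["cvss"] or 0.0, f["epss"] or 0.0),
                  reverse=True)
    return findings


# Constructed sample in the shape of the response examples above.
SAMPLE = {
    "component": {
        "purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0", "version": "5.0.0",
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "cvss": [{"cvss_score": 5.3}, {"cvss_score": 8.1}],
             "epss": {"probability": 0.00053, "percentile": 0.16477}},
            {"id": "EXAMPLE-0002", "cvss": [{"cvss_score": 4.0}],
             "epss": {"probability": 0.42, "percentile": 0.97}},
            {"id": "EXAMPLE-0003", "cvss": [{"cvss_score": 3.1}],
             "epss": {"probability": 0.001, "percentile": 0.2}},
            {"id": "EXAMPLE-0004", "cvss": []},
        ],
    },
    "status": {"status": "SUCCESS", "message": "Vulnerabilities Successfully retrieved"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
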

## ComponentsVulnerabilities

Get known vulnerabilities for multiple software components in a single request.

### HTTP Request Example

```bash
curl -X POST 'https://api.scanoss.com/v2/vulnerabilities/components' \
  -H 'Content-Type: application/json' \
  -H "X-Api-Key: $SC_API_KEY" \
  -d '{
    "components": [
      {"purl": "pkg:github/scanoss/engine", "requirement": ">=5.0.0"},
      {"purl": "pkg:github/scanoss/scanoss.py", "requirement": "~1.30.0"}
    ]
  }' | jq
```
