> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SCANOSS-PY

> Detect and analyse security vulnerabilities in open source components with the [SCANOSS Python CLI](https://github.com/scanoss/scanoss.py).

## Sample Workflow

### Scan for Components

First, scan your codebase to identify the open source components it contains. `--dependencies` additionally resolves the dependencies declared in manifest files (such as package.json), and `--output` writes the combined results as JSON:

```bash theme={null}
# Scan directory with dependency detection
scanoss-py scan /path/to/your/code \
  --dependencies \
  --output results.json \
  --key "$SCANOSS_API_KEY"
```

### Extract Component PURLs

Extract Package URLs (PURLs) from the scan results for further analysis:

```bash theme={null}
# Extract all PURLs with versions (entries with no PURL, i.e. unmatched files, are skipped)
jq -r '.[][] | select(.purl != null) | .purl[] as $purl | "\($purl)@\(.version)"' results.json

# Extract unique PURLs (without versions)
jq -r '.[][] | select(.purl != null) | .purl[]' results.json | sort -u

# Save unique versioned PURLs to a file for batch processing
jq -r '.[][] | select(.purl != null) | .purl[] as $purl | "\($purl)@\(.version)"' results.json | sort -u > purls.txt
```

**Sample Output:**

```bash theme={null}
pkg:npm/lodash@4.17.20
```

## Query Vulnerabilities

### Query Single Component

Query vulnerabilities for a single component using its PURL:

```bash theme={null}
scanoss-py comp vulns \
  --purl "pkg:npm/lodash@4.17.20" \
  --key "$SCANOSS_API_KEY"
```

**Sample Output** (the same CVE can be reported once per source, here NVD and OSV, and the sources use different severity vocabularies, such as `MEDIUM` versus `MODERATE`):

```json theme={null}
{
  "components": [
    {
      "purl": "pkg:npm/lodash",
      "requirement": "4.17.20",
      "version": "4.17.20",
      "vulnerabilities": [
        {
          "cve": "CVE-2020-28500",
          "id": "CVE-2020-28500",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via ...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "id": "CVE-2021-23337",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
        },
        {
          "cve": "CVE-2020-28500",
          "cvss": [
            {
              "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "cvss_score": 5.3,
              "cvss_severity": "MEDIUM"
            }
          ],
          "id": "GHSA-29mw-wpgm-hmr9",
          "modified": "2025-09-29",
          "published": "2022-01-06",
          "severity": "MODERATE",
          "source": "OSV",
          "summary": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://osv.dev/vulnerability/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "cvss": [
            {
              "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "cvss_score": 7.2,
              "cvss_severity": "HIGH"
            }
          ],
          "id": "GHSA-35jh-r3h4-6jhm",
          "modified": "2025-08-12",
          "published": "2021-05-06",
          "severity": "HIGH",
          "source": "OSV",
          "summary": "Command Injection in lodash",
          "url": "https://osv.dev/vulnerability/CVE-2021-23337"
        }
      ]
    }
  ],
  "status": {
    "message": "Success",
    "status": "SUCCESS"
  }
}
```

### Query Multiple Components

Query multiple PURLs using an input file:

```bash theme={null}
# Create PURL input file
cat > purl-list.json << 'EOF'
{
  "components": [
    {
      "purl": "pkg:npm/lodash@4.17.20",
      "requirement": "4.17.20"
    },
    {
      "purl": "pkg:pypi/requests@2.25.0",
      "requirement": "2.25.0"
    },
    {
      "purl": "pkg:maven/org.apache.commons/commons-collections4@4.0",
      "requirement": "4.0"
    }
  ]
}
EOF
```

```bash theme={null}
# Query all components
scanoss-py comp vulns \
  -i purl-list.json \
  --key "$SCANOSS_API_KEY"
```

**Sample Output** (note the trailing empty `{}` entry, which any post-processing should skip):

```json theme={null}
{
  "components": [
    {
      "purl": "pkg:npm/lodash@4.17.20",
      "requirement": "4.17.20",
      "version": "4.17.20",
      "vulnerabilities": [
        {
          "cve": "CVE-2020-28500",
          "id": "CVE-2020-28500",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via ...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "id": "CVE-2021-23337",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
        }
      ]
    },
    {
      "purl": "pkg:pypi/requests@2.25.0",
      "requirement": "2.25.0",
      "version": "2.25.0",
      "vulnerabilities": [
        {
          "cve": "CVE-2023-32681",
          "id": "CVE-2023-32681",
          "modified": "2025-02-13",
          "published": "2023-05-26",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization head...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681"
        }
      ]
    },
    {
      "purl": "pkg:maven/org.apache.commons/commons-collections4@4.0",
      "requirement": "4.0",
      "version": "4.0",
      "vulnerabilities": [
        {
          "cve": "CVE-2015-6420",
          "id": "CVE-2015-6420",
          "modified": "2025-04-12",
          "published": "2015-12-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and C...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6420"
        }
      ]
    },
    {}
  ],
  "status": {
    "message": "Success",
    "status": "SUCCESS"
  }
}
```
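The raw response needs two things before it can drive a pipeline decision: the per-source records for one CVE have to be merged (NVD and OSV each report it, with `MEDIUM` and `MODERATE` meaning the same band), and the empty `{}` entry has to be skipped. The following Python is an added example, not part of scanoss-py: it collapses the records to one finding per CVE, keeping the worst severity and the highest CVSS score seen, and fails the gate when any finding reaches a chosen severity. The embedded response is a constructed, trimmed copy of the shape shown above.

```python
import json
import sys

# NVD and OSV use different words for the same band (MEDIUM vs MODERATE), so
# every label is mapped onto one ordinal scale before anything is compared.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}
RANK_NAME = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# Constructed response, trimmed to the fields used here, mirroring the shape
# above: one CVE reported by both NVD and OSV, and a trailing empty entry.
SAMPLE_RESPONSE = {
    "components": [
        {
            "purl": "pkg:npm/lodash@4.17.20",
            "version": "4.17.20",
            "vulnerabilities": [
                {"cve": "CVE-2020-28500", "id": "CVE-2020-28500", "severity": "MEDIUM", "source": "NVD"},
                {"cve": "CVE-2021-23337", "id": "CVE-2021-23337", "severity": "HIGH", "source": "NVD"},
                {"cve": "CVE-2020-28500", "id": "GHSA-29mw-wpgm-hmr9", "severity": "MODERATE", "source": "OSV",
                 "cvss": [{"cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "cvss_score": 5.3}]},
                {"cve": "CVE-2021-23337", "id": "GHSA-35jh-r3h4-6jhm", "severity": "HIGH", "source": "OSV",
                 "cvss": [{"cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "cvss_score": 7.2}]},
            ],
        },
        {
            "purl": "pkg:pypi/requests@2.25.0",
            "version": "2.25.0",
            "vulnerabilities": [
                {"cve": "CVE-2023-32681", "id": "CVE-2023-32681", "severity": "MEDIUM", "source": "NVD"},
            ],
        },
        {},
    ],
    "status": {"message": "Success", "status": "SUCCESS"},
}


def severity_rank(label) -> int:
    return SEVERITY_RANK.get((label or "").upper(), 0)


def merge_vulnerabilities(component: dict) -> list[dict]:
    """One finding per CVE: worst severity, highest CVSS score, and every id/source that reported it."""
    merged: dict[str, dict] = {}
    for vuln in component.get("vulnerabilities", []):
        key = vuln.get("cve") or vuln.get("id")
        if not key:
            continue
        rec = merged.setdefault(key, {"cve": key, "rank": 0, "cvss_score": None, "vector": None,
                                      "ids": set(), "sources": set()})
        rec["rank"] = max(rec["rank"], severity_rank(vuln.get("severity")))
        rec["ids"].add(vuln.get("id", key))
        rec["sources"].add(vuln.get("source", "unknown"))
        for cvss in vuln.get("cvss") or []:
            score = cvss.get("cvss_score")
            if score is not None and (rec["cvss_score"] is None or score > rec["cvss_score"]):
                rec["cvss_score"], rec["vector"] = score, cvss.get("cvss")
    findings = [{**rec, "severity": RANK_NAME[rec["rank"]],
                 "ids": sorted(rec["ids"]), "sources": sorted(rec["sources"])} for rec in merged.values()]
    return sorted(findings, key=lambda f: (-f["rank"], f["cve"]))


def triage(response: dict, fail_at: str = "HIGH") -> dict:
    """Summarise a `comp vulns` response and decide whether a pipeline gate passes."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    report = {"components": [], "failing": []}
    for component in response.get("components", []):
        purl = component.get("purl")
        if not purl:  # the response can contain an empty {} entry; skip it
            continue
        findings = merge_vulnerabilities(component)
        report["components"].append({"purl": purl, "findings": findings})
        report["failing"] += [f"{purl}: {f['cve']} ({f['severity']})" for f in findings if f["rank"] >= threshold]
    server_ok = response.get("status", {}).get("status") == "SUCCESS"
    report["passed"] = server_ok and not report["failing"]
    return report


if __name__ == "__main__":
    # Usage: scanoss-py comp vulns -i purl-list.json --key "$SCANOSS_API_KEY" > vulns.json
    #        python triage.py vulns.json      (exit status 1 when the gate fails)
    data = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    result = triage(data)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

The gate also fails when `status.status` is anything other than `SUCCESS`, so a partial or failed lookup cannot pass as "no findings". The CVSS vector is kept alongside the score because `PR:H` on CVE-2021-23337, for instance, is what tells a reviewer the command injection needs an attacker-controlled template, which is the kind of detail a severity word alone hides.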

## Query Component Status

The `comp status` command returns the development lifecycle status for one or more components — useful for identifying unmaintained or deprecated dependencies before they become a security risk.

### Query Single Component

```bash theme={null}
scanoss-py comp status \
  --purl "pkg:npm/lodash@4.17.20" \
  --key "$SCANOSS_API_KEY"
```

**Sample Output:**

```json theme={null}
{
  "components": [
    {
      "component_status": {
        "first_indexed_date": "2025-12-16",
        "last_indexed_date": "2026-04-17",
        "repository_status": "active",
        "status": "active",
        "status_change_date": ""
      },
      "name": "lodash",
      "purl": "pkg:npm/lodash@4.17.20",
      "requirement": "",
      "version_status": {
        "indexed_date": "2022-09-21T00:00:00Z",
        "repository_status": "active",
        "status": "active",
        "status_change_date": "",
        "version": "4.17.20"
      }
    }
  ],
  "status": {
    "message": "Success",
    "server": {
      "version": "v0.8.0"
    },
    "status": "SUCCESS"
  }
}
```
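To act on this output in a pipeline, the check that matters is whether the component, the specific version, or their repository is reported as anything other than `active`. The following Python is an added example, not scanoss-py's own code: it walks a `comp status` response and returns a reason list for every component that is not fully active, including entries where the server returned no data for a scope. The embedded response is constructed; the non-`active` values in it are placeholders for illustration, not a documented list of statuses the server emits.

```python
import json

# Constructed response in the shape `comp status` returns above. The first
# entry mirrors the active lodash result; the second is a made-up component
# whose statuses use placeholder values ("deprecated", "archived") chosen
# for illustration, not taken from scanoss documentation.
SAMPLE_STATUS = {
    "components": [
        {
            "name": "lodash",
            "purl": "pkg:npm/lodash@4.17.20",
            "component_status": {"status": "active", "repository_status": "active", "status_change_date": ""},
            "version_status": {"status": "active", "repository_status": "active",
                               "status_change_date": "", "version": "4.17.20"},
        },
        {
            "name": "oldlib",
            "purl": "pkg:npm/oldlib@1.0.0",
            "component_status": {"status": "deprecated", "repository_status": "archived",
                                 "status_change_date": "2024-03-01"},
            "version_status": {"status": "deprecated", "repository_status": "archived",
                               "status_change_date": "2024-03-01", "version": "1.0.0"},
        },
    ],
    "status": {"message": "Success", "status": "SUCCESS"},
}

SCOPES = ("component_status", "version_status")
FIELDS = ("status", "repository_status")


def lifecycle_flags(response: dict, healthy: str = "active") -> list[dict]:
    """Return {"purl", "reasons"} for each component whose lifecycle data is not fully `healthy`."""
    flagged = []
    for component in response.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue
        reasons = []
        for scope in SCOPES:
            block = component.get(scope) or {}
            # a missing field is reported as such: "no data" is not the same as "active"
            scope_reasons = [f"{scope}.{field}={block.get(field) or 'missing'}"
                             for field in FIELDS if block.get(field) != healthy]
            if scope_reasons and block.get("status_change_date"):
                scope_reasons.append(f"{scope}.status_change_date={block['status_change_date']}")
            reasons += scope_reasons
        if reasons:
            flagged.append({"purl": purl, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Usage: scanoss-py comp status -i purl-list.json --key "$SCANOSS_API_KEY" > status.json
    #        python lifecycle.py   (swap SAMPLE_STATUS for json.load(open("status.json")))
    print(json.dumps(lifecycle_flags(SAMPLE_STATUS), indent=2))
```

Treating a missing scope as a finding is deliberate: a version the service has never indexed tells you nothing about whether it is maintained, and silently passing it would defeat the purpose of the check.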
