List Vulnerable Packages
Last updated
Description: Retrieves a list of vulnerable packages, with options to filter the results based on various criteria such as package name, visibility, token role, and remediation status.
Note that a new vulnerability is sometimes disclosed after a sealed version already exists; when that happens, a newer sealed version is released. For example, ejs@2.7.4 had two vulnerabilities that were sealed in ejs@2.7.4-sp1. Another vulnerability was then discovered, which required the release of ejs@2.7.4-sp2. In that case, if ejs@2.7.4-sp1 is being used by the tenant, it will still be returned by this endpoint, since that package contains an open, unpatched vulnerability.
Path:
Method: GET
Authentication: See detailed explanation.
This endpoint accepts the following optional query parameters to filter the results:

| Parameter | Type | Description | Accepted values |
|---|---|---|---|
| package_name_contains | string | Filter packages that have this string in their name. | Any string |
| is_hidden | boolean | Filter packages that are hidden (true) or visible (false). | true, false |
| access_token_role | string | Filter packages according to the token used to detect them. | Production, Development |
| fix_availability | string | Filter packages by their remediation state. | sealed, seal_available, unfixable, fix_in_preparation, generate_fix |

Details for fix_availability values:

- sealed: The vulnerable package was effectively remediated by using a safer sealed version.
- seal_available: The vulnerable package was detected, and a safer sealed version is available for use.
- unfixable: The vulnerable package was detected; however, a sealed version is unavailable and cannot be generated due to technical reasons.
- fix_in_preparation: The vulnerable package was detected, and a sealed version is now under development.
- generate_fix: The vulnerable package was detected; a sealed version is currently unavailable, but you can request one.
The API returns a JSON array of objects, where each object represents a vulnerable package matching the applied filters.
Response Structure:
JSON
Response Fields:

| Field | Type | Description |
|---|---|---|
| package_name | string | The name of the package. |
| package_version | string | The version of the package. |
| ecosystem | string | The ecosystem (e.g., npm, PyPI, Maven) of the package. |
| project_name | string | The name of the project where the package was detected. |
| open_vulnerabilities_in_original_package | array of vulnerability objects | A list of vulnerabilities that are still open in the original vulnerable package. |
| fix_availability | string | The remediation state of the vulnerable package. See accepted values in the Request Parameters section for detailed descriptions. |
| replaced_by_sealed_version | string | The version of the sealed package that is currently being used as a replacement (if fix_availability is sealed). |
| open_vulnerabilities_in_sealed_version | array of vulnerability objects | A list of vulnerabilities that are still open in the sealed version currently being used (a safer sealed version might be available). |
| sealed_vulnerabilities_in_sealed_version | array of vulnerability objects | A list of vulnerabilities that were patched (sealed) in the sealed version currently being used. |
| last_seen | string | The date and time (ISO 8601 format) when the vulnerable package was last detected. |
| access_token_role | string | The type of token (Production or Development) used to detect the vulnerable package. |
| is_hidden | boolean | Indicates whether the vulnerable package is hidden (true) or visible (false). |

Each vulnerability object has the following fields:

| Field | Type | Description |
|---|---|---|
| CVE | string | Vulnerability identifier (e.g., CVE-2023-1234). |
| score | float | Vulnerability risk score. |
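The following added example (not part of this documentation or the vendor's client code) triages a response from this endpoint by the next remediation step each object calls for, using only the fields documented above. It treats a non-empty open_vulnerabilities_in_sealed_version as the signal for the ejs@2.7.4-sp1 situation described in the note, regardless of the fix_availability value; the bucket names, the project names and the CVE-EXAMPLE identifiers in the sample are constructed.

```python
import json


def triage(packages):
    """Bucket each vulnerable-package object by the next remediation step it calls for."""
    buckets = {"newer_seal_needed": [], "seal_now": [], "request_seal": [],
               "wait": [], "unfixable": [], "done": []}
    for p in packages:
        label = f"{p['package_name']}@{p['package_version']} in {p['project_name']}"
        if p.get("open_vulnerabilities_in_sealed_version"):
            # The sealed version in use still carries open CVEs (the ejs@2.7.4-sp1
            # case in the note above): a newer -sp release should be looked for.
            buckets["newer_seal_needed"].append(
                f"{label} (using {p.get('replaced_by_sealed_version')})")
            continue
        state = p["fix_availability"]
        if state == "sealed":
            buckets["done"].append(label)
        elif state == "seal_available":
            buckets["seal_now"].append(label)
        elif state == "generate_fix":
            buckets["request_seal"].append(label)
        elif state == "fix_in_preparation":
            buckets["wait"].append(label)
        else:  # "unfixable", or a value this client does not know
            buckets["unfixable"].append(label)
    return buckets


# Constructed sample response using the fields documented above (not real API output).
SAMPLE_RESPONSE = json.loads("""[
 {"package_name": "ejs", "package_version": "2.7.4", "ecosystem": "npm",
  "project_name": "web-frontend", "fix_availability": "sealed",
  "replaced_by_sealed_version": "2.7.4-sp1",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-EXAMPLE-0001", "score": 9.8},
    {"CVE": "CVE-EXAMPLE-0002", "score": 7.5}, {"CVE": "CVE-EXAMPLE-0003", "score": 6.1}],
  "sealed_vulnerabilities_in_sealed_version": [{"CVE": "CVE-EXAMPLE-0001", "score": 9.8},
    {"CVE": "CVE-EXAMPLE-0002", "score": 7.5}],
  "open_vulnerabilities_in_sealed_version": [{"CVE": "CVE-EXAMPLE-0003", "score": 6.1}],
  "last_seen": "2024-01-01T00:00:00Z", "access_token_role": "Production", "is_hidden": false},
 {"package_name": "lodash", "package_version": "4.17.20", "ecosystem": "npm",
  "project_name": "web-frontend", "fix_availability": "seal_available",
  "replaced_by_sealed_version": null,
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-EXAMPLE-0004", "score": 7.2}],
  "sealed_vulnerabilities_in_sealed_version": [], "open_vulnerabilities_in_sealed_version": [],
  "last_seen": "2024-01-01T00:00:00Z", "access_token_role": "Development", "is_hidden": false}
]""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```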
1. Get all vulnerable packages:
Request (cURL):
Bash
Example Response (Truncated):
JSON
2. Filter packages by name and fix availability:
Request (cURL):
Bash
Example Response:
JSON