List Vulnerable Packages
Description: Retrieves a list of vulnerable packages, with options to filter the results based on various criteria such as package name, visibility, token role, and remediation status.
Note that because sometimes a new vulnerability comes out after a sealed version already exists, a newer sealed version is released.
For example [email protected] had two vulnerabilities that were sealed in [email protected]. Another vulnerability was then discovered, which required the release of [email protected]. In that case, if [email protected] is being used by the tenant, since that package contains an open unpatched vulnerability, it will be returned by this endpoint.
Path: https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable
Method: GET
Authentication: See detailed explanation here.
Okay, this is excellent detail for a single endpoint. I will format this into a standard, user-friendly API documentation style.
Request Parameters
This endpoint accepts the following optional query parameters to filter the results:
package_name_contains
string
Filter packages that have this string in their name.
Any string
is_hidden
boolean
Filter packages that are hidden (true) or visible (false).
true, false
access_token_role
string
Filter packages according to the token used to detect them.
Production, Development
fix_availability
string
Filter packages by their remediation state.
sealed, seal_available, unfixable, fix_in_preparation, generate_fix
Details for fix_availability values:
sealed: The vulnerable package was effectively remediated by using a safer sealed version.seal_available: The vulnerable package was detected, and a safer sealed version is available for use.unfixable: The vulnerable package was detected; however, a sealed version is unavailable and cannot be generated due to technical reasons.fix_in_preparation: The vulnerable package was detected, and a sealed version is now under development.generate_fix: The vulnerable package was detected; a sealed version is currently unavailable, but you can request one.
Response
The API returns a JSON array of objects, where each object represents a vulnerable package matching the applied filters.
Response Structure:
JSON
[
{
"package_name": "string",
"package_version": "string",
"ecosystem": "string",
"project_name": "string",
"open_vulnerabilities_in_original_package": [
{
"CVE": "string",
"score": "float"
}
],
"fix_availability": "string",
"replaced_by_sealed_version": "string",
"open_vulnerabilities_in_sealed_version": [
{
"CVE": "string",
"score": "float"
}
],
"sealed_vulnerabilities_in_sealed_version": [
{
"CVE": "string",
"score": "float"
}
],
"last_seen": "string",
"access_token_role": "string",
"is_hidden": "boolean"
}
]Response Fields:
package_name
string
The name of the package.
package_version
string
The version of the package.
ecosystem
string
The ecosystem (e.g., npm, PyPI, Maven) of the package.
project_name
string
The name of the project where the package was detected.
open_vulnerabilities_in_original_package
array of vulnerability objects
A list of vulnerabilities that are still open in the original vulnerable package.
CVE
string
Vulnerability identifier (e.g., CVE-2023-1234).
score
float
Vulnerability risk score.
fix_availability
string
The remediation state of the vulnerable package. See accepted values in the Request Parameters section for detailed descriptions.
replaced_by_sealed_version
string
The version of the sealed package that is currently being used as a replacement (if fix_availability is sealed).
open_vulnerabilities_in_sealed_version
array of vulnerability objects
A list of vulnerabilities that are still open in the sealed version currently being used (a safer sealed version might be available).
sealed_vulnerabilities_in_sealed_version
array of vulnerability objects
A list of vulnerabilities that were patched (sealed) in the sealed version currently being used.
last_seen
string
The date and time (ISO 8601 format) when the vulnerable package was last detected.
access_token_role
string
The type of token (Production or Development) used to detect the vulnerable package.
is_hidden
boolean
Indicates whether the vulnerable package is hidden (true) or visible (false).
Example Requests and Responses
1. Get all vulnerable packages:
Request (cURL):
Bash
curl -X GET \
'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'Example Response (Truncated):
JSON
[
{
"package_name": "lodash",
"package_version": "4.17.21",
"ecosystem": "npm",
"project_name": "MyWebApp",
"open_vulnerabilities_in_original_package": [
{
"CVE": "CVE-2021-23336",
"score": 7.5
}
],
"fix_availability": "seal_available",
"replaced_by_sealed_version": null,
"open_vulnerabilities_in_sealed_version": [],
"sealed_vulnerabilities_in_sealed_version": [],
"last_seen": "2025-05-10T14:30:00Z",
"access_token_role": "Production",
"is_hidden": false
},
{
"package_name": "spring-core",
"package_version": "5.3.2",
"ecosystem": "maven",
"project_name": "InternalService",
"open_vulnerabilities_in_original_package": [
{
"CVE": "CVE-2022-22965",
"score": 9.8
}
],
"fix_availability": "unfixable",
"replaced_by_sealed_version": null,
"open_vulnerabilities_in_sealed_version": [],
"sealed_vulnerabilities_in_sealed_version": [],
"last_seen": "2025-05-09T10:00:00Z",
"access_token_role": "Development",
"is_hidden": false
}
]2. Filter packages by name and fix availability:
Request (cURL):
Bash
curl -X GET \
'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?package_name_contains=spring&fix_availability=sealed' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'Example Response:
JSON
[
{
"package_name": "spring-webflux",
"package_version": "5.3.2",
"ecosystem": "maven",
"project_name": "UserFacingApp",
"open_vulnerabilities_in_original_package": [
{
"CVE": "CVE-2021-22096",
"score": 7.0
}
],
"fix_availability": "sealed",
"replaced_by_sealed_version": "spring-webflux-sealed-5.3.2-1",
"open_vulnerabilities_in_sealed_version": [],
"sealed_vulnerabilities_in_sealed_version": [
{
"CVE": "CVE-2021-22096",
"score": 7.0
}
],
"last_seen": "2025-05-08T11:45:00Z",
"access_token_role": "Production",
"is_hidden": false
}
]Last updated