List Vulnerable Packages

Description: Retrieves a list of vulnerable packages, with options to filter the results based on various criteria such as package name, visibility, token role, and remediation status.

Note that because sometimes a new vulnerability comes out after a sealed version already exists, a newer sealed version is released.

For example [email protected] had two vulnerabilities that were sealed in [email protected]. Another vulnerability was then discovered, which required the release of [email protected]. In that case, if [email protected] is being used by the tenant, since that package contains an open unpatched vulnerability, it will be returned by this endpoint.

Path: https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable

Method: GET

Authentication: See detailed explanation here.

Request Parameters

This endpoint accepts the following optional query parameters to filter the results:

Parameter Name

Type

Description

Accepted Values

package_name_contains

string

Filter packages that have this string in their name.

Any string

is_hidden

boolean

Filter packages that are hidden (true) or visible (false).

true, false

access_token_role

string

Filter packages according to the token used to detect them.

Production, Development

fix_availability

string

Filter packages by their remediation state.

sealed, seal_available, unfixable, fix_in_preparation, generate_fix

Details for fix_availability values:

sealed: The vulnerable package was effectively remediated by using a safer sealed version.
seal_available: The vulnerable package was detected, and a safer sealed version is available for use.
unfixable: The vulnerable package was detected; however, a sealed version is unavailable and cannot be generated due to technical reasons.
fix_in_preparation: The vulnerable package was detected, and a sealed version is now under development.
generate_fix: The vulnerable package was detected; a sealed version is currently unavailable, but you can request one.

Response

The API returns a paginated JSON array of objects, where each object represents a vulnerable package matching the applied filters.

Response Structure:

JSON

[
  {
    "package_name": "string",
    "package_version": "string",
    "ecosystem": "string",
    "project_name": "string",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "fix_availability": "string",
    "replaced_by_sealed_version": "string",
    "open_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "last_seen": "string",
    "access_token_role": "string",
    "is_hidden": "boolean"
  }
]

Response Fields:

Field Name

Type

Description

package_name

string

The name of the package.

package_version

string

The version of the package.

ecosystem

string

The ecosystem (e.g., npm, PyPI, Maven) of the package.

project_name

string

The name of the project where the package was detected.

open_vulnerabilities_in_original_package

array of vulnerability objects

A list of vulnerabilities that are open in the original vulnerable package.

CVE

string

Vulnerability identifier (e.g., CVE-2023-1234).

score

float

Vulnerability risk score.

fix_availability

string

The remediation state of the vulnerable package. See accepted values in the Request Parameters section for detailed descriptions.

replaced_by_sealed_version

string

The version of the sealed package that is currently being used as a replacement (if fix_availability is sealed, null otherwise).

open_vulnerabilities_in_sealed_version

array of vulnerability objects

A list of vulnerabilities that are still open in the sealed version currently being used (a safer sealed version might be available).

sealed_vulnerabilities_in_sealed_version

array of vulnerability objects

A list of vulnerabilities that were patched (sealed) in the sealed version currently being used.

last_seen

string

The date and time (ISO 8601 format) when the vulnerable package was last detected.

access_token_role

string

The type of token (Production or Development) used to detect the vulnerable package.

is_hidden

boolean

Indicates whether the vulnerable package is hidden (true) or visible (false).

The vulnerability object is composed of two fields:

Field Name

Type

Description

CVE

string

Vulnerability identifier (e.g., CVE-2023-1234).

Note that if there is no public CVE identifier, then a GHSA identifier. If there's neither, then a Snyk ID.

score

float

Vulnerability risk score. Can be null, in which case the vulnerability is rated as Low severity.

Example Requests and Responses

1. Get all vulnerable packages:

Request (cURL):

Bash

curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Example Response (Truncated):

JSON

[
  {
    "package_name": "lodash",
    "package_version": "4.17.21",
    "ecosystem": "npm",
    "project_name": "MyWebApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-23336",
        "score": 7.5
      }
    ],
    "fix_availability": "seal_available",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-10T14:30:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  },
  {
    "package_name": "spring-core",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "InternalService",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2022-22965",
        "score": 9.8
      }
    ],
    "fix_availability": "unfixable",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-09T10:00:00Z",
    "access_token_role": "Development",
    "is_hidden": false
  }
]

2. Filter packages by name and fix availability:

Request (cURL):

Bash

curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?package_name_contains=spring&fix_availability=sealed' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Example Response:

JSON

[
  {
    "package_name": "spring-webflux",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "UserFacingApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "fix_availability": "sealed",
    "replaced_by_sealed_version": "spring-webflux-sealed-5.3.2-1",
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "last_seen": "2025-05-08T11:45:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  }
]

PreviousAPIs NextFAQ

Last updated 4 months ago