Skip to main content

About the Veracode Vulnerability Database

You can use the Veracode Vulnerability Database as a tool to determine if a library is safe prior to adding it to your code. It also provides important details about a library, such as the license in use and insight into specific vulnerabilities.

The Veracode Vulnerability Database catalogs all the open-source libraries along with their associated vulnerabilities from these resources:

Searching the vulnerability database

You can use the following keywords filter your search results in the Veracode Vulnerability Database:

KeywordUsagePossible ValuesExample
typeRestricts results to either libraries or vulnerabilitieslibrary, vulnerabilitytype: library
languageRestricts results to the specified languagejava, ruby, python, objectivec, go,phplanguage: go
releasedFilters results to latest library versions or vulnerabilities released since the specified dateyyyy-mm-ddreleased: 2017-05-25
sourceRestricts results to libraries catalogued from the specified sourcemaven, pypi, gem, npm, bower, cocoapods, packagistsource: bower
licenseRestricts results to libraries with the specified licenseapache, mit, bsd, gpllicense: gpl
severityRestricts results to vulnerabilities with a severity between the specified range. Requires type: vulnerability.Two numbers from 0.0 to 10 separated by two periodsseverity: 1.2..9.9
vulnerableRestricts results to libraries with vulnerabilities associated with themtruevulnerable: true
vulnerable_methodRestricts results to vulnerabilities with vulnerable methods associated with themtruevulnerable_method: true
enhancedRestricts results to vulnerabilities with full write-up detailstrueenhanced: true

Vulnerability details

Veracode Software Composition Analysis provides detailed information for each vulnerability in the database.


The Summary area provides a breadth of information related to the selected vulnerability, including:

  • Technical overview: a paragraph describing the vulnerability.

  • Severity CVSS score: relative severity of the vulnerability. A detailed explanation of the CVSS score is available in the CVSS guide.

  • Library Vulnerability Information: the name of the library and a dropdown menu with one or more of the vulnerable version ranges for the library, along with the fixed and latest versions.

Technical info

For Enhanced artifacts, this area provides the full writeup describing the vulnerability with analysis of the issue.

Risk score

This area provides a detailed breakdown of the CVSS score, including the scores for each CVSS vector.

Library fix info

This area provides complete information regarding how to fix a library that contains a vulnerability. You can view the affected library version ranges here in addition to safe versions to use and the code for updating to the safe version. In some cases, multiple libraries are associated with the same vulnerability. This area includes those libraries as well.


This area provides external references related to the vulnerability, including blog posts, the GitHub pull request for the fix, and other links with relevant information.

Library signatures

This area allows users to view the coordinates corresponding to the vulnerable libraries that Veracode SCA uses to identify the vulnerability.

Vulnerable methods

You can view the actual vulnerable part of the library. Even if a vulnerable library is in use, Veracode SCA can identify if a vulnerable method is in use. If the specific vulnerable method is not in use, the project might not be subject to a potential exploit.

Library details

If you want to view details for a library and all of its versions, select a library from the database search.


This page shows the history of a given library, organized by either the vulnerability severities or by the version released. With each list of library vulnerabilities and versions, there is a search box for narrowing down the list of vulnerabilities or versions.


You can use the Versions page to see vulnerability, license, and library evidence information sorted by library version. You can filter the list to only show library versions that include vulnerabilities.