Manage scan results

After scanning your repos with SCA Agent-based Scan, you can review the scan results in the Veracode Platform or from the CLI. The scan results are organized into the following categories.

  • Issues: includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a repository.
  • Vulnerabilities: represents the set of unique vulnerabilities across a project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
  • Libraries: includes each open source library Veracode SCA has identified within a code project.
  • Licenses: displays the software license information associated with each open-source library in use.

After viewing the scan results, you can resolve the vulnerabilities using the instructions in the Veracode Platform or the CLI and validate the fixes.

You can navigate between vulnerabilities, open-source libraries, and licenses in your project to learn more about the vulnerabilities in your code.

You can select an issue to view reliable and actionable insights, including vulnerable methods, recommended fixes, and dependency graphs.

Review issues

Issues are the essential components of SCA Agent-based Scan. You use issues to track and take action on vulnerabilities, out-of-date libraries, and software licensing concerns for open-source libraries in a specific software project. You can also import issues into ticketing systems.

Issues are unique to a specific project as well as the library and corresponding version. If you scan multiple tags or branches in the same project, the results might contain duplicate issues. See How branches and tags affect issues.

If a library is updated to a different version that also includes the same vulnerability, Veracode SCA creates a new issue that references the new version. The new issue automatically replaces the old issue because the older version is no longer in use.

View issue details

Because issues uniquely relate to a specific library and version, the details for an issue make it much easier to fix.

For information on viewing issue details with the SCA Agent REST API, see the SCA Agent REST API.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select the workspace for which you want to view issues.
  4. If you want to view issues for an individual project, select Projects, then select a project.
  5. In the list of issues, select the Issue ID link of the issue for which you want to see details.

The details of the issue appear. They can include library fix information for vulnerabilities, license details for license violations, and update information for out-of-date libraries.

Issues are assigned a severity level that helps you prioritize your actions for remediation. The severity level of vulnerabilities ranges from 1 to 10. You can also filter and customize the view to prioritize the most critical issues. If a scan identifies a malicious library in your code, it assigns a severity level of 10, signaling that the library poses a significant threat to your codebase.

Ignore issues

SCA Agent-based Scan provides accurate, up-to-date vulnerability information, but not all issues apply to your code. For this reason, Veracode SCA allows you to suppress issues if you want to prevent them from causing your build pipeline to fail.

Ignoring issues affects your pipeline only when you have configured your SCA rules to generate an error instead of a warning and you need exceptions that let a build bypass that error. Ignoring an issue is not the same as closing an issue.

If you ignore an issue, the issue remains ignored in future scans of the project, even if the issue severity changes or a subsequent scan finds a vulnerable method.

note

For projects linked to application profiles, ignoring an issue has no impact on the status of any mitigation actions for the application. A reviewer still needs to review proposed mitigations in the Veracode Platform or with the Veracode APIs.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view issues for an individual project, select Projects, then select a project.
  5. Select the checkbox next to the issues you want to ignore.
  6. Select Actions > Ignore.
  7. Select Ignore Forever or Ignore Temporarily.
  8. If you select Ignore Temporarily, select a date. Veracode will ignore the issue until 11:59 PM UTC on the selected date.
  9. Enter a comment explaining why you are ignoring the issues.
  10. Select Confirm ignore issue.
  11. Select Finish.

Results:

Anyone who has access to the workspace can view the comment.

Unignore issues

If you mistakenly ignored an issue or decide that an issue should now be tracked, you can unignore it.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view issues for an individual project, select Projects, then select a project.
  5. To view the list of ignored issues, change the Active issues filter to Ignored.
  6. Select the ignored issues.
  7. Select Actions > Unignore.
  8. Enter a comment explaining why you are unignoring the issues.
  9. Select Confirm unignore issue.
  10. Select Finish.

Results:

Anyone who has access to the workspace can view the comment.

Add comments to issues

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view issues for an individual project, select Projects, then select a project.
  5. Select the issue ID.
  6. Select the Comment action in the top-right corner of the issue detail view.
  7. Enter your comment in the text box.
  8. Select Finish.

Results:

The comments now appear in the issue history list.

View comments on issues

A red dot next to the Comment action on the Issue page indicates that there are comments on an issue.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view issues for an individual project, select Projects, then select a project.
  5. Select the issue ID.
  6. Select the Show History action in the top right-hand corner of the issue detail view.

Review vulnerabilities

Vulnerabilities represent the set of security concerns across a project or workspace. Viewing vulnerability details allows you to view information across all versions of a specific vulnerability, such as libraries in which the agent-based scan has found it.

Unlike issues of type Vulnerability, Veracode SCA counts each vulnerability only once within the context of a workspace, even if the same library and corresponding vulnerabilities exist across multiple projects. Also, you cannot ignore vulnerabilities, which means the number of vulnerabilities could be greater than the number of issues of type Vulnerability.

Veracode uses multiple data sources for vulnerabilities: Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD), and Veracode vulnerabilities (SRCCLR) from the Veracode Vulnerability Database.

To find vulnerabilities outside the NVD, Veracode researchers curate and validate public database entries and track developer lists, code commits and releases, discussion forums, underground bulletin boards, and social chatter. The technology uses machine learning, extracting patterns from known vulnerabilities and applying new techniques and theories. SCA Agent-based Scan uses clone verification to validate versions are patched as intended.

Vulnerability risk levels

The following table describes the risk level of vulnerabilities in open-source libraries. To determine the risk level of the libraries in your project, Veracode SCA uses the Common Vulnerability Scoring System (CVSS) v3.0 rating assigned to the Common Vulnerabilities and Exposures (CVE) ID for a given vulnerability.

Vulnerability risk level | CVSS score range | Description
Critical | 9.0-10.0 | A very serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks.
High | 7.0-8.9 | A serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks.
Medium | 4.0-6.9 | A moderate weakness that might be an easy target for an attacker to exploit. Fix this vulnerability after fixing all Critical and High vulnerabilities.
Low | 0.1-3.9 | A low weakness that an attacker might exploit. Consider fixing this vulnerability after fixing all Critical, High, and Medium vulnerabilities.

Vulnerability data sources

The Veracode Platform may list two different data sources in the Vulnerability column for vulnerabilities: a CVE ID indicates that the vulnerability came from the NVD and a SRCCLR ID indicates that the vulnerability came from the Veracode Vulnerability Database.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view vulnerabilities for an individual project, select Projects, then select a project.
  5. Select Vulnerabilities.
  6. In the list of vulnerabilities, select the Vulnerability link for a given issue. The Veracode Vulnerability Database opens in a browser tab.
  7. View the vulnerability details in the left navigation menu.

About exploitability information

Veracode SCA provides the following exploitability information that you can combine with vulnerability severity ratings to prioritize what to fix first.

  • Exploit Prediction Scoring System (EPSS) attempts to calculate the probability that a hacker will exploit a vulnerability.
  • Exploit Observed determines whether a hacker has already exploited a vulnerability or the vulnerable code is public.

EPSS

First.org, the organization that created the Common Vulnerability Scoring System (CVSS), developed the Exploit Prediction Scoring System (EPSS). EPSS has two components: probability and percentile.

  • EPSS probability: the EPSS model produces an epss_score between 0 and 1 (0% to 100%) that estimates the probability that a software vulnerability will be exploited in the next 30 days. The higher the score, the greater the probability that a vulnerability will be exploited.
  • EPSS percentile: the EPSS model also provides the epss_percentile of the current EPSS score, which shows the percentage of all vulnerabilities with the same or lower EPSS scores.

EPSS data is updated daily. Only vulnerabilities with an assigned CVE number published by cve.org have an EPSS score. For example, SRCCLR-SID-1538 has no EPSS score because it does not have a CVE number, and CVE-2014-1862 has no EPSS score because its status is reserved, not published.

Exploit observed

When an exploit is observed in the wild or when proof of concept (POC) code becomes publicly available, the exploit_observed field is true and the exploit_source field displays the source of this information. Veracode’s sources are the Exploit-DB from OffSec and the Known Exploited Vulnerabilities (KEV) catalog from the Cybersecurity & Infrastructure Security Agency (CISA).
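The risk-level table, the EPSS fields, and the exploit-observed flag are meant to be combined when deciding what to fix first. The following script is an added example, not Veracode's code: it builds records in the shape of the `vulnerabilities` array that `srcclr lookup --json` prints, maps each `cvss3Score` to the risk level from the table above, reads `epssScore`, `epssPercentile` and `exploitObserved` from the `exploitability` object, and orders the records so that observed exploits come first, then higher risk level, then higher EPSS probability. The three CVE entries reuse the values from the json-smart 1.3 lookup shown later on this page; the fourth entry is constructed to show a record that has no CVE (and therefore no EPSS match) but an observed exploit, and its `title` and `epssStatus` values are placeholders.

```python
"""Rank SCA vulnerability records by combining the CVSS v3 risk levels
with the EPSS and exploit-observed exploitability fields.

Added example, not Veracode's code.  Records mirror the shape of the
`vulnerabilities` array from `srcclr lookup --json`; the CVE entries use
values from the json-smart 1.3 lookup on this page, the fourth entry is
constructed (no CVE, so no EPSS match, but an observed exploit).
"""

# CVSS v3 score ranges from the "Vulnerability risk levels" table.
RISK_LEVELS = (
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
)
RISK_RANK = {name: rank for rank, (name, _, _) in enumerate(RISK_LEVELS)}

SAMPLE_VULNERABILITIES = [
    {   # values from the page's lookup output
        "cve": "2021-27568", "title": "Denial Of Service (DoS)",
        "cvss3Score": 5.9, "hasExploits": False,
        "exploitability": {"cveFull": "CVE-2021-27568", "epssStatus": "match found",
                           "epssScore": 0.00963, "epssPercentile": 0.83442,
                           "exploitObserved": False},
    },
    {
        "cve": "2021-31684", "title": "Denial Of Service (DoS)",
        "cvss3Score": 7.5, "hasExploits": False,
        "exploitability": {"cveFull": "CVE-2021-31684", "epssStatus": "match found",
                           "epssScore": 0.01111, "epssPercentile": 0.84658,
                           "exploitObserved": False},
    },
    {
        "cve": "2023-1370", "title": "Denial Of Service (DoS)",
        "cvss3Score": 7.5, "hasExploits": False,
        "exploitability": {"cveFull": "CVE-2023-1370", "epssStatus": "match found",
                           "epssScore": 0.00105, "epssPercentile": 0.43387,
                           "exploitObserved": False},
    },
    {   # constructed placeholder: no CVE, hence no EPSS; exploit observed
        "cve": None, "title": "Constructed: no CVE",
        "cvss3Score": 4.3, "hasExploits": False,
        "exploitability": {"cveFull": None, "epssStatus": "no match (constructed)",
                           "exploitObserved": True, "exploitSource": "constructed"},
    },
]


def risk_level(cvss3_score):
    """Map a CVSS v3 score (one decimal place) to the table's risk level;
    scores below 0.1 fall outside every range and return "None"."""
    for name, low, high in RISK_LEVELS:
        if low <= cvss3_score <= high:
            return name
    return "None"


def epss_fields(record):
    """Return (epss_score, epss_percentile), or (None, None) when the
    record has no published CVE and therefore no EPSS match."""
    ex = record.get("exploitability") or {}
    if ex.get("epssStatus") != "match found":
        return None, None
    return ex.get("epssScore"), ex.get("epssPercentile")


def priority_key(record):
    """Sort key: observed exploits first, then higher risk level, then
    higher EPSS probability; records without EPSS sort last in their level."""
    ex = record.get("exploitability") or {}
    observed = bool(ex.get("exploitObserved")) or bool(record.get("hasExploits"))
    level = risk_level(record["cvss3Score"])
    epss, _ = epss_fields(record)
    epss_sort = -epss if epss is not None else 1.0
    return (0 if observed else 1, RISK_RANK.get(level, len(RISK_LEVELS)), epss_sort)


def prioritize(records):
    """Order records by priority_key and summarise the fields used."""
    summary = []
    for rec in sorted(records, key=priority_key):
        ex = rec.get("exploitability") or {}
        epss, percentile = epss_fields(rec)
        summary.append({
            "id": ex.get("cveFull") or rec.get("title"),
            "risk": risk_level(rec["cvss3Score"]),
            "epss": epss,
            "epss_percentile": percentile,
            "observed": bool(ex.get("exploitObserved")) or bool(rec.get("hasExploits")),
        })
    return summary


if __name__ == "__main__":
    for row in prioritize(SAMPLE_VULNERABILITIES):
        print(row)
```

With these inputs the constructed observed-exploit record sorts first despite its Medium score, the two High findings follow ordered by EPSS probability, and CVE-2021-27568 comes last even though its EPSS percentile is high, because the ranking weights risk level above EPSS; swap the key order if your policy weights likelihood above impact.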

Review libraries

Libraries represent each open-source library that SCA agents identified within a code project during scanning. Veracode SCA maintains a database based on data from the following open-source library repositories.

View library details

Viewing library details allows you to collect a wide variety of information, including vulnerable version ranges for the library, other libraries that could be subject to particular vulnerabilities, and resources for finding more information.

You can also perform this task with the SCA REST API.

To complete this task:

  1. Open the Veracode Platform to a workspace or project page and select Libraries.
  2. Select a library name in the Library column. The Veracode Vulnerability Database opens in a new browser tab with details of the vulnerabilities associated with the library.

View unmatched libraries

You can filter your library list to view the libraries found in your project that the SCA scan engine does not recognize.

When scanning a project, Veracode SCA identifies each library that it recognizes. This identification allows the agent-based scan to determine and display the licenses, vulnerabilities, and custom rules associated with the library. Veracode SCA may not recognize libraries if they are internal, modified, or not available from the sources that the scan tracks.

To view your unmatched libraries from the Library List of your workspace or project, select the Library List dropdown menu and select Unmatched Libraries.

Unmatched libraries do not include licenses, vulnerabilities, or custom rules.

Veracode SCA pulls data for its matched libraries from the following sources:

Review license risk

Before using third-party, open-source components, we recommend reviewing the license and associated risk to understand the implications of using the component in your application.

Licenses consist of the software license information associated with each open-source library. Veracode Software Composition Analysis maintains license information by staying up-to-date with several open-source library repositories. This information can help you avoid issues relating to copyleft licenses or keep track of the licenses in use across a set of libraries.

Important

Review the Veracode legal disclaimer before acting upon the license information listed in the SCA results for your application.

The License List table for each workspace and project provides details of all the licenses identified in your agent-based scans, including the library in which Veracode Software Composition Analysis found the license and the license risk rating.

License risk rating | Risk details
Low | Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code.
Medium | Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms.
High | High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms.
Non-OSS | Non-OSS indicates that this file could be subject to commercial license terms. If so, you should refer to your applicable license agreement with such vendor for additional information.
Unrecognized | Unrecognized indicates that no license was found for the component. However, this does not indicate that there is no risk associated with the license.

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability, and you can commit your code.

Download reports

You can download a PDF report of your agent-based scan workspace findings that provides vulnerability statistics for your application.

note

Projects that do not have a default branch set in their project settings do not appear in the PDF report.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. From the Workspace List page, find the workspace for which you want to download a report.

  4. In the Actions column, select the download icon. The Agent-Based Scan SCA Security Report downloads to your browser as a PDF.

  5. To navigate directly to different sections of the report, select the titles on the cover page.

    • Executive Summary: a high-level summary of your findings by severity and license risk
    • Project Summary: information on your scan activity and number of findings by project
    • Issues by Project: details on the vulnerabilities in the project
    • Veracode Agent-Based Scan Methodology: information on how Veracode conducts security research and determines vulnerability scoring

Export scan results

You can export the results of your agent-based scans as a CSV file. You can filter the results by scan date and by issue type.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace from the workspace list.

  4. From the Scan Date dropdown menu, select the timeframe of scans to include in the results.

    note

    If you select All dates or More than 7 days ago, you cannot export the results.

  5. From the Issues List dropdown menu, select the issue type to include in the results.

  6. Select the download icon, then select Export to CSV. Your browser downloads the CSV file containing the details of the requested issues.

Example results output

This section describes the JSON output and related commands for the SCA agent.

Single library lookup

Look up the release and vulnerability information found in the Veracode Vulnerability Database for a single library with the agent:

srcclr lookup --type=maven --coord1=net.minidev --coord2=json-smart \
--version=1.3 --json

Returns the following JSON response:

{
"metadata" : {
"requestDate" : "2024-07-11T16:48:09.996+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "LOOKUP"
},
"graphs" : [ ],
"libraries" : [ {
"name" : "JSON Small and Fast Parser",
"description" : "JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaS",
"author" : null,
"authorUrl" : "https://urielch.github.io/",
"language" : "JAVA",
"coordinateType" : "MAVEN",
"coordinate1" : "net.minidev",
"coordinate2" : "json-smart",
"bugTrackerUrl" : null,
"codeRepoType" : null,
"codeRepoUrl" : "https://github.com/netplex/json-smart-v2",
"latestRelease" : "2.5.1",
"latestReleaseDate" : "2024-03-21T00:00:00.000+00:00",
"recommendedVersion" : "2.4.10",
"versions" : [ {
"version" : "1.3",
"releaseDate" : "2014-08-12T20:18:36.000+00:00",
"sha1" : "1c451cab0b07b527b66b964a427988daf66dd2da",
"sha2" : "5ac5e8bd5c43426399967caf3e7141cc6805e6dd52d5514db526bc07bac20403",
"bytecodeHash" : "9dd8c048e023b944a5e29b7dd57244bbc3717538549af9128c05ce8504927fb0",
"platform" : "",
"licenses" : [ {
"name" : "APACHE20",
"license" : "Apache License 2.0 (Apache-2.0)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "Apache-2.0"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1129?version=1.3"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1129"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2021-02-23T00:00:00.000+00:00",
"cve" : "2021-27568",
"title" : "Denial Of Service (DoS)",
"overview" : "json-smart is vulnerable to denial of service (DoS) attacks. An unhandled NumberFormatException thrown from the function `extractFloat` in `JSONParserBase.java` allows a remote attacker to crash programs or leak sensitive information.\n\n",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 4.3,
"cvss3Score" : 5.9,
"cvssVector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-27568",
"epssStatus" : "match found",
"epssScore" : 0.00963,
"epssPercentile" : 0.83442,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "1.3.2",
"versionRange" : "1.1-1.3.1",
"fixText" : "",
"patch" : "https://github.com/netplex/json-smart-v1/commit/d07cf9fea7d462e54c162d552538c0536b50ca87"
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/29743"
}
}, {
"disclosureDate" : "2021-04-16T00:00:00.000+00:00",
"cve" : "2021-31684",
"title" : "Denial Of Service (DoS)",
"overview" : "json-smart is vulnerable to denial of service (DoS). An unhandled ArrayIndexOutOfBoundsException thrown from the indexOf function of JSONParserByteArray allows a remote attacker to crash the program or leak confidential information.",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 5.0,
"cvss3Score" : 7.5,
"cvssVector" : "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-31684",
"epssStatus" : "match found",
"epssScore" : 0.01111,
"epssPercentile" : 0.84658,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "2.4.5",
"versionRange" : "1.1-1.3.3",
"fixText" : "",
"patch" : ""
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/30772"
}
}, {
"disclosureDate" : "2023-03-22T00:00:00.000+00:00",
"cve" : "2023-1370",
"title" : "Denial Of Service (DoS)",
"overview" : "net.minidev, json-smart is vulnerable to Denial Of Service (DoS). The vulnerability exists because there is no nested depth checks for deeply nested JSON arrays or objects, which allows an attacker to crash the application via a malicious array with deeply nested elements.",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 7.8,
"cvss3Score" : 7.5,
"cvssVector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2023-1370",
"epssStatus" : "match found",
"epssScore" : 0.00105,
"epssPercentile" : 0.43387,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "2.4.10",
"versionRange" : "1.0.6.3-2.4.8",
"fixText" : "",
"patch" : "https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a"
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/39936"
}
} ],
"componentMetrics" : [ {
"JSON Small and Fast Parser" : {
"metricsStatus" : "match found",
"libraryId" : 1129,
"codeRepoUrl" : "https://github.com/netplex/json-smart-v2",
"age" : 2526,
"stagnation" : 34,
"filesChanged" : 1034,
"linesAdded" : 29189,
"linesRemoved" : 12882,
"numCommitsPast12Months" : 52,
"numCommitsPast30Days" : 0,
"numCommitters" : 13,
"numberOfCommits" : 144,
"lastRefresh" : null,
"_links" : {
"ref" : "/records/0/libraries/0"
}
}
} ]
} ]
}
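Two things a practitioner usually wants from this output are not printed directly: which of the listed vulnerabilities actually contain the looked-up version (each `versionRange` is an inclusive low-high span), and the single version to upgrade to so that every affected range is left behind. The script below is an added example, not Veracode's code. `LOOKUP_JSON` is a trimmed copy of the json-smart 1.3 response above, keeping only the fields the code reads; it checks each `versionRange` against the looked-up version and takes the highest `updateToVersion` among the hits as the upgrade target, which here agrees with the `recommendedVersion` the service returned. It also goes one step beyond the lookup output: `SCAN_GRAPH` is a fragment, trimmed from the `srcclr scan --json` output in the next section, in the shape of its `graphs` array (nested `directs` under `coords`), and `paths_to` walks it to show which direct dependency pulls a given transitive library in. The simple dotted-integer version parser is an assumption of this example and treats non-numeric components as 0.

```python
"""Work out which lookup vulnerabilities affect the queried version, what
version to upgrade to, and which direct dependency drags in a transitive
library in a scan dependency graph.

Added example, not Veracode's code.  LOOKUP_JSON is a trimmed copy of the
json-smart 1.3 lookup response on this page; SCAN_GRAPH is a fragment of
the scan output's `graphs` array, trimmed to the fields used here.
"""
import json

LOOKUP_JSON = json.dumps({
    "records": [{
        "libraries": [{"name": "JSON Small and Fast Parser",
                       "recommendedVersion": "2.4.10",
                       "versions": [{"version": "1.3"}]}],
        "vulnerabilities": [
            {"cve": "2021-27568", "libraries": [{"details": [
                {"updateToVersion": "1.3.2", "versionRange": "1.1-1.3.1"}]}]},
            {"cve": "2021-31684", "libraries": [{"details": [
                {"updateToVersion": "2.4.5", "versionRange": "1.1-1.3.3"}]}]},
            {"cve": "2023-1370", "libraries": [{"details": [
                {"updateToVersion": "2.4.10", "versionRange": "1.0.6.3-2.4.8"}]}]},
        ],
    }]
})

# Trimmed from the page's scan output: the root node's coordinate1 is
# "<undefined>" (the scanned project itself), children live under "directs".
SCAN_GRAPH = {
    "coords": {"coordinate1": "<undefined>", "version": "<undefined>"},
    "directs": [
        {"coords": {"coordinate1": "github.com/simeji/jid", "version": "v0.7.6"},
         "directs": [
             {"coords": {"coordinate1": "github.com/mattn/go-runewidth", "version": "v0.0.4"},
              "directs": []},
             {"coords": {"coordinate1": "github.com/nwidger/jsoncolor", "version": "HEAD"},
              "directs": [
                  {"coords": {"coordinate1": "github.com/fatih/color", "version": "v1.7.0"},
                   "directs": [
                       {"coords": {"coordinate1": "github.com/mattn/go-isatty", "version": "v0.0.4"},
                        "directs": []}]}]}]},
        {"coords": {"coordinate1": "github.com/google/go-querystring", "version": "v1.0.0"},
         "directs": []},
    ],
}


def parse_version(text, width=4):
    """'1.3' -> (1, 3, 0, 0); a leading 'v' is dropped and non-numeric
    components count as 0 (assumption of this example, adequate for the
    dotted versions in the page's output)."""
    parts = [int(p) if p.isdigit() else 0 for p in text.lstrip("v").split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def in_range(version, version_range):
    """True when `version` lies within an inclusive 'low-high' versionRange."""
    low, high = version_range.split("-", 1)
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_vulnerabilities(lookup_json):
    """(cve, updateToVersion) for each detail whose range contains the
    looked-up version."""
    record = json.loads(lookup_json)["records"][0]
    version = record["libraries"][0]["versions"][0]["version"]
    hits = []
    for vuln in record["vulnerabilities"]:
        for lib in vuln["libraries"]:
            for detail in lib["details"]:
                if in_range(version, detail["versionRange"]):
                    hits.append((vuln["cve"], detail["updateToVersion"]))
    return hits


def upgrade_target(lookup_json):
    """Highest updateToVersion among the hits: the smallest single version
    that clears every affected range."""
    hits = affected_vulnerabilities(lookup_json)
    return max((v for _, v in hits), key=parse_version) if hits else None


def paths_to(node, coordinate1, path=()):
    """Depth-first walk over nested `directs`; yields each chain of
    coordinate1 names from a direct dependency down to `coordinate1`."""
    name = node["coords"]["coordinate1"]
    here = path + ((name,) if name != "<undefined>" else ())
    if name == coordinate1 and here:
        yield here
    for child in node.get("directs", []):
        yield from paths_to(child, coordinate1, here)


if __name__ == "__main__":
    print(affected_vulnerabilities(LOOKUP_JSON))
    print("upgrade to", upgrade_target(LOOKUP_JSON))
    for chain in paths_to(SCAN_GRAPH, "github.com/mattn/go-isatty"):
        print(" -> ".join(chain))
```

Because version 1.3 sits inside all three ranges, the upgrade target is 2.4.10 rather than the 1.3.2 that would close only the first CVE; upgrading to `updateToVersion` of a single issue can leave the library inside another issue's range, which is why the maximum across hits is taken. The graph walk reports that `github.com/mattn/go-isatty` arrives only through `jid -> jsoncolor -> color`, so the direct dependency to bump is `github.com/simeji/jid`.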

Scan exports

Export the results of a single scan:

srcclr scan --json --url https://github.com/veracode/example-go-modules --component-metrics

The scan command returns this JSON response:

{
"metadata" : {
"requestDate" : "2024-07-11T16:51:22.852+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "SCAN",
"report" : "https://sca.analysiscenter.veracode.com/teams/Abcdef1/scans/1234567"
},
"graphs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "<undefined>",
"coordinate2" : null,
"version" : "<undefined>",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : null,
"version" : "v0.7.6",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : null,
"version" : "v0.5.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : null,
"version" : "v0.8.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "75a6de4340e5"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : null,
"version" : "v1.7.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : null,
"version" : "v0.0.9",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "60ab7e3d12ed"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : null,
"version" : "v0.3.5",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : null,
"version" : "v17.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : null,
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"libraries" : [ {
"name" : "github.com/bitly/go-simplejson",
"description" : "a Go package to interact with arbitrary JSON",
"author" : "bitly",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/bitly/go-simplejson",
"latestRelease" : "v0.5.1",
"latestReleaseDate" : "2023-06-06T14:49:55.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.5.0",
"releaseDate" : "2015-09-15T16:53:35.000+00:00",
"sha1" : "846c7b6e3e469d6e8febcf9eb619d25be2883413",
"sha2" : "4c9370efdfdcdc906381547a31ae763b73b7b08848b463f29b4528e0c36a67e0",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486?version=v0.5.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486"
}
}, {
"name" : "github.com/fatih/color",
"description" : "Color package for Go (golang)",
"author" : "fatih",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/fatih/color",
"latestRelease" : "v1.17.0",
"latestReleaseDate" : "2024-04-08T12:08:58.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.7.0",
"releaseDate" : "2018-05-15T20:53:03.000+00:00",
"sha1" : "2a069819cb9f959a530d19621020c6b69a0857aa",
"sha2" : "0ea15ffabde9c289b32944b8c360a3b1f96e7864f8e48a99aead3abee91f9de8",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488?version=v1.7.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488"
}
}, {
"name" : "github.com/google/go-github",
"description" : "Go library for accessing the GitHub v3 API",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-github",
"latestRelease" : "v62.0.0",
"latestReleaseDate" : "2024-05-11T00:01:25.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v17.0.0",
"releaseDate" : "2018-08-10T17:15:20.000+00:00",
"sha1" : "ab711ca90af2eafa9a0798a2dd45d67b1ad228e3",
"sha2" : "4ed2a04eba017a3d1aeda96fb8b579dce45098d57434f99ef0dd93ca1fac341c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153?version=v17.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153"
}
}, {
"name" : "github.com/google/go-querystring",
"description" : "go-querystring is Go library for encoding structs into URL query strings.",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-querystring",
"latestRelease" : "v1.0.0",
"latestReleaseDate" : "2018-09-16T13:16:37.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.0.0",
"releaseDate" : "2018-09-16T13:16:37.000+00:00",
"sha1" : "145c5d2a6c301c7055cf60dcaf5834577fdc78d8",
"sha2" : "94d843845492489029f02e963fc578abe0791409346fda855a86982c518b424c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228?version=v1.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228"
}
}, {
"name" : "github.com/mattn/go-colorable",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-colorable",
"latestRelease" : "v0.1.13",
"latestReleaseDate" : "2022-08-15T05:53:26.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.9",
"releaseDate" : "2017-08-01T03:06:07.000+00:00",
"sha1" : "0f27aa4489dbd551d1558923dc7321d99066df0c",
"sha2" : "4929db31151a0f290ed2db22d5a0b90ecf2e27a2a8edea8f30e06783047f7da7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489?version=v0.0.9"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489"
}
}, {
"name" : "github.com/mattn/go-isatty",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-isatty",
"latestRelease" : "v0.0.20",
"latestReleaseDate" : "2023-10-17T07:28:21.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2017-11-07T05:05:31.000+00:00",
"sha1" : "0bc5835e0ff641347637593786d86d2e5bf0b82e",
"sha2" : "45c17873e1dca46bb33f3e2c34d3cb41cb0223bc828130fbb29b9c98b7b691cf",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484"
}
}, {
"name" : "github.com/mattn/go-runewidth",
"description" : "wcwidth for golang",
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-runewidth",
"latestRelease" : "v0.0.15",
"latestReleaseDate" : "2023-07-23T16:42:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2018-12-10T06:59:43.000+00:00",
"sha1" : "b76f7634c6bc1901bfd7c19d6e760691c501647e",
"sha2" : "5d3475bba223c24e61acc98e40c3fe94352600165e5b9d29e00e4a9994c05d28",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485"
}
}, {
"name" : "github.com/nsf/termbox-go",
"description" : "Pure Go termbox implementation",
"author" : "nsf",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nsf/termbox-go",
"latestRelease" : "v1.1.1",
"latestReleaseDate" : "2021-04-21T21:08:13.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2022-02-26T16:59:14.000+00:00",
"sha1" : "c830276a0978a9ed515d8cdef949e52043e77e57",
"sha2" : "fac5ade7c7aa1da780569fc17d8a6d92269fe7bf3a1cc30f7536153a428d9ac7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482"
}
}, {
"name" : "github.com/nwidger/jsoncolor",
"description" : "Colorized JSON output for Go https://godoc.org/github.com/nwidger/jsoncolor",
"author" : "nwidger",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nwidger/jsoncolor",
"latestRelease" : "v0.3.2",
"latestReleaseDate" : "2023-03-21T23:52:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2023-05-21T12:31:00.000+00:00",
"sha1" : "00a15388dda6d719be26a60fbf61d497f12b267c",
"sha2" : "709df6ad8078ca89935c1ba672eae0496110f1cdc8402c9cd63ce812ac815518",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483"
}
}, {
"name" : "github.com/pkg/errors",
"description" : "Simple error handling primitives",
"author" : "pkg",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/pkg/errors",
"latestRelease" : "v0.9.1",
"latestReleaseDate" : "2020-01-14T19:47:44.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.8.0",
"releaseDate" : "2016-09-29T01:48:01.000+00:00",
"sha1" : "0d8a444154964eb986fa87e864969eb117a00e86",
"sha2" : "26c9a83605db95ab1e34941538ad048f069d97116fd2d5e6d2f49893b7705440",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD2",
"license" : "BSD 2-Clause \"Simplified\" or \"FreeBSD\" License (BSD-2-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-2-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384?version=v0.8.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384"
}
}, {
"name" : "github.com/simeji/jid",
"description" : "json incremental digger",
"author" : "simeji",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/simeji/jid",
"latestRelease" : "v0.7.6",
"latestReleaseDate" : "2019-03-31T19:19:17.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.7.6",
"releaseDate" : "2019-03-31T19:19:17.000+00:00",
"sha1" : "64633c7732f5aa26707af9c4893752b0e1313052",
"sha2" : "e6419dfab3a6c8929277368aaa8cca39e5c74b35ed446c4093120b75496d2d80",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487?version=v0.7.6"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487"
}
}, {
"name" : "golang.org/x/text",
"description" : null,
"author" : "",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://go.googlesource.com/text",
"latestRelease" : "v0.16.0",
"latestReleaseDate" : "2024-05-14T20:26:09.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.3.5",
"releaseDate" : "2020-12-08T00:13:44.000+00:00",
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
}, {
"name" : "BSD3CLEAR",
"license" : "BSD 3-Clause Clear License",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause-Clear"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430?version=v0.3.5"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2021-08-18T00:00:00.000+00:00",
"cve" : "2021-38561",
"title" : "Denial Of Service (DoS)",
"overview" : "github.com/golang/text is vulnerable to Denial Of Service (DoS). The vulnerability exists because an incorrectly formatted language tag may cause the parse to panic due to an out of bounds read, resulting in an application crash.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 5.0,
"cvss3Score" : 7.5,
"cvssVector" : "",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-38561",
"epssStatus" : "match found",
"epssScore" : 0.00101,
"epssPercentile" : 0.42071,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.7",
"versionRange" : "v0.1.0-v0.3.6",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/383b2e75a7a4198c42f8f87833eefb772868a56f"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/35167"
}
}, {
"disclosureDate" : "2022-10-11T00:00:00.000+00:00",
"cve" : "2022-32149",
"title" : "Denial Of Service (DoS)",
"overview" : "golang.org/x/text is vulnerable to denial of service. The vulnerability exists in the `ParseAcceptLanguage` function of `parse.go`, allowing an attacker to cause an application crash through the maliciously crafted Accept-Language header.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 4.3,
"cvss3Score" : 7.5,
"cvssVector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2022-32149",
"epssStatus" : "match found",
"epssScore" : 0.00239,
"epssPercentile" : 0.62282,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.8",
"versionRange" : "v0.1.0-v0.3.7",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/37577"
}
} ],
"unmatchedLibraries" : [ ],
"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ],
"componentMetrics" : [ {
"github.com/bitly/go-simplejson" : {
"age" : 2988,
"codeRepoUrl" : "https://github.com/bitly/go-simplejson",
"filesChanged" : 64,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885486,
"linesAdded" : 1178,
"linesRemoved" : 1124,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 9,
"numberOfCommits" : 22,
"stagnation" : 392
},
"links" : [ {
"ref" : "/records/0/libraries/0"
} ]
}, {
"github.com/fatih/color" : {
"age" : 2385,
"codeRepoUrl" : "https://github.com/fatih/color",
"filesChanged" : 3001,
"lastRefresh" : null,
"libraryId" : 885488,
"linesAdded" : 671836,
"linesRemoved" : 670580,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 21,
"numCommitsPast30Days" : 0,
"numCommitters" : 26,
"numberOfCommits" : 115,
"stagnation" : 73
},
"links" : [ {
"ref" : "/records/0/libraries/1"
} ]
}, {
"github.com/google/go-github" : {
"age" : 3458,
"codeRepoUrl" : "https://github.com/google/go-github",
"filesChanged" : 7412,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885153,
"linesAdded" : 258960,
"linesRemoved" : 76338,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 214,
"numCommitsPast30Days" : 9,
"numCommitters" : 708,
"numberOfCommits" : 1882,
"stagnation" : 0
},
"links" : [ {
"ref" : "/records/0/libraries/2"
} ]
}, {
"github.com/google/go-querystring" : {
"age" : 3312,
"codeRepoUrl" : "https://github.com/google/go-querystring",
"filesChanged" : 80,
"lastRefresh" : "03-Jul-2024",
"libraryId" : 859228,
"linesAdded" : 1085,
"linesRemoved" : 393,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 4,
"numCommitsPast30Days" : 0,
"numCommitters" : 14,
"numberOfCommits" : 55,
"stagnation" : 54
},
"links" : [ {
"ref" : "/records/0/libraries/3"
} ]
}, {
"github.com/mattn/go-colorable" : {
"age" : 2433,
"codeRepoUrl" : "https://github.com/mattn/go-colorable",
"filesChanged" : 188,
"lastRefresh" : null,
"libraryId" : 885489,
"linesAdded" : 1936,
"linesRemoved" : 661,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 12,
"numCommitsPast30Days" : 2,
"numCommitters" : 20,
"numberOfCommits" : 129,
"stagnation" : 10
},
"links" : [ {
"ref" : "/records/0/libraries/4"
} ]
}, {
"github.com/mattn/go-isatty" : {
"age" : 3189,
"codeRepoUrl" : "https://github.com/mattn/go-isatty",
"filesChanged" : 230,
"lastRefresh" : "06-Jul-2024",
"libraryId" : 885484,
"linesAdded" : 1291,
"linesRemoved" : 544,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 1,
"numCommitsPast30Days" : 0,
"numCommitters" : 29,
"numberOfCommits" : 127,
"stagnation" : 263
},
"links" : [ {
"ref" : "/records/0/libraries/5"
} ]
}, {
"github.com/mattn/go-runewidth" : {
"age" : 2807,
"codeRepoUrl" : "https://github.com/mattn/go-runewidth",
"filesChanged" : 257,
"lastRefresh" : null,
"libraryId" : 885485,
"linesAdded" : 8579,
"linesRemoved" : 6222,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 15,
"numCommitsPast30Days" : 0,
"numCommitters" : 15,
"numberOfCommits" : 134,
"stagnation" : 42
},
"links" : [ {
"ref" : "/records/0/libraries/6"
} ]
}, {
"github.com/nsf/termbox-go" : {
"age" : 2584,
"codeRepoUrl" : "https://github.com/nsf/termbox-go",
"filesChanged" : 226,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885482,
"linesAdded" : 3458,
"linesRemoved" : 692,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 54,
"numberOfCommits" : 150,
"stagnation" : 875
},
"links" : [ {
"ref" : "/records/0/libraries/7"
} ]
}, {
"github.com/pkg/errors" : {
"age" : 1813,
"codeRepoUrl" : "https://github.com/pkg/errors",
"filesChanged" : 272,
"lastRefresh" : null,
"libraryId" : 885384,
"linesAdded" : 4675,
"linesRemoved" : 2035,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 44,
"numberOfCommits" : 160,
"stagnation" : 438
},
"links" : [ {
"ref" : "/records/0/libraries/9"
} ]
}, {
"github.com/simeji/jid" : {
"age" : 2588,
"codeRepoUrl" : "https://github.com/simeji/jid",
"filesChanged" : 354,
"lastRefresh" : "03-Jul-2024",
"libraryId" : 885487,
"linesAdded" : 10060,
"linesRemoved" : 3531,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 4,
"numCommitsPast30Days" : 0,
"numCommitters" : 16,
"numberOfCommits" : 134,
"stagnation" : 359
},
"links" : [ {
"ref" : "/records/0/libraries/10"
} ]
}, {
"golang.org/x/text" : {
"age" : 3408,
"codeRepoUrl" : "https://go.googlesource.com/text",
"filesChanged" : 3019,
"lastRefresh" : "29-Jun-2024",
"libraryId" : 885430,
"linesAdded" : 1034017,
"linesRemoved" : 537980,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 9,
"numCommitsPast30Days" : 0,
"numCommitters" : 74,
"numberOfCommits" : 599,
"stagnation" : 45
},
"links" : [ {
"ref" : "/records/0/libraries/11"
} ]
} ]
} ]
}

The --component-metrics flag is optional. When used, the output includes health metrics for the components identified during the scan. The "componentMetrics" section of the JSON response only lists components for which Veracode successfully retrieved metrics, so a library can appear in "libraries" without a matching "componentMetrics" entry.

Library references for vulnerabilities

Vulnerability entries do not carry the library name directly. Instead, each object in a vulnerability's "libraries" array points to the affected library and version through the "ref" key under "_links", using a path into the same JSON document. For example, to extract the library information for the following vulnerability:

{
"disclosureDate": "2016-04-06T00:00:00.000+00:00",
"cve": "2016-1000027",
"title": "Remote Code Execution (RCE)",
"overview": "spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints regardless of endpoints being authenticated or not, the function `HttpInvokerServiceExporter: readRemoteInvocation` allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.\n",
"language": "JAVA",
"vulnerabilityTypes": ["Other"],
"cvssScore": 7.5,
"cvss3Score": 9.8,
"cvssVector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss3Vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"hasExploits": false,
"exploitability": {
"exploitServiceStatus": "available",
"cveFull": "CVE-2016-1000027",
"epssStatus": "match found",
"epssScore": 0.02444,
"epssPercentile": 0.89864,
"epssScoreDate": "2024-04-30",
"epssModelVersion": "v2023.03.01",
"epssCitation": "See EPSS at https://www.first.org/epss",
"exploitObserved": false
},
"libraries": [
{
"details": [
{
"updateToVersion": "6.0.0",
"versionRange": "4.0.0.M1-5.3.34",
"fixText": "",
"patch": "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f#diff-5b4db0e368d81fcb05337a6147fbc73de0b536109a58cb50acf7e0f40dd61243"
}
],
"_links": {
"ref": "/records/0/libraries/14/versions/0"
}
}
],
"_links": {
"html": "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/22252"
}
}

To obtain the library information, follow the ref with jq. The path segments map directly onto jq's index expressions:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14]'

To see the specific library version the vulnerability applies to, follow the full ref, including the versions index:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14].versions[0]'

Library and vulnerability references for vulnerable methods

The "vulnMethods" section does not include library or vulnerability details directly. Each vulnerable method carries a "links" array in which the "ref" key points to the affected library version and the "vulnerability" key points to the corresponding entry in "vulnerabilities". For example:

"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ]

To extract the library version referenced by this vulnerable method with jq, run:

## "ref" : "/records/0/libraries/11/versions/0"
jq '.records[0].libraries[11].versions[0]'

To extract the vulnerability this method belongs to with jq, run:

## "vulnerability" : "/records/0/vulnerabilities/0"
jq '.records[0].vulnerabilities[0]'

Library references for component metrics

Component metrics entries carry only the library name and the metrics themselves. The rest of the library data is reached through the "ref" key in "links", which points at the library entry rather than at a specific version. For example, to extract the library information for the following component metrics:

{
"golang.org/x/text" : {
"age" : 3408,
"codeRepoUrl" : "https://go.googlesource.com/text",
"filesChanged" : 3019,
"lastRefresh" : "29-Jun-2024",
"libraryId" : 885430,
"linesAdded" : 1034017,
"linesRemoved" : 537980,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 9,
"numCommitsPast30Days" : 0,
"numCommitters" : 74,
"numberOfCommits" : 599,
"stagnation" : 45
},
"links" : [ {
"ref" : "/records/0/libraries/11"
} ]
}

To obtain the full library entry, follow the ref with jq:

## "ref" : "/records/0/libraries/11"
jq '.records[0].libraries[11]'
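The jq one-liners above resolve one ref at a time, and the indices in them belong to a single results file (the vulnerability example points at libraries/14, the Go scan at libraries/11), so they cannot be reused across scans. The following script is an added example, not code from the Veracode documentation or the CLI, that resolves the "ref" and "vulnerability" pointers from all three sections covered above (vulnerabilities, vulnMethods and componentMetrics) generically and joins them into one view: CVE, library, version in use, fix version, whether a vulnerable method is actually called, and the health metrics where they exist. It assumes only the output shape shown on this page; the embedded SAMPLE is a constructed, trimmed stand-in for a real results file so it runs offline, and a real file can be passed as the first argument instead.

```python
"""Resolve the "ref" pointers in Veracode SCA agent-based scan JSON output.

Added example, not code from the Veracode documentation or CLI. It assumes only
the output shape shown on this page: a top-level "records" array whose entries
carry "libraries", "vulnerabilities", "vulnMethods" and "componentMetrics", and
refs of the form "/records/0/libraries/11/versions/0". SAMPLE is a constructed,
trimmed stand-in for a results file so the script runs offline.
"""
import json
import sys

# Constructed sample, same shape as the CLI output but trimmed to the fields the
# resolver reads. Library 1 deliberately has no componentMetrics entry, as
# happens when metrics could not be retrieved for a component.
SAMPLE = json.loads(r'''
{ "records": [ {
  "libraries": [
    { "name": "github.com/pkg/errors", "versions": [ { "version": "v0.8.0" } ] },
    { "name": "golang.org/x/text", "versions": [ { "version": "v0.3.5" } ] } ],
  "vulnerabilities": [
    { "cve": "2021-38561", "cvss3Score": 7.5, "libraries": [ {
        "details": [ { "updateToVersion": "v0.3.7", "versionRange": "v0.1.0-v0.3.6" } ],
        "_links": { "ref": "/records/0/libraries/1/versions/0" } } ] },
    { "cve": "2022-32149", "cvss3Score": 7.5, "libraries": [ {
        "details": [ { "updateToVersion": "v0.3.8", "versionRange": "v0.1.0-v0.3.7" } ],
        "_links": { "ref": "/records/0/libraries/1/versions/0" } } ] } ],
  "vulnMethods": [
    { "calls": [ { "method": { "className": "golang.org/x/text/language", "methodName": "Parse" } } ],
      "links": [ { "ref": "/records/0/libraries/1/versions/0" },
                 { "vulnerability": "/records/0/vulnerabilities/0" } ] } ],
  "componentMetrics": [
    { "github.com/pkg/errors": { "stagnation": 438, "numCommitsPast12Months": 0 },
      "links": [ { "ref": "/records/0/libraries/0" } ] } ]
} ] }
''')

def resolve_ref(doc, ref):
    """Walk "/records/0/libraries/1/versions/0" through doc: numeric segments
    index arrays, other segments index objects. A dangling ref raises instead
    of silently returning None, so a truncated results file fails loudly."""
    node = doc
    for seg in ref.strip("/").split("/"):
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    return node

def library_ref(version_ref):
    """Drop a trailing '/versions/N' to get the ref of the owning library."""
    parts = version_ref.strip("/").split("/")
    if "versions" in parts:
        parts = parts[: parts.index("versions")]
    return "/" + "/".join(parts)

def vulnerability_rows(doc):
    """Join each vulnerability to its library, version and fix version, and flag
    whether a vulnerable method of that CVE is actually called, i.e. whether a
    vulnMethods entry links back to the vulnerability."""
    reachable = {link["vulnerability"] for rec in doc["records"]
                 for vm in rec.get("vulnMethods", []) for link in vm["links"]
                 if "vulnerability" in link}
    rows = []
    for r, rec in enumerate(doc["records"]):
        for v, vuln in enumerate(rec.get("vulnerabilities", [])):
            for lib in vuln["libraries"]:
                ver_ref = lib["_links"]["ref"]
                details = lib.get("details") or [{}]
                rows.append({
                    "cve": vuln["cve"],
                    "library": resolve_ref(doc, library_ref(ver_ref))["name"],
                    "version": resolve_ref(doc, ver_ref)["version"],
                    "fix": details[0].get("updateToVersion"),
                    "vuln_method_called": f"/records/{r}/vulnerabilities/{v}" in reachable,
                })
    return rows

def metrics_by_library(doc):
    """Map library name -> metrics via the ref in each componentMetrics entry.
    Libraries whose metrics were not retrieved are simply absent from the map."""
    out = {}
    for rec in doc["records"]:
        for entry in rec.get("componentMetrics", []):
            ref = next(link["ref"] for link in entry["links"] if "ref" in link)
            name = resolve_ref(doc, ref)["name"]
            # The metrics object sits under a key named after the library; it is
            # the only key in the entry besides "links".
            out[name] = next(val for key, val in entry.items() if key != "links")
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for row in vulnerability_rows(doc):
        print("CVE-{cve}  {library}@{version}  fix: {fix}  "
              "vulnerable method called: {vuln_method_called}".format(**row))
    for name, m in metrics_by_library(doc).items():
        print(f"{name}: stagnation {m['stagnation']}, "
              f"{m['numCommitsPast12Months']} commits in the past 12 months")
```

Two caveats when using this on real output. The "vuln_method_called" flag is only true when the scan found a call chain into a vulnerable method, so treat a False as lower priority rather than as a reason to dismiss the finding; the version range and fix version still apply. And because "componentMetrics" omits components without retrieved metrics, the join in metrics_by_library must tolerate missing entries rather than assume one per library, which is why it builds a map keyed by name instead of indexing by position.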