Veracode SCA agent JSON schema

This document describes the JSON output of the CLI agent used for Veracode Software Composition Analysis (SCA) agent-based scanning, and the commands that produce it.

Single library lookup

Look up the release and vulnerability information found in the Veracode Vulnerability Database for a single library with the agent:

srcclr lookup --type=maven --coord1=org.springframework --coord2=spring-web \
--version=5.3.34 --json

Returns the following JSON response:

{
"metadata" : {
"requestDate" : "2024-04-30T21:36:17.013+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "LOOKUP"
},
"graphs" : [ ],
"libraries" : [ {
"name" : "Spring Web",
"description" : "Spring Web",
"author" : null,
"authorUrl" : "https://github.com/spring-projects/spring-framework",
"language" : "JAVA",
"coordinateType" : "MAVEN",
"coordinate1" : "org.springframework",
"coordinate2" : "spring-web",
"bugTrackerUrl" : "https://github.com/spring-projects/spring-framework/issues",
"codeRepoType" : null,
"codeRepoUrl" : "https://github.com/spring-projects/spring-framework",
"latestRelease" : "6.2.0-M1",
"latestReleaseDate" : "2024-04-11T00:00:00.000+00:00",
"recommendedVersion" : "6.0.0",
"versions" : [ {
"version" : "5.3.34",
"releaseDate" : "2024-04-11T07:41:43.000+00:00",
"sha1" : "a02e806d8a4b0c0c9315c9de8a1e848e9a5dae24",
"sha2" : "f29ef4aac2ea8ff58eb3cda19ff7bdd6e3aab1a2dedfcbb16176bab202324254",
"bytecodeHash" : "3f3cb037ab068b95fdef129fd2f5085351cd35039d4974eedf4d6d185eb6761b",
"platform" : "",
"licenses" : [ {
"name" : "APACHE20",
"license" : "Apache License 2.0 (Apache-2.0)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "Apache-2.0"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1104?version=5.3.34"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1104"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2016-04-06T00:00:00.000+00:00",
"cve" : "2016-1000027",
"title" : "Remote Code Execution (RCE)",
"overview" : "spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints regardless of endpoints being authenticated or not, the function `HttpInvokerServiceExporter: readRemoteInvocation` allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.\n",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Other" ],
"cvssScore" : 7.5,
"cvss3Score" : 9.8,
"cvssVector" : "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2016-1000027",
"epssStatus" : "match found",
"epssScore" : 0.02444,
"epssPercentile" : 0.89864,
"epssScoreDate" : "2024-04-30",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "6.0.0",
"versionRange" : "4.0.0.M1-5.3.34",
"fixText" : "",
"patch" : "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f#diff-5b4db0e368d81fcb05337a6147fbc73de0b536109a58cb50acf7e0f40dd61243"
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/22252"
}
} ]
} ]
}

Scan exports

Export the results of a single scan:

srcclr scan --json --url https://github.com/veracode/example-go-modules

The scan command returns this JSON response:

{
"metadata" : {
"requestDate" : "2024-04-30T21:42:33.421+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "SCAN",
"report" : "https://sca.analysiscenter.veracode.com/teams/Abcdef1/scans/1234567"
},
"graphs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "<undefined>",
"coordinate2" : null,
"version" : "<undefined>",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : null,
"version" : "v0.3.5",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : null,
"version" : "v17.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : null,
"version" : "v0.7.6",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "75a6de4340e5"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : null,
"version" : "v1.7.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : null,
"version" : "v0.0.9",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : null,
"version" : "v0.5.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "60ab7e3d12ed"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : null,
"version" : "v0.8.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/example-go-modules/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : null,
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"libraries" : [ {
"name" : "github.com/bitly/go-simplejson",
"description" : "a Go package to interact with arbitrary JSON",
"author" : "bitly",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/bitly/go-simplejson",
"latestRelease" : "v0.5.1",
"latestReleaseDate" : "2023-06-06T14:49:55.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.5.0",
"releaseDate" : "2015-09-15T16:53:35.000+00:00",
"sha1" : "846c7b6e3e469d6e8febcf9eb619d25be2883413",
"sha2" : "4c9370efdfdcdc906381547a31ae763b73b7b08848b463f29b4528e0c36a67e0",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486?version=v0.5.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486"
}
}, {
"name" : "github.com/fatih/color",
"description" : "Color package for Go (golang)",
"author" : "fatih",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/fatih/color",
"latestRelease" : "v1.16.0",
"latestReleaseDate" : "2023-11-06T08:25:55.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.7.0",
"releaseDate" : "2018-05-15T20:53:03.000+00:00",
"sha1" : "2a069819cb9f959a530d19621020c6b69a0857aa",
"sha2" : "0ea15ffabde9c289b32944b8c360a3b1f96e7864f8e48a99aead3abee91f9de8",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488?version=v1.7.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488"
}
}, {
"name" : "github.com/google/go-github",
"description" : "Go library for accessing the GitHub v3 API",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-github",
"latestRelease" : "v61.0.0",
"latestReleaseDate" : "2024-04-01T19:01:23.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v17.0.0",
"releaseDate" : "2018-08-10T17:15:20.000+00:00",
"sha1" : "ab711ca90af2eafa9a0798a2dd45d67b1ad228e3",
"sha2" : "4ed2a04eba017a3d1aeda96fb8b579dce45098d57434f99ef0dd93ca1fac341c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153?version=v17.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153"
}
}, {
"name" : "github.com/google/go-querystring",
"description" : "go-querystring is Go library for encoding structs into URL query strings.",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-querystring",
"latestRelease" : "v1.0.0",
"latestReleaseDate" : "2018-09-16T13:16:37.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.0.0",
"releaseDate" : "2018-09-16T13:16:37.000+00:00",
"sha1" : "145c5d2a6c301c7055cf60dcaf5834577fdc78d8",
"sha2" : "94d843845492489029f02e963fc578abe0791409346fda855a86982c518b424c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228?version=v1.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228"
}
}, {
"name" : "github.com/mattn/go-colorable",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-colorable",
"latestRelease" : "v0.1.13",
"latestReleaseDate" : "2022-08-15T05:53:26.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.9",
"releaseDate" : "2017-08-01T03:06:07.000+00:00",
"sha1" : "0f27aa4489dbd551d1558923dc7321d99066df0c",
"sha2" : "4929db31151a0f290ed2db22d5a0b90ecf2e27a2a8edea8f30e06783047f7da7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489?version=v0.0.9"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489"
}
}, {
"name" : "github.com/mattn/go-isatty",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-isatty",
"latestRelease" : "v0.0.20",
"latestReleaseDate" : "2023-10-17T07:28:21.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2017-11-07T05:05:31.000+00:00",
"sha1" : "0bc5835e0ff641347637593786d86d2e5bf0b82e",
"sha2" : "45c17873e1dca46bb33f3e2c34d3cb41cb0223bc828130fbb29b9c98b7b691cf",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484"
}
}, {
"name" : "github.com/mattn/go-runewidth",
"description" : "wcwidth for golang",
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-runewidth",
"latestRelease" : "v0.0.15",
"latestReleaseDate" : "2023-07-23T16:42:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2018-12-10T06:59:43.000+00:00",
"sha1" : "b76f7634c6bc1901bfd7c19d6e760691c501647e",
"sha2" : "5d3475bba223c24e61acc98e40c3fe94352600165e5b9d29e00e4a9994c05d28",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485"
}
}, {
"name" : "github.com/nsf/termbox-go",
"description" : "Pure Go termbox implementation",
"author" : "nsf",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nsf/termbox-go",
"latestRelease" : "v1.1.1",
"latestReleaseDate" : "2021-04-21T21:08:13.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2022-02-26T16:59:14.000+00:00",
"sha1" : "c830276a0978a9ed515d8cdef949e52043e77e57",
"sha2" : "fac5ade7c7aa1da780569fc17d8a6d92269fe7bf3a1cc30f7536153a428d9ac7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482"
}
}, {
"name" : "github.com/nwidger/jsoncolor",
"description" : "Colorized JSON output for Go https://godoc.org/github.com/nwidger/jsoncolor",
"author" : "nwidger",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nwidger/jsoncolor",
"latestRelease" : "v0.3.2",
"latestReleaseDate" : "2023-03-21T23:52:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2023-05-21T12:31:00.000+00:00",
"sha1" : "00a15388dda6d719be26a60fbf61d497f12b267c",
"sha2" : "709df6ad8078ca89935c1ba672eae0496110f1cdc8402c9cd63ce812ac815518",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483"
}
}, {
"name" : "github.com/pkg/errors",
"description" : "Simple error handling primitives",
"author" : "pkg",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/pkg/errors",
"latestRelease" : "v0.9.1",
"latestReleaseDate" : "2020-01-14T19:47:44.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.8.0",
"releaseDate" : "2016-09-29T01:48:01.000+00:00",
"sha1" : "0d8a444154964eb986fa87e864969eb117a00e86",
"sha2" : "26c9a83605db95ab1e34941538ad048f069d97116fd2d5e6d2f49893b7705440",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD2",
"license" : "BSD 2-Clause \"Simplified\" or \"FreeBSD\" License (BSD-2-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-2-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384?version=v0.8.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384"
}
}, {
"name" : "github.com/simeji/jid",
"description" : "json incremental digger",
"author" : "simeji",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/simeji/jid",
"latestRelease" : "v0.7.6",
"latestReleaseDate" : "2019-03-31T19:19:17.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.7.6",
"releaseDate" : "2019-03-31T19:19:17.000+00:00",
"sha1" : "64633c7732f5aa26707af9c4893752b0e1313052",
"sha2" : "e6419dfab3a6c8929277368aaa8cca39e5c74b35ed446c4093120b75496d2d80",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487?version=v0.7.6"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487"
}
}, {
"name" : "golang.org/x/text",
"description" : null,
"author" : "",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://go.googlesource.com/text",
"latestRelease" : "v0.13.0",
"latestReleaseDate" : "2023-08-28T17:26:32.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.3.5",
"releaseDate" : "2020-12-08T00:13:44.000+00:00",
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430?version=v0.3.5"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2021-08-18T00:00:00.000+00:00",
"cve" : "2021-38561",
"title" : "Denial Of Service (DoS)",
"overview" : "github.com/golang/text is vulnerable to Denial Of Service (DoS). The vulnerability exists because an incorrectly formatted language tag may cause the parse to panic due to an out of bounds read, resulting in an application crash.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 5.0,
"cvss3Score" : 7.5,
"cvssVector" : "",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-38561",
"epssStatus" : "match found",
"epssScore" : 9.2E-4,
"epssPercentile" : 0.38537,
"epssScoreDate" : "2024-04-30",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.7",
"versionRange" : "v0.1.0-v0.3.6",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/383b2e75a7a4198c42f8f87833eefb772868a56f"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/35167"
}
}, {
"disclosureDate" : "2022-10-11T00:00:00.000+00:00",
"cve" : "2022-32149",
"title" : "Denial Of Service (DoS)",
"overview" : "golang.org/x/text is vulnerable to denial of service. The vulnerability exists in the `ParseAcceptLanguage` function of `parse.go`, allowing an attacker to cause an application crash through the maliciously crafted Accept-Language header.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 4.3,
"cvss3Score" : 7.5,
"cvssVector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2022-32149",
"epssStatus" : "match found",
"epssScore" : 0.00127,
"epssPercentile" : 0.46769,
"epssScoreDate" : "2024-04-30",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.8",
"versionRange" : "v0.1.0-v0.3.7",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/37577"
}
} ],
"unmatchedLibraries" : [ ],
"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ]
} ]
}

Library references for vulnerabilities

Vulnerability entries in the JSON output do not include library names directly. Instead, each vulnerability points to the affected library through the "ref" key under "_links", and you resolve that reference against the rest of the document. For example, to extract the library information for the following vulnerability:

{
"disclosureDate": "2016-04-06T00:00:00.000+00:00",
"cve": "2016-1000027",
"title": "Remote Code Execution (RCE)",
"overview": "spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints regardless of endpoints being authenticated or not, the function `HttpInvokerServiceExporter: readRemoteInvocation` allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.\n",
"language": "JAVA",
"vulnerabilityTypes": ["Other"],
"cvssScore": 7.5,
"cvss3Score": 9.8,
"cvssVector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss3Vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"hasExploits": false,
"exploitability": {
"exploitServiceStatus": "available",
"cveFull": "CVE-2016-1000027",
"epssStatus": "match found",
"epssScore": 0.02444,
"epssPercentile": 0.89864,
"epssScoreDate": "2024-04-30",
"epssModelVersion": "v2023.03.01",
"epssCitation": "See EPSS at https://www.first.org/epss",
"exploitObserved": false
},
"libraries": [
{
"details": [
{
"updateToVersion": "6.0.0",
"versionRange": "4.0.0.M1-5.3.34",
"fixText": "",
"patch": "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f#diff-5b4db0e368d81fcb05337a6147fbc73de0b536109a58cb50acf7e0f40dd61243"
}
],
"_links": {
"ref": "/records/0/libraries/14/versions/0"
}
}
],
"_links": {
"html": "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/22252"
}
}

You can use the command-line tool jq to follow the ref and obtain that information. Pipe the agent's JSON output to jq, or pass a saved output file as the last argument:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14]'

To see the specific version of a particular library, run the following:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14].versions[0]'

Library and vulnerability references for vulnerable methods

The "vulnMethods" section does not include library or vulnerability information directly in the JSON components. Instead, each vulnerable method carries a "links" array that references the library through the "ref" key and the vulnerability through the "vulnerability" key. For example:

"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ]

To extract the library information for this vulnerable method, you can use the command-line tool jq to run the following command:

## "ref" : "/records/0/libraries/11/versions/0"
jq '.records[0].libraries[11].versions[0]'

To extract vulnerability information from the vulnerable method, you can run the following command with jq:

## "vulnerability" : "/records/0/vulnerabilities/0"
jq '.records[0].vulnerabilities[0]'
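
The two reference sections above resolve one "ref" or "vulnerability" pointer at a time with jq. As an added example (not Veracode's code), the following Python script resolves every pointer in a document and reports, for each vulnerability, the library version it points at and whether a "vulnMethods" entry links to it. The sample record is constructed and trimmed, with renumbered library indexes, and all function names are hypothetical.

```python
"""Join Veracode SCA agent JSON findings to the libraries their refs point at."""

# Constructed sample: one SCAN record trimmed to the fields used below. Field
# names follow the page; the library indexes are renumbered for this sample.
SAMPLE = {
    "records": [{
        "libraries": [
            {"coordinate1": "github.com/pkg/errors", "coordinate2": "",
             "versions": [{"version": "v0.8.0"}]},
            {"coordinate1": "golang.org/x/text", "coordinate2": "",
             "versions": [{"version": "v0.3.5"}]},
        ],
        "vulnerabilities": [
            {"cve": "2021-38561", "cvss3Score": 7.5,
             "libraries": [{"details": [{"updateToVersion": "v0.3.7"}],
                            "_links": {"ref": "/records/0/libraries/1/versions/0"}}]},
            {"cve": "2022-32149", "cvss3Score": 7.5,
             "libraries": [{"details": [{"updateToVersion": "v0.3.8"}],
                            "_links": {"ref": "/records/0/libraries/1/versions/0"}}]},
        ],
        "vulnMethods": [{
            "calls": [{"method": {"className": "golang.org/x/text/language",
                                  "methodName": "Parse"}}],
            "links": [{"ref": "/records/0/libraries/1/versions/0"},
                      {"vulnerability": "/records/0/vulnerabilities/0"}],
        }],
    }]
}


def resolve(doc, ref):
    """Walk a ref such as /records/0/libraries/1/versions/0 from the document root."""
    node = doc
    for token in ref.strip("/").split("/"):
        try:
            if isinstance(node, list):
                if not token.isdigit():
                    raise ValueError(token)
                node = node[int(token)]
            else:
                node = node[token]
        except (KeyError, IndexError, ValueError, TypeError) as exc:
            # A ref that does not resolve means truncated or mismatched output.
            raise LookupError(f"dangling ref {ref!r} at {token!r}") from exc
    return node


def library_and_version(doc, ref):
    """Split a .../versions/N ref into its parent library and the version entry."""
    lib_ref, sep, _ = ref.rpartition("/versions/")
    if not sep:
        raise LookupError(f"ref {ref!r} does not point at a version")
    return resolve(doc, lib_ref), resolve(doc, ref)


def linked_vulnerabilities(doc):
    """Collect the vulnerability pointers that vulnMethods entries link to."""
    found = set()
    for record in doc.get("records", []):
        for vuln_method in record.get("vulnMethods") or []:
            for link in vuln_method.get("links", []):
                if "vulnerability" in link:
                    found.add(link["vulnerability"])
    return found


def findings(doc):
    """Return one row per (vulnerability, affected library version), refs resolved."""
    linked = linked_vulnerabilities(doc)
    rows = []
    for r, record in enumerate(doc.get("records", [])):
        for v, vuln in enumerate(record.get("vulnerabilities") or []):
            pointer = f"/records/{r}/vulnerabilities/{v}"
            for affected in vuln.get("libraries", []):
                lib, ver = library_and_version(doc, affected["_links"]["ref"])
                coords = (lib["coordinate1"], lib.get("coordinate2"))
                rows.append({
                    "cve": "CVE-" + vuln["cve"] if vuln.get("cve") else None,
                    "library": ":".join(c for c in coords if c),
                    "version": ver["version"],
                    "update_to": [d["updateToVersion"]
                                  for d in affected.get("details", [])],
                    "cvss3": vuln.get("cvss3Score"),
                    # True only when a vulnMethods entry links to this pointer.
                    "vulnerable_method_called": pointer in linked,
                })
    return rows


if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(row)
```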