
Veracode SCA agent JSON schema

This document describes the JSON output of, and the related commands for, the CLI agent used for Veracode Software Composition Analysis (SCA) agent-based scanning.

Single library lookup

Look up the release and vulnerability information found in the Veracode Vulnerability Database for a single library with the agent:

srcclr lookup --type=maven --coord1=net.minidev --coord2=json-smart \
--version=1.3 --json

The lookup command returns the following JSON response:

{
"metadata" : {
"requestDate" : "2024-07-11T16:48:09.996+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "LOOKUP"
},
"graphs" : [ ],
"libraries" : [ {
"name" : "JSON Small and Fast Parser",
"description" : "JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaS",
"author" : null,
"authorUrl" : "https://urielch.github.io/",
"language" : "JAVA",
"coordinateType" : "MAVEN",
"coordinate1" : "net.minidev",
"coordinate2" : "json-smart",
"bugTrackerUrl" : null,
"codeRepoType" : null,
"codeRepoUrl" : "https://github.com/netplex/json-smart-v2",
"latestRelease" : "2.5.1",
"latestReleaseDate" : "2024-03-21T00:00:00.000+00:00",
"recommendedVersion" : "2.4.10",
"versions" : [ {
"version" : "1.3",
"releaseDate" : "2014-08-12T20:18:36.000+00:00",
"sha1" : "1c451cab0b07b527b66b964a427988daf66dd2da",
"sha2" : "5ac5e8bd5c43426399967caf3e7141cc6805e6dd52d5514db526bc07bac20403",
"bytecodeHash" : "9dd8c048e023b944a5e29b7dd57244bbc3717538549af9128c05ce8504927fb0",
"platform" : "",
"licenses" : [ {
"name" : "APACHE20",
"license" : "Apache License 2.0 (Apache-2.0)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "Apache-2.0"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1129?version=1.3"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1129"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2021-02-23T00:00:00.000+00:00",
"cve" : "2021-27568",
"title" : "Denial Of Service (DoS)",
"overview" : "json-smart is vulnerable to denial of service (DoS) attacks. An unhandled NumberFormatException thrown from the function `extractFloat` in `JSONParserBase.java` allows a remote attacker to crash programs or leak sensitive information.\n\n",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 4.3,
"cvss3Score" : 5.9,
"cvssVector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-27568",
"epssStatus" : "match found",
"epssScore" : 0.00963,
"epssPercentile" : 0.83442,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "1.3.2",
"versionRange" : "1.1-1.3.1",
"fixText" : "",
"patch" : "https://github.com/netplex/json-smart-v1/commit/d07cf9fea7d462e54c162d552538c0536b50ca87"
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/29743"
}
}, {
"disclosureDate" : "2021-04-16T00:00:00.000+00:00",
"cve" : "2021-31684",
"title" : "Denial Of Service (DoS)",
"overview" : "json-smart is vulnerable to denial of service (DoS). An unhandled ArrayIndexOutOfBoundsException thrown from the indexOf function of JSONParserByteArray allows a remote attacker to crash the program or leak confidential information.",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 5.0,
"cvss3Score" : 7.5,
"cvssVector" : "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-31684",
"epssStatus" : "match found",
"epssScore" : 0.01111,
"epssPercentile" : 0.84658,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "2.4.5",
"versionRange" : "1.1-1.3.3",
"fixText" : "",
"patch" : ""
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/30772"
}
}, {
"disclosureDate" : "2023-03-22T00:00:00.000+00:00",
"cve" : "2023-1370",
"title" : "Denial Of Service (DoS)",
"overview" : "net.minidev, json-smart is vulnerable to Denial Of Service (DoS). The vulnerability exists because there is no nested depth checks for deeply nested JSON arrays or objects, which allows an attacker to crash the application via a malicious array with deeply nested elements.",
"language" : "JAVA",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 7.8,
"cvss3Score" : 7.5,
"cvssVector" : "(AV:N/AC:L/Au:N/C:N/I:N/A:C)",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2023-1370",
"epssStatus" : "match found",
"epssScore" : 0.00105,
"epssPercentile" : 0.43387,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "2.4.10",
"versionRange" : "1.0.6.3-2.4.8",
"fixText" : "",
"patch" : "https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a"
} ],
"_links" : {
"ref" : "/records/0/libraries/0/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/39936"
}
} ],
"componentMetrics" : [ {
"JSON Small and Fast Parser" : {
"metricsStatus" : "match found",
"libraryId" : 1129,
"codeRepoUrl" : "https://github.com/netplex/json-smart-v2",
"age" : 2526,
"stagnation" : 34,
"filesChanged" : 1034,
"linesAdded" : 29189,
"linesRemoved" : 12882,
"numCommitsPast12Months" : 52,
"numCommitsPast30Days" : 0,
"numCommitters" : 13,
"numberOfCommits" : 144,
"lastRefresh" : null,
"_links" : {
"ref" : "/records/0/libraries/0"
}
}
} ]
} ]
}
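
Each entry under `vulnerabilities[].libraries[]` carries a `_links.ref` value such as `/records/0/libraries/0/versions/0` that points back into the same document. The following Python code is an added example, not Veracode code: it assumes those refs are JSON-Pointer-style paths from the document root, resolves them to join each vulnerability with the library version it affects, and orders the findings by `exploitObserved`, `cvss3Score` and `epssScore`. The function names (`resolve_ref`, `triage`, `load_sample`) are hypothetical, and the sample input is the lookup response above trimmed to the fields used.

```python
import json

# Constructed sample: the lookup response shown above, trimmed to the fields
# this join needs. All values are copied from that response.
SAMPLE = """
{"records": [{
  "metadata": {"recordType": "LOOKUP"},
  "libraries": [{
    "name": "JSON Small and Fast Parser",
    "coordinate1": "net.minidev", "coordinate2": "json-smart",
    "versions": [{"version": "1.3"}]
  }],
  "vulnerabilities": [
    {"cve": "2021-27568", "cvss3Score": 5.9,
     "exploitability": {"cveFull": "CVE-2021-27568", "epssScore": 0.00963,
                        "exploitObserved": false},
     "libraries": [{"details": [{"updateToVersion": "1.3.2",
                                 "versionRange": "1.1-1.3.1"}],
                    "_links": {"ref": "/records/0/libraries/0/versions/0"}}]},
    {"cve": "2021-31684", "cvss3Score": 7.5,
     "exploitability": {"cveFull": "CVE-2021-31684", "epssScore": 0.01111,
                        "exploitObserved": false},
     "libraries": [{"details": [{"updateToVersion": "2.4.5",
                                 "versionRange": "1.1-1.3.3"}],
                    "_links": {"ref": "/records/0/libraries/0/versions/0"}}]},
    {"cve": "2023-1370", "cvss3Score": 7.5,
     "exploitability": {"cveFull": "CVE-2023-1370", "epssScore": 0.00105,
                        "exploitObserved": false},
     "libraries": [{"details": [{"updateToVersion": "2.4.10",
                                 "versionRange": "1.0.6.3-2.4.8"}],
                    "_links": {"ref": "/records/0/libraries/0/versions/0"}}]}
  ]
}]}
"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE)


def resolve_ref(doc, ref):
    """Follow a ref such as /records/0/libraries/0/versions/0 from the root.

    Assumption: refs are JSON-Pointer-style (RFC 6901) paths into the same
    document. Anything else is rejected rather than guessed at.
    """
    if not ref.startswith("/"):
        raise ValueError(f"unsupported ref: {ref!r}")
    node = doc
    for token in ref[1:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(node, list):
            if not token.isdigit():
                raise ValueError(f"{ref!r}: {token!r} is not a list index")
            node = node[int(token)]
        elif isinstance(node, dict):
            node = node[token]
        else:
            raise KeyError(f"{ref!r} descends into a scalar at {token!r}")
    return node


def triage(doc):
    """Join vulnerabilities to the library versions they reference and rank them."""
    findings = []
    for record in doc.get("records", []):
        for vuln in record.get("vulnerabilities", []):
            exploit = vuln.get("exploitability") or {}
            cve = exploit.get("cveFull") or (
                f"CVE-{vuln['cve']}" if vuln.get("cve") else None)
            for affected in vuln.get("libraries", []):
                ref = affected["_links"]["ref"]
                version = resolve_ref(doc, ref)
                # The owning library is two path segments above the version.
                library = resolve_ref(doc, ref.rsplit("/", 2)[0])
                c1, c2 = library.get("coordinate1"), library.get("coordinate2")
                findings.append({
                    "cve": cve,
                    "library": f"{c1}:{c2}" if c2 else c1,
                    "version": version["version"],
                    "cvss3": vuln.get("cvss3Score") or 0.0,
                    "epss": exploit.get("epssScore") or 0.0,
                    "exploit_observed": bool(exploit.get("exploitObserved")),
                    "update_to": [d["updateToVersion"]
                                  for d in affected.get("details", [])
                                  if d.get("updateToVersion")],
                })
    # Observed exploitation first, then CVSS v3 score, then EPSS probability.
    findings.sort(key=lambda f: (not f["exploit_observed"], -f["cvss3"], -f["epss"]))
    return findings


if __name__ == "__main__":
    for row in triage(load_sample()):
        print(row["cve"], row["library"], row["version"],
              row["cvss3"], row["epss"], row["update_to"])
```

The same join applies to a scan export, where Go libraries have an empty `coordinate2` and are reported by `coordinate1` alone.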

Scan exports

Export the results of a single scan:

srcclr scan --json --url https://github.com/veracode/example-go-modules --component-metrics

The scan command returns this JSON response:

{
"metadata" : {
"requestDate" : "2024-07-11T16:51:22.852+00:00"
},
"records" : [ {
"metadata" : {
"recordType" : "SCAN",
"report" : "https://sca.analysiscenter.veracode.com/teams/Abcdef1/scans/1234567"
},
"graphs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "<undefined>",
"coordinate2" : null,
"version" : "<undefined>",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : null,
"version" : "v0.7.6",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : null,
"version" : "v0.5.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : null,
"version" : "v0.8.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "75a6de4340e5"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : null,
"version" : "v1.7.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : null,
"version" : "v0.0.9",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : null,
"version" : "HEAD",
"scope" : null,
"platform" : null,
"commitHash" : "60ab7e3d12ed"
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : null,
"version" : "v0.0.4",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : null,
"version" : "v0.3.5",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
}, {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : null,
"version" : "v17.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ {
"coords" : {
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : null,
"version" : "v1.0.0",
"scope" : null,
"platform" : null,
"commitHash" : null
},
"directs" : [ ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : "/Users/aelmallah/.srcclr/scans/160714120321292/go.mod",
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"filename" : null,
"lineNumber" : null,
"moduleName" : null,
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null
} ],
"libraries" : [ {
"name" : "github.com/bitly/go-simplejson",
"description" : "a Go package to interact with arbitrary JSON",
"author" : "bitly",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/bitly/go-simplejson",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/bitly/go-simplejson",
"latestRelease" : "v0.5.1",
"latestReleaseDate" : "2023-06-06T14:49:55.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.5.0",
"releaseDate" : "2015-09-15T16:53:35.000+00:00",
"sha1" : "846c7b6e3e469d6e8febcf9eb619d25be2883413",
"sha2" : "4c9370efdfdcdc906381547a31ae763b73b7b08848b463f29b4528e0c36a67e0",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486?version=v0.5.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885486"
}
}, {
"name" : "github.com/fatih/color",
"description" : "Color package for Go (golang)",
"author" : "fatih",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/fatih/color",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/fatih/color",
"latestRelease" : "v1.17.0",
"latestReleaseDate" : "2024-04-08T12:08:58.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.7.0",
"releaseDate" : "2018-05-15T20:53:03.000+00:00",
"sha1" : "2a069819cb9f959a530d19621020c6b69a0857aa",
"sha2" : "0ea15ffabde9c289b32944b8c360a3b1f96e7864f8e48a99aead3abee91f9de8",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488?version=v1.7.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885488"
}
}, {
"name" : "github.com/google/go-github",
"description" : "Go library for accessing the GitHub v3 API",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-github",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-github",
"latestRelease" : "v62.0.0",
"latestReleaseDate" : "2024-05-11T00:01:25.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v17.0.0",
"releaseDate" : "2018-08-10T17:15:20.000+00:00",
"sha1" : "ab711ca90af2eafa9a0798a2dd45d67b1ad228e3",
"sha2" : "4ed2a04eba017a3d1aeda96fb8b579dce45098d57434f99ef0dd93ca1fac341c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153?version=v17.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885153"
}
}, {
"name" : "github.com/google/go-querystring",
"description" : "go-querystring is Go library for encoding structs into URL query strings.",
"author" : "google",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/google/go-querystring",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/google/go-querystring",
"latestRelease" : "v1.0.0",
"latestReleaseDate" : "2018-09-16T13:16:37.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v1.0.0",
"releaseDate" : "2018-09-16T13:16:37.000+00:00",
"sha1" : "145c5d2a6c301c7055cf60dcaf5834577fdc78d8",
"sha2" : "94d843845492489029f02e963fc578abe0791409346fda855a86982c518b424c",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228?version=v1.0.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/859228"
}
}, {
"name" : "github.com/mattn/go-colorable",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-colorable",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-colorable",
"latestRelease" : "v0.1.13",
"latestReleaseDate" : "2022-08-15T05:53:26.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.9",
"releaseDate" : "2017-08-01T03:06:07.000+00:00",
"sha1" : "0f27aa4489dbd551d1558923dc7321d99066df0c",
"sha2" : "4929db31151a0f290ed2db22d5a0b90ecf2e27a2a8edea8f30e06783047f7da7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489?version=v0.0.9"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885489"
}
}, {
"name" : "github.com/mattn/go-isatty",
"description" : null,
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-isatty",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-isatty",
"latestRelease" : "v0.0.20",
"latestReleaseDate" : "2023-10-17T07:28:21.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2017-11-07T05:05:31.000+00:00",
"sha1" : "0bc5835e0ff641347637593786d86d2e5bf0b82e",
"sha2" : "45c17873e1dca46bb33f3e2c34d3cb41cb0223bc828130fbb29b9c98b7b691cf",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885484"
}
}, {
"name" : "github.com/mattn/go-runewidth",
"description" : "wcwidth for golang",
"author" : "mattn",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/mattn/go-runewidth",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/mattn/go-runewidth",
"latestRelease" : "v0.0.15",
"latestReleaseDate" : "2023-07-23T16:42:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.0.4",
"releaseDate" : "2018-12-10T06:59:43.000+00:00",
"sha1" : "b76f7634c6bc1901bfd7c19d6e760691c501647e",
"sha2" : "5d3475bba223c24e61acc98e40c3fe94352600165e5b9d29e00e4a9994c05d28",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485?version=v0.0.4"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885485"
}
}, {
"name" : "github.com/nsf/termbox-go",
"description" : "Pure Go termbox implementation",
"author" : "nsf",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nsf/termbox-go",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nsf/termbox-go",
"latestRelease" : "v1.1.1",
"latestReleaseDate" : "2021-04-21T21:08:13.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2022-02-26T16:59:14.000+00:00",
"sha1" : "c830276a0978a9ed515d8cdef949e52043e77e57",
"sha2" : "fac5ade7c7aa1da780569fc17d8a6d92269fe7bf3a1cc30f7536153a428d9ac7",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885482"
}
}, {
"name" : "github.com/nwidger/jsoncolor",
"description" : "Colorized JSON output for Go https://godoc.org/github.com/nwidger/jsoncolor",
"author" : "nwidger",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/nwidger/jsoncolor",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/nwidger/jsoncolor",
"latestRelease" : "v0.3.2",
"latestReleaseDate" : "2023-03-21T23:52:41.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "HEAD",
"releaseDate" : "2023-05-21T12:31:00.000+00:00",
"sha1" : "00a15388dda6d719be26a60fbf61d497f12b267c",
"sha2" : "709df6ad8078ca89935c1ba672eae0496110f1cdc8402c9cd63ce812ac815518",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483?version=HEAD"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885483"
}
}, {
"name" : "github.com/pkg/errors",
"description" : "Simple error handling primitives",
"author" : "pkg",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/pkg/errors",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/pkg/errors",
"latestRelease" : "v0.9.1",
"latestReleaseDate" : "2020-01-14T19:47:44.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.8.0",
"releaseDate" : "2016-09-29T01:48:01.000+00:00",
"sha1" : "0d8a444154964eb986fa87e864969eb117a00e86",
"sha2" : "26c9a83605db95ab1e34941538ad048f069d97116fd2d5e6d2f49893b7705440",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD2",
"license" : "BSD 2-Clause \"Simplified\" or \"FreeBSD\" License (BSD-2-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-2-Clause"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384?version=v0.8.0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885384"
}
}, {
"name" : "github.com/simeji/jid",
"description" : "json incremental digger",
"author" : "simeji",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "github.com/simeji/jid",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://github.com/simeji/jid",
"latestRelease" : "v0.7.6",
"latestReleaseDate" : "2019-03-31T19:19:17.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.7.6",
"releaseDate" : "2019-03-31T19:19:17.000+00:00",
"sha1" : "64633c7732f5aa26707af9c4893752b0e1313052",
"sha2" : "e6419dfab3a6c8929277368aaa8cca39e5c74b35ed446c4093120b75496d2d80",
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "MIT",
"license" : "MIT license (MIT)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "MIT"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487?version=v0.7.6"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885487"
}
}, {
"name" : "golang.org/x/text",
"description" : null,
"author" : "",
"authorUrl" : null,
"language" : "GO",
"coordinateType" : "GO",
"coordinate1" : "golang.org/x/text",
"coordinate2" : "",
"bugTrackerUrl" : null,
"codeRepoType" : "GIT",
"codeRepoUrl" : "https://go.googlesource.com/text",
"latestRelease" : "v0.16.0",
"latestReleaseDate" : "2024-05-14T20:26:09.000+00:00",
"recommendedVersion" : null,
"versions" : [ {
"version" : "v0.3.5",
"releaseDate" : "2020-12-08T00:13:44.000+00:00",
"sha1" : null,
"sha2" : null,
"bytecodeHash" : null,
"platform" : "",
"licenses" : [ {
"name" : "BSD3",
"license" : "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause"
}, {
"name" : "BSD3CLEAR",
"license" : "BSD 3-Clause Clear License",
"fromParentPom" : false,
"risk" : "LOW",
"spdxId" : "BSD-3-Clause-Clear"
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430?version=v0.3.5"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/885430"
}
} ],
"vulnerabilities" : [ {
"disclosureDate" : "2021-08-18T00:00:00.000+00:00",
"cve" : "2021-38561",
"title" : "Denial Of Service (DoS)",
"overview" : "github.com/golang/text is vulnerable to Denial Of Service (DoS). The vulnerability exists because an incorrectly formatted language tag may cause the parse to panic due to an out of bounds read, resulting in an application crash.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 5.0,
"cvss3Score" : 7.5,
"cvssVector" : "",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2021-38561",
"epssStatus" : "match found",
"epssScore" : 0.00101,
"epssPercentile" : 0.42071,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.7",
"versionRange" : "v0.1.0-v0.3.6",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/383b2e75a7a4198c42f8f87833eefb772868a56f"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/35167"
}
}, {
"disclosureDate" : "2022-10-11T00:00:00.000+00:00",
"cve" : "2022-32149",
"title" : "Denial Of Service (DoS)",
"overview" : "golang.org/x/text is vulnerable to denial of service. The vulnerability exists in the `ParseAcceptLanguage` function of `parse.go`, allowing an attacker to cause an application crash through the maliciously crafted Accept-Language header.",
"language" : "GO",
"vulnerabilityTypes" : [ "Denial of Service" ],
"cvssScore" : 4.3,
"cvss3Score" : 7.5,
"cvssVector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss3Vector" : "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"hasExploits" : false,
"exploitability" : {
"exploitServiceStatus" : "available",
"cveFull" : "CVE-2022-32149",
"epssStatus" : "match found",
"epssScore" : 0.00239,
"epssPercentile" : 0.62282,
"epssScoreDate" : "2024-07-11",
"epssModelVersion" : "v2023.03.01",
"epssCitation" : "See EPSS at https://www.first.org/epss",
"exploitObserved" : false
},
"libraries" : [ {
"details" : [ {
"updateToVersion" : "v0.3.8",
"versionRange" : "v0.1.0-v0.3.7",
"fixText" : "",
"patch" : "https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c"
} ],
"_links" : {
"ref" : "/records/0/libraries/11/versions/0"
}
} ],
"_links" : {
"html" : "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/37577"
}
} ],
"unmatchedLibraries" : [ ],
"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ],
"componentMetrics" : [ {
"github.com/bitly/go-simplejson" : {
"age" : 2988,
"codeRepoUrl" : "https://github.com/bitly/go-simplejson",
"filesChanged" : 64,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885486,
"linesAdded" : 1178,
"linesRemoved" : 1124,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 9,
"numberOfCommits" : 22,
"stagnation" : 392
},
"links" : [ {
"ref" : "/records/0/libraries/0"
} ]
}, {
"github.com/fatih/color" : {
"age" : 2385,
"codeRepoUrl" : "https://github.com/fatih/color",
"filesChanged" : 3001,
"lastRefresh" : null,
"libraryId" : 885488,
"linesAdded" : 671836,
"linesRemoved" : 670580,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 21,
"numCommitsPast30Days" : 0,
"numCommitters" : 26,
"numberOfCommits" : 115,
"stagnation" : 73
},
"links" : [ {
"ref" : "/records/0/libraries/1"
} ]
}, {
"github.com/google/go-github" : {
"age" : 3458,
"codeRepoUrl" : "https://github.com/google/go-github",
"filesChanged" : 7412,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885153,
"linesAdded" : 258960,
"linesRemoved" : 76338,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 214,
"numCommitsPast30Days" : 9,
"numCommitters" : 708,
"numberOfCommits" : 1882,
"stagnation" : 0
},
"links" : [ {
"ref" : "/records/0/libraries/2"
} ]
}, {
"github.com/google/go-querystring" : {
"age" : 3312,
"codeRepoUrl" : "https://github.com/google/go-querystring",
"filesChanged" : 80,
"lastRefresh" : "03-Jul-2024",
"libraryId" : 859228,
"linesAdded" : 1085,
"linesRemoved" : 393,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 4,
"numCommitsPast30Days" : 0,
"numCommitters" : 14,
"numberOfCommits" : 55,
"stagnation" : 54
},
"links" : [ {
"ref" : "/records/0/libraries/3"
} ]
}, {
"github.com/mattn/go-colorable" : {
"age" : 2433,
"codeRepoUrl" : "https://github.com/mattn/go-colorable",
"filesChanged" : 188,
"lastRefresh" : null,
"libraryId" : 885489,
"linesAdded" : 1936,
"linesRemoved" : 661,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 12,
"numCommitsPast30Days" : 2,
"numCommitters" : 20,
"numberOfCommits" : 129,
"stagnation" : 10
},
"links" : [ {
"ref" : "/records/0/libraries/4"
} ]
}, {
"github.com/mattn/go-isatty" : {
"age" : 3189,
"codeRepoUrl" : "https://github.com/mattn/go-isatty",
"filesChanged" : 230,
"lastRefresh" : "06-Jul-2024",
"libraryId" : 885484,
"linesAdded" : 1291,
"linesRemoved" : 544,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 1,
"numCommitsPast30Days" : 0,
"numCommitters" : 29,
"numberOfCommits" : 127,
"stagnation" : 263
},
"links" : [ {
"ref" : "/records/0/libraries/5"
} ]
}, {
"github.com/mattn/go-runewidth" : {
"age" : 2807,
"codeRepoUrl" : "https://github.com/mattn/go-runewidth",
"filesChanged" : 257,
"lastRefresh" : null,
"libraryId" : 885485,
"linesAdded" : 8579,
"linesRemoved" : 6222,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 15,
"numCommitsPast30Days" : 0,
"numCommitters" : 15,
"numberOfCommits" : 134,
"stagnation" : 42
},
"links" : [ {
"ref" : "/records/0/libraries/6"
} ]
}, {
"github.com/nsf/termbox-go" : {
"age" : 2584,
"codeRepoUrl" : "https://github.com/nsf/termbox-go",
"filesChanged" : 226,
"lastRefresh" : "02-Jul-2024",
"libraryId" : 885482,
"linesAdded" : 3458,
"linesRemoved" : 692,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 54,
"numberOfCommits" : 150,
"stagnation" : 875
},
"links" : [ {
"ref" : "/records/0/libraries/7"
} ]
}, {
"github.com/pkg/errors" : {
"age" : 1813,
"codeRepoUrl" : "https://github.com/pkg/errors",
"filesChanged" : 272,
"lastRefresh" : null,
"libraryId" : 885384,
"linesAdded" : 4675,
"linesRemoved" : 2035,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 0,
"numCommitsPast30Days" : 0,
"numCommitters" : 44,
"numberOfCommits" : 160,
"stagnation" : 438
},
"links" : [ {
"ref" : "/records/0/libraries/9"
} ]
}, {
"github.com/simeji/jid" : {
"age" : 2588,
"codeRepoUrl" : "https://github.com/simeji/jid",
"filesChanged" : 354,
"lastRefresh" : "03-Jul-2024",
"libraryId" : 885487,
"linesAdded" : 10060,
"linesRemoved" : 3531,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 4,
"numCommitsPast30Days" : 0,
"numCommitters" : 16,
"numberOfCommits" : 134,
"stagnation" : 359
},
"links" : [ {
"ref" : "/records/0/libraries/10"
} ]
}, {
"golang.org/x/text" : {
"age" : 3408,
"codeRepoUrl" : "https://go.googlesource.com/text",
"filesChanged" : 3019,
"lastRefresh" : "29-Jun-2024",
"libraryId" : 885430,
"linesAdded" : 1034017,
"linesRemoved" : 537980,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 9,
"numCommitsPast30Days" : 0,
"numCommitters" : 74,
"numberOfCommits" : 599,
"stagnation" : 45
},
"links" : [ {
"ref" : "/records/0/libraries/11"
} ]
} ]
} ]
}

The --component-metrics flag is optional. When used, it displays health metrics for components identified during the scan. The "componentMetrics" section in the JSON response only includes components for which metrics were successfully retrieved.

Library references for vulnerabilities

The vulnerability entries in the JSON do not include library names directly. Instead, each vulnerability references its library through the "ref" keys, which you resolve against the rest of the JSON. For example, to extract the library information for the following vulnerability:

{
"disclosureDate": "2016-04-06T00:00:00.000+00:00",
"cve": "2016-1000027",
"title": "Remote Code Execution (RCE)",
"overview": "spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints regardless of endpoints being authenticated or not, the function `HttpInvokerServiceExporter: readRemoteInvocation` allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.\n",
"language": "JAVA",
"vulnerabilityTypes": ["Other"],
"cvssScore": 7.5,
"cvss3Score": 9.8,
"cvssVector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss3Vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"hasExploits": false,
"exploitability": {
"exploitServiceStatus": "available",
"cveFull": "CVE-2016-1000027",
"epssStatus": "match found",
"epssScore": 0.02444,
"epssPercentile": 0.89864,
"epssScoreDate": "2024-04-30",
"epssModelVersion": "v2023.03.01",
"epssCitation": "See EPSS at https://www.first.org/epss",
"exploitObserved": false
},
"libraries": [
{
"details": [
{
"updateToVersion": "6.0.0",
"versionRange": "4.0.0.M1-5.3.34",
"fixText": "",
"patch": "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f#diff-5b4db0e368d81fcb05337a6147fbc73de0b536109a58cb50acf7e0f40dd61243"
}
],
"_links": {
"ref": "/records/0/libraries/14/versions/0"
}
}
],
"_links": {
"html": "https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/22252"
}
}

You can use the command-line JSON processor jq on the agent's JSON output (piped on stdin or passed as a file argument) and run the following command to obtain that information using the ref:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14]'

To see the specific version of a particular library, run:

## "ref" : "/records/0/libraries/14/versions/0"
jq '.records[0].libraries[14].versions[0]'

Library and vulnerability references for vulnerable methods

The "vulnMethods" section does not include library or vulnerability information directly in the JSON components. Instead, each vulnerable method references the library in the "ref" key and the vulnerability in the "vulnerability" key. For example:

"vulnMethods" : [ {
"calls" : [ {
"method" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"callChains" : [ [ {
"callee" : {
"className" : "golang.org/x/text/language",
"descriptor" : null,
"id" : 0,
"methodName" : "Parse",
"moduleName" : "golang.org/x/text"
},
"caller" : {
"className" : "github.com/srcclr/example-go-modules/sub3",
"descriptor" : null,
"id" : 0,
"methodName" : "Baz",
"moduleName" : "github.com/srcclr/example-go-modules"
},
"fileName" : "sub3.go",
"internal" : true,
"lineNumber" : 11
} ] ]
} ],
"links" : [ {
"ref" : "/records/0/libraries/11/versions/0"
}, {
"vulnerability" : "/records/0/vulnerabilities/0"
} ]
} ]

To extract the library information from this vulnerable method, run the following jq command:

## "ref" : "/records/0/libraries/11/versions/0"
jq '.records[0].libraries[11].versions[0]'

To extract vulnerability information from the vulnerable method, you can run the following command with jq:

## "vulnerability" : "/records/0/vulnerabilities/0"
jq '.records[0].vulnerabilities[0]'

Library references for component metrics

The component metrics entries do not include all library data directly in the JSON components. Instead, each metrics entry references its library through the "ref" keys. For example, to extract the library information for the following component metrics:

{
"golang.org/x/text" : {
"age" : 3408,
"codeRepoUrl" : "https://go.googlesource.com/text",
"filesChanged" : 3019,
"lastRefresh" : "29-Jun-2024",
"libraryId" : 885430,
"linesAdded" : 1034017,
"linesRemoved" : 537980,
"metricsStatus" : "match found",
"numCommitsPast12Months" : 9,
"numCommitsPast30Days" : 0,
"numCommitters" : 74,
"numberOfCommits" : 599,
"stagnation" : 45
},
"links" : [ {
"ref" : "/records/0/libraries/11"
} ]
}

To obtain this information with jq and the ref, run:

## "ref" : "/records/0/libraries/11"
jq '.records[0].libraries[11]'
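
The three sections above resolve one ref at a time by hand. The following added example (not part of the Veracode documentation or the agent) generalizes that to a script that follows every "ref" and "vulnerability" link and reports dangling refs. The function names and the SAMPLE report are constructed for illustration, and the sample assumes "vulnMethods" sits inside each record.

```python
def resolve(report, ref):
    """Walk a ref such as /records/0/libraries/14/versions/0 from the report root."""
    node = report
    for part in ref.strip("/").split("/"):
        try:
            node = node[int(part)] if isinstance(node, list) else node[part]
        except (KeyError, IndexError, ValueError, TypeError) as exc:
            raise LookupError(f"dangling ref {ref!r} at segment {part!r}") from exc
    return node

def library_of(report, ref):
    """Return (library, version or None) for a library or library-version ref."""
    lib_ref, has_version, _ = ref.partition("/versions/")
    return resolve(report, lib_ref), (resolve(report, ref) if has_version else None)

def affected_libraries(report):
    """Yield (cve, coordinates, version in use, updateToVersion) per vulnerability."""
    for record in report["records"]:
        for vuln in record.get("vulnerabilities", []):
            for entry in vuln.get("libraries", []):
                lib, ver = library_of(report, entry["_links"]["ref"])
                fix = (entry.get("details") or [{}])[0].get("updateToVersion")
                coords = f'{lib["coordinate1"]}:{lib["coordinate2"]}'
                yield vuln.get("cve"), coords, ver["version"] if ver else None, fix

def vulnerable_method_findings(report):
    """Yield (methodName, library name, cve) for each call listed in vulnMethods."""
    for record in report["records"]:
        for vm in record.get("vulnMethods", []):
            links = {k: v for link in vm["links"] for k, v in link.items()}
            lib, _ = library_of(report, links["ref"])
            vuln = resolve(report, links["vulnerability"])
            for call in vm["calls"]:
                yield call["method"]["methodName"], lib["name"], vuln.get("cve")

# Constructed sample in the page's shape (not real scan output); the version is made up.
SAMPLE = {"records": [{
    "libraries": [
        {"name": "filler", "coordinate1": "x", "coordinate2": "y", "versions": []},
        {"name": "Spring Web", "coordinate1": "org.springframework",
         "coordinate2": "spring-web", "versions": [{"version": "5.3.20"}]}],
    "vulnerabilities": [{"cve": "2016-1000027", "libraries": [{
        "details": [{"updateToVersion": "6.0.0"}],
        "_links": {"ref": "/records/0/libraries/1/versions/0"}}]}],
    "vulnMethods": [{"calls": [{"method": {"methodName": "readRemoteInvocation"}}],
        "links": [{"ref": "/records/0/libraries/1/versions/0"},
                  {"vulnerability": "/records/0/vulnerabilities/0"}]}]}]}

if __name__ == "__main__":
    print(*affected_libraries(SAMPLE), *vulnerable_method_findings(SAMPLE), sep="\n")
```

The same resolve() call handles the "ref" in a component metrics entry, since it is a plain library ref such as /records/0/libraries/11.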