
Sample Workflow

Scan for Components

First, scan your codebase to detect all related components:
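# Scan directory with dependency detection.
# Fail early if the key is unset or empty instead of sending --key "" to the API.
: "${SCANOSS_API_KEY:?set SCANOSS_API_KEY to your SCANOSS API key}"
# NOTE: --key puts the secret on the command line, where it is visible in
# process listings and shell history; on shared hosts, check whether the CLI
# can read the key from the environment instead of argv before using this form.
scanoss-py scan /path/to/your/code \
  --dependencies \
  --output results.json \
  --apiurl https://api.scanoss.com/scan/direct \
  --key "$SCANOSS_API_KEY"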

Extract Component PURLs

Extract Package URLs (PURLs) from the scan results for further analysis:
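# jq filter shared by the commands below: walk every file entry in the scan
# results, keep matches that carry a purl list, and emit "<purl>@<version>"
# for each purl of the match.
# NOTE: ".[][]" is the portable spelling of ".[].[]"; the dotted form is
# rejected by older jq releases.
purl_filter='.[][] | select(.purl != null) | .purl[] as $purl | "\($purl)@\(.version)"'

# Extract all PURLs with versions
jq -r "$purl_filter" results.json

# Extract unique PURLs (without versions)
jq -r '.[][] | select(.purl != null) | .purl[]' results.json | sort -u

# Save PURLs to file for batch processing
jq -r "$purl_filter" results.json > purls.txt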
Sample Output:
pkg:npm/lodash@4.17.20

Query Vulnerabilities

Query Single Component

Query vulnerabilities for a single component using its PURL:
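# Query vulnerabilities for a single component by PURL.
# Fail early if the key is unset or empty instead of sending --key "" to the API.
: "${SCANOSS_API_KEY:?set SCANOSS_API_KEY to your SCANOSS API key}"
scanoss-py comp vulns \
  --purl "pkg:npm/lodash@4.17.20" \
  --key "$SCANOSS_API_KEY"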
Sample Output:
{
  "components": [
    {
      "purl": "pkg:npm/lodash",
      "requirement": "4.17.20",
      "version": "4.17.20",
      "vulnerabilities": [
        {
          "cve": "CVE-2020-28500",
          "id": "CVE-2020-28500",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via ...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "id": "CVE-2021-23337",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
        },
        {
          "cve": "CVE-2020-28500",
          "cvss": [
            {
              "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "cvss_score": 5.3,
              "cvss_severity": "MEDIUM"
            }
          ],
          "id": "GHSA-29mw-wpgm-hmr9",
          "modified": "2025-09-29",
          "published": "2022-01-06",
          "severity": "MODERATE",
          "source": "OSV",
          "summary": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://osv.dev/vulnerability/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "cvss": [
            {
              "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "cvss_score": 7.2,
              "cvss_severity": "HIGH"
            }
          ],
          "id": "GHSA-35jh-r3h4-6jhm",
          "modified": "2025-08-12",
          "published": "2021-05-06",
          "severity": "HIGH",
          "source": "OSV",
          "summary": "Command Injection in lodash",
          "url": "https://osv.dev/vulnerability/CVE-2021-23337"
        }
      ]
    }
  ],
  "status": {
    "message": "Success",
    "status": "SUCCESS"
  }
}

Query Multiple Components

Query multiple PURLs using an input file:
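# Create PURL input file (quoted heredoc delimiter: the JSON is written
# literally, with no shell expansion)
cat > purl-list.json << 'EOF'
{
  "components": [
    {
      "purl": "pkg:npm/lodash@4.17.20",
      "requirement": "4.17.20"
    },
    {
      "purl": "pkg:pypi/requests@2.25.0",
      "requirement": "2.25.0"
    },
    {
      "purl": "pkg:maven/org.apache.commons/commons-collections4@4.0",
      "requirement": "4.0"
    }
  ]
}
EOF
# Query all components listed in the input file.
# Fail early if the key is unset or empty instead of sending --key "" to the API.
: "${SCANOSS_API_KEY:?set SCANOSS_API_KEY to your SCANOSS API key}"
scanoss-py comp vulns \
  -i purl-list.json \
  --key "$SCANOSS_API_KEY"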
Sample output:
{
  "components": [
    {
      "purl": "pkg:npm/lodash@4.17.20",
      "requirement": "4.17.20",
      "version": "4.17.20",
      "vulnerabilities": [
        {
          "cve": "CVE-2020-28500",
          "id": "CVE-2020-28500",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via ...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500"
        },
        {
          "cve": "CVE-2021-23337",
          "id": "CVE-2021-23337",
          "modified": "2024-11-21",
          "published": "2021-02-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
        }
      ]
    },
    {
      "purl": "pkg:pypi/requests@2.25.0",
      "requirement": "2.25.0",
      "version": "2.25.0",
      "vulnerabilities": [
        {
          "cve": "CVE-2023-32681",
          "id": "CVE-2023-32681",
          "modified": "2025-02-13",
          "published": "2023-05-26",
          "severity": "MEDIUM",
          "source": "NVD",
          "summary": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization head...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681"
        }
      ]
    },
    {
      "purl": "pkg:maven/org.apache.commons/commons-collections4@4.0",
      "requirement": "4.0",
      "version": "4.0",
      "vulnerabilities": [
        {
          "cve": "CVE-2015-6420",
          "id": "CVE-2015-6420",
          "modified": "2025-04-12",
          "published": "2015-12-15",
          "severity": "HIGH",
          "source": "NVD",
          "summary": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and C...",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6420"
        }
      ]
    },
    {}
  ],
  "status": {
    "message": "Success",
    "status": "SUCCESS"
  }
}