List issues for a package
The Snyk REST API endpoint List issues for a package can be used to get all direct (non-transitive) vulnerabilities for a package using its purl
, which is a uniform way of identifying software packages across ecosystems as defined in the package URL specification.
When you pass a purl
to the endpoint, Snyk will find any known vulnerabilities for that package and return them as part of the response body.
The API is useful when you have a list of packages and want to retrieve a list of vulnerabilities for a package version.
The examples on this page use HTTPie, but you can use any HTTP client to access the Snyk REST API.
Supported purl types
The current release supports the following purl
types: apk
, cargo
, cocoapods
, composer
, deb
, gem
, generic
, golang
, hex
, npm
, nuget
, pub
, pypi
, rpm
, swift
and maven
.
If you are interested in support for additional ecosystems, submit a request to Snyk Support.
Request for List issues for a package endpoint
To call the API endpoint, use the following HTTP request:
The purl must be URL-encoded.
An example using a valid url-encoded purl follows:
For operating system packages, a vendor must be specified in the namespace portion, and a distro
qualifier must be specified. Supported vendors include: debian
, alpine
, rhel
, ubuntu
, amzn
, centos
, oracle
, rocky
, sles
.
An example using a valid url-encoded operating system purl follows:
The Snyk REST API supports pagination. This has a default page limit of 1000, with a default offset of 0. Current, next, and previous pages are returned as links in the response. The following parameters can be supplied as query parameters: offset
, limit
.
An example paginated request follows:
Response for List issues for a package endpoint
The expected output provides a JSON API response that identifies the vulnerabilities associated with the package.
The following example gives the response for a pypi
package django.
The response provides a list of the vulnerabilities found for the package identified by the purl in the request. The response begins with a description of a vulnerability:
Overview of package
Affected versions of this package are vulnerable to Denial of Service (DoS) through very large inputs with a specific sequence of characters in the urlize()
and urlizetrunc()
template filters.
Remediation
Upgrade the package version to 4.2.15,5.0.8 to fix this vulnerability
Response details
The response is continuous, divided here to allow for explanations.
For each vulnerability, the response provides the following:
The Snyk issue ID and issue types:
General metadata about the vulnerability, including title, timestamps relevant to the vulnerability such as publication and disclosure time, and description:
The CVE and CWE identifiers:
The severity or severities of the vulnerability:
Starting in June 2024, all new advisories identified by Snyk Open Source are provided with both CVSS v4.0 and CVSS v3.1 severities. For the most accurate severity assessments, Snyk recommends using CVSS v4.0 when it is available.
Any fixes available for that vulnerability and the representation for vulnerable versions:
Links to any external resources with further information on the vulnerability:
Package metadata is returned, including the following:
Package name
Package type
Package URL specification
Package version
Where applicable, pagination links for the results are included as follows:
Next path (if applicable)
Previous path (if applicable)
Current path
Troubleshooting for the List issues for a package endpoint
The following are error states that you may receive when using the API. If you experience issues not covered here or are having trouble resolving these, contact your Solution Engineer or Technical Success Manager, or submit a request to Snyk Support.
Invalid PURL 400 Ensure that the purl specification you provided is a valid purl. For more information, see the Package URL specification.
Unsupported Ecosystem 400 Ensure that the package type is one of the supported purl types.
Package requested without namespace 400 Ensure you specify a namespace in the package URL and then try again. For more information, see the Package URL specification.
Purl component not supported 400 Remove the component that is not supported and try to make the request again. The endpoint accepts only particular components. For more information, see the Package URL specification.
Your organization is not authorized to perform this action. 403 To get access, contact your Solutions Engineer or Technical Success Manager, or the administrator for your team.
Rate limit exceeded 429 180 requests per minute per user are permitted on this API endpoint. If you exceed this volume, you will receive a 429 error response code.
Invalid pagination parameters 400 The limit and offset supplied query parameters must be as follows:
Limit > 0 and <= 1000
Offset >= 0
The default parameters for this request are limit = 1000, and offset >= 0.
Authorization request failure 500 This issue is unexpected, and the service should recover quickly. If it does not, submit a request to Snyk Support.
Internal server error 500 This issue is unexpected, and the service should recover quickly. If it does not, submit a request to Snyk Support.
Vulnerability service unavailable 503 This issue is unexpected, and the service should recover quickly. If it does not, submit a request to Snyk Support.
Vulnerability service error 500 This issue is unexpected, and the service should recover quickly. If it does not, submit a request to Snyk Support.
An example of this error response follows:
Last updated