Querying Vulnerability Information About an Artifact Scan
Function
This API is used to query vulnerability information about an artifact scan.
Constraints
This API is only supported by SWR Enterprise Edition instances v25.7.20 or later.
Calling Method
For details, see Calling APIs.
Authorization Information
Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.
- If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
- If you are using identity policy-based authorization, no identity policy-based permission is required for calling this API.
URI
GET /v2/{project_id}/instances/{instance_id}/namespaces/{namespace_name}/repositories/{repository_name}/artifacts/{reference}/vulnerabilities
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. |
| instance_id | Yes | String | ID of an SWR Enterprise Edition instance. |
| namespace_name | Yes | String | Namespace name. |
| repository_name | Yes | String | Repository name. |
| reference | Yes | String | Artifact digest. |
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. The token can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. |
Response Parameters
Status code: 200
| Parameter | Type | Description |
|---|---|---|
| {User defined key} | Map<String,VulnerabilityReports> | Vulnerability report of the application/vnd.security.vulnerability.report; version=1.1 type. |

| Parameter | Type | Description |
|---|---|---|
| generated_at | String | Time when a vulnerability report was generated. |
| severity | String | Overall severity in the artifact scan report. The options are None (no scores), Low (low risk), Medium (medium risk), High (high risk), Critical (critical), and Security (secure). |
| scanner | Scanner object | Scanner information. |
| vulnerabilities | Array of vulnerability objects | Vulnerability list. |

| Parameter | Type | Description |
|---|---|---|
| name | String | Scanner name. |
| vendor | String | Scanner provider. |
| version | String | Scanner version. |

| Parameter | Type | Description |
|---|---|---|
| id | String | Vulnerability ID. |
| package | String | Name of the software package that contains a vulnerability. |
| version | String | Version of the software package that contains a vulnerability. |
| fix_version | String | Version of the software package that fixes a vulnerability. |
| severity | String | Severity of a vulnerability. The options are Low (low risk), Medium (medium risk), High (high risk), and Critical (critical). |
| description | String | Vulnerability description. |
| links | Array of strings | Vulnerability-related links. |
| artifact_digests | Array of strings | Image layers that contain a vulnerability. |
| preferred_cvss | preferred_cvss object | Vulnerability scores and attack vectors based on CVSS3 and CVSS2. |
| cwe_ids | Array of strings | CWE ID list related to a vulnerability. |

| Parameter | Type | Description |
|---|---|---|
| score_v3 | Number | CVSS3 score of a vulnerability. |
| score_v2 | Number | CVSS2 score of a vulnerability. |
| vector_v3 | String | CVSS3 attack vector of a vulnerability. |
| vector_v2 | String | CVSS2 attack vector of a vulnerability. |
Status code: 400
| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |
| encoded_authorization_message | String | Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason. |
Status code: 401
| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |
| encoded_authorization_message | String | Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason. |
Status code: 403
| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |
| encoded_authorization_message | String | Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason. |
Status code: 404
| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |
| encoded_authorization_message | String | Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason. |
Status code: 500
| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |
| encoded_authorization_message | String | Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason. |
Example Requests
GET https://{endpoint}/v2/{project_id}/instances/{instance_id}/namespaces/{namespace_name}/repositories/{repository_name}/artifacts/{reference}/vulnerabilities
Example Responses
Status code: 200
The vulnerability information about the artifact is queried successfully.
{
  "application/vnd.security.vulnerability.report; version=1.1" : {
    "generated_at" : "2025-09-12:06:44:31",
    "scanner" : {
      "name" : "HSS",
      "vendor" : "HSS",
      "version" : "v5"
    },
    "severity" : "High",
    "vulnerabilities" : [ {
      "id" : "CVE-2020-2755",
      "package" : "openjdk-8-jre",
      "version" : "8u181-b13-2~deb9u1",
      "fix_version" : "",
      "severity" : "High",
      "description" : "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).",
      "links" : [ "https://security-tracker.debian.org/tracker/DSA-4668-1" ],
      "artifact_digests" : [ "sha256:a48d150ffd2faf9ea63217a7774a75cd3b4a252413810c2239d1ee257efc9e13" ],
      "preferred_cvss" : {
        "score_v3" : 3.700000047683716,
        "score_v2" : 3.7,
        "vector_v3" : "",
        "vector_v2" : ""
      },
      "cwe_ids" : [ "" ]
    } ]
  }
}
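An added example, not part of the SWR documentation: a deployment gate that parses the 200 response body, fails closed when the body carries no report, and separates blocking findings that have no reported fix. The sample body is constructed from the example response above; `EXAMPLE-0001`, `example-lib`, `CWE-79` and the `findings`/`gate` helpers are hypothetical.

```python
import json

# Ranks for the per-vulnerability "severity" values in the response table.
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def findings(body):
    """Flatten every report in the response map into normalized findings."""
    reports = [r for r in body.values() if isinstance(r, dict) and "vulnerabilities" in r]
    if not reports:
        # Error bodies (error_code/error_msg) carry no report: fail closed.
        raise ValueError("no vulnerability report in response")
    out = []
    for report in reports:
        for v in report.get("vulnerabilities") or []:
            cvss = v.get("preferred_cvss") or {}
            score = cvss.get("score_v3") or cvss.get("score_v2")
            out.append({
                "id": v.get("id", ""),
                "package": v.get("package", ""),
                # Empty fix_version: no fixed package version is reported.
                "fix_version": v.get("fix_version") or None,
                "severity": v.get("severity", ""),
                # Scores may arrive widened (3.700000047683716); round them.
                "score": round(score, 1) if score else None,
                # cwe_ids may be [""]; drop the empty entries.
                "cwe_ids": [c for c in v.get("cwe_ids") or [] if c],
            })
    return out

def gate(body, threshold="High"):
    """Return (passed, blocking, unfixable) for findings >= threshold."""
    floor = RANK[threshold]
    # Unrecognized severity strings rank above Critical, so they block.
    blocking = [f for f in findings(body) if RANK.get(f["severity"], 5) >= floor]
    unfixable = [f for f in blocking if f["fix_version"] is None]
    return (not blocking, blocking, unfixable)

# Constructed sample shaped like the 200 example; EXAMPLE-0001 is a placeholder.
SAMPLE = json.loads("""
{"application/vnd.security.vulnerability.report; version=1.1": {
  "severity": "High",
  "vulnerabilities": [
    {"id": "CVE-2020-2755", "package": "openjdk-8-jre", "fix_version": "",
     "severity": "High", "cwe_ids": [""],
     "preferred_cvss": {"score_v3": 3.700000047683716, "score_v2": 3.7}},
    {"id": "EXAMPLE-0001", "package": "example-lib", "fix_version": "1.0.1",
     "severity": "Medium", "cwe_ids": ["CWE-79"],
     "preferred_cvss": {"score_v3": 5.3}}]}}
""")
```

The gate keys on the `severity` field rather than the CVSS score because the example response above rates CVE-2020-2755 as High while reporting a CVSS3 score of 3.7.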
Status Codes
| Status Code | Description |
|---|---|
| 200 | The vulnerability information about the artifact is queried successfully. |
| 400 | Request error. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 404 | Resource not found. |
| 500 | Internal error. |
Error Codes
See Error Codes.