Artifact Summary

Xray REST APIs

Product: JFrog Xray
Content type: REST API

Description: Provides details about any artifact specified by path identifiers or checksum.

Security: Requires a valid user with "Read" permission.

Usage: POST /xray/api/v1/summary/artifact

Consumes: application/json

Produces: application/json

Path Parameters: None

Query Parameters: None

Request Body:

Name | Type | Required/Optional | Description
---- | ---- | ----------------- | -----------
paths | array | Either paths or checksums is required; checksums is ignored if both are included. | Array of artifact paths to provide the summary for. The path must start with the artifactory_id; as of Xray version 3.x this must be set to default, so a path looks like default/repo/folder/artifact.
checksums | array | Either paths or checksums is required; checksums is ignored if both are included. | Array of SHA-256 or SHA-1 checksums of the artifacts to provide the summary for.
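The request rules above (either paths or checksums, checksums silently ignored when both are sent, paths prefixed with the default artifactory_id, SHA-1 or SHA-256 digests) are easy to get wrong in a client, so here is an added example of a small helper that validates the body before it leaves the caller. This is not JFrog's client code; the endpoint path and field names come from this page, while the base URL, the Bearer authorization header and the helper names are assumptions to adapt to your platform.

```python
"""Build and send an Artifact Summary request to Xray.

Added example, not JFrog's own client code. The endpoint path and the body
fields (paths / checksums) come from the documentation; the Bearer token
header and the base URL are assumptions you adapt to your platform.
"""
import json
import re
import urllib.request

XRAY_SUMMARY_PATH = "/xray/api/v1/summary/artifact"
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def validate_checksum(value: str) -> str:
    """Accept only a SHA-1 (40 hex chars) or SHA-256 (64 hex chars) digest."""
    if len(value) not in (40, 64) or not _HEX.match(value):
        raise ValueError(f"not a SHA-1/SHA-256 hex digest: {value!r}")
    return value.lower()


def validate_path(value: str) -> str:
    """Xray 3.x paths look like default/<repo>/<folder>/<artifact>: the first
    segment must be the literal artifactory_id 'default', followed by a repo."""
    parts = value.split("/")
    if parts[0] != "default" or len(parts) < 3 or not parts[1]:
        raise ValueError(f"path must look like default/repo/folder/artifact: {value!r}")
    return value


def build_summary_request(paths=None, checksums=None) -> dict:
    """Return the JSON body for POST /xray/api/v1/summary/artifact.

    The endpoint ignores checksums when both fields are present, so this helper
    refuses that combination instead of letting a caller believe both lists
    were looked up (a choice of this example, not an API rule).
    """
    if paths and checksums:
        raise ValueError("send either paths or checksums, not both")
    if paths:
        return {"paths": [validate_path(p) for p in paths]}
    if checksums:
        return {"checksums": [validate_checksum(c) for c in checksums]}
    raise ValueError("either paths or checksums is required")


def post_artifact_summary(base_url: str, access_token: str, body: dict,
                          timeout: float = 30.0) -> dict:
    """POST the body and decode the JSON response (needs a live Xray).

    Sends application/json both ways, as documented. The Authorization header
    format is an assumption: use whatever credential your platform issues to
    a user holding the Read permission the endpoint requires.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + XRAY_SUMMARY_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {access_token}",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed usage: the digest is the one from the page's example request.
    body = build_summary_request(
        checksums=["d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2"]
    )
    print(json.dumps(body, indent=2))
```

Only `build_summary_request` runs offline; `post_artifact_summary` is the one call that needs an Xray instance and a credential. Keep the base URL on HTTPS so the token in the Authorization header is never sent in the clear.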

Response body:

Name | Type | Description
---- | ---- | -----------
artifacts | array[ArtifactObj] | Array of artifact details
errors | array[ErrorsObj] | Array of error details, if any

ArtifactObj:

Name | Type | Description
---- | ---- | -----------
general | GeneralObj | General information about the artifact
issues | array[IssuesObj] | Array of issues related to the artifact
licenses | array[LicensesObj] | Array of licenses associated with the artifact
operational_risks | array[OperationalRiskObj] | Array of operational risks associated with the artifact

GeneralObj:

Name | Type | Description
---- | ---- | -----------
component_id | string | Unique identifier for the component
name | string | Name of the artifact
path | string | Path to the artifact
pkg_type | string | Type of the artifact package (e.g., "Docker")
sha256 | string | SHA-256 checksum of the artifact

IssuesObj:

Name | Type | Description
---- | ---- | -----------
issue_id | string | Unique identifier for the issue
summary | string | Summary of the issue
description | string | Detailed description of the issue
issue_type | string | Type of the issue (e.g., "security")
severity | string | Severity level of the issue (e.g., "High")
provider | string | Provider of the issue (e.g., "JFrog")
created | string | Timestamp indicating when the issue was created
impact_path | array[string] | Array of paths indicating the impact of the issue
cves | array[CVEObj] | Array of CVEs associated with the issue
extended_information | ExtendedInfoObj | Additional information about the issue. Available as of Xray version 3.42.3.
applicability | array[ApplicabilityObj] | Array of applicability details
applicability_details | array[ApplicabilityDetailsObj] | Applicability details
component_physical_paths | array[string] | Array of paths indicating the physical location of the component related to the issue

CVEObj:

Name | Type | Description
---- | ---- | -----------
cve | string | CVE identifier
cwe | array[string] | Array of CWEs associated with the CVE
cvss_v2 | string | CVSS version 2 score
cvss_v3 | string | CVSS version 3 score

ExtendedInfoObj:

Name | Type | Description
---- | ---- | -----------
short_description | string | A brief description of the issue. Field is markdown text.
full_description | string | Full description of the issue. Field is markdown text.
jfrog_research_severity | string | Severity of the issue according to JFrog research
jfrog_research_severity_reasons | array[SeverityReasonObj] | Reasons for the severity assigned by JFrog research
remediation | string | Remediation steps for the issue. Field is markdown text.

SeverityReasonObj:

Name | Type | Description
---- | ---- | -----------
name | string | The reason for the severity assessment.
description | string | Detailed explanation supporting the severity assessment.
is_positive | boolean | Indicates whether the reason contributes positively to the severity assessment.

ApplicabilityDetailsObj:

Name | Type | Description
---- | ---- | -----------
component_id | string | Component ID of the artifact
source_comp_id | string | Component ID of the vulnerable package
vulnerability_id | string | CVE ID
result | string | Contextual Analysis result. Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered

ApplicabilityObj:

Name | Type | Description
---- | ---- | -----------
scanner_available | boolean | Indicates whether a scanner is available to check the applicability of the issue
component_id | string | Identifier for the component or environment where the issue is applicable
source_comp_id | string | Identifier for the source component or environment where the issue was detected
cve_id | string | Identifier for the CVE associated with the issue
scan_status | integer | Status of the scan (e.g., 1 for successful, 0 for unsuccessful)
applicability | boolean | Indicates whether the issue is applicable to the specified component or environment
scanner_explanation | string | Explanation provided by the scanner regarding the applicability check
evidence | array[EvidenceObj] | Evidence or additional information related to the applicability check
info | string | Additional information about the applicability of the issue
details | array[DetailsObj] | Additional details or notes regarding the applicability of the issue

EvidenceObj:

Name | Type | Description
---- | ---- | -----------
column_names | array[string] | Names of the columns in the evidence data
rows | array[array[string]] | Rows of evidence data, each containing specific details about the issue

DetailsObj:

Name | Type | Description
---- | ---- | -----------
file_path | string | File path or location where the issue was detected
details | string | Detailed information about the applicability of the issue

LicensesObj:

Name | Type | Description
---- | ---- | -----------
name | string | Name of the license
full_name | string | Full name of the license
more_info_url | array[string] | Array of URLs providing more information about the license
components | array[string] | Array of components covered by the license

OperationalRiskObj:

Name | Type | Description
---- | ---- | -----------
component_id | string | Identifier for the component
risk | string | Level of risk associated with the component
risk_reason | string | Reason for the risk assessment
is_eol | boolean | Flag indicating whether the component is end-of-life
eol_message | string | Message about the end-of-life status of the component
latest_version | string | Latest available version of the component
newer_versions | integer | Number of newer versions available for the component
cadence | integer | Cadence of new releases for the component
commits | integer | Number of commits for the component
committers | integer | Number of committers for the component
released | string | Timestamp indicating when the component was released

ErrorsObj:

Name | Type | Description
---- | ---- | -----------
identifier | string | Unique identifier for the error
error | string | Description of the error

Response Codes:

Status code | Description
----------- | -----------
200 | OK
415 | Failed to parse JSON

Example Request:

{
    "checksums": ["d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2"]
}

Example Response:

{
    "artifacts": [
        {
            "general": {
                "name": "moment-2.29.3.tar.gz",
                "component_id": "moment-2.29.3.tar.gz",
                "pkg_type": "Generic",
                "path": "default/npm-local/moment-2.29.3.tar.gz",
                "sha256": "8240b88c4879b771bdc2ab571fe26d8c10dc92f0e1c130ae468a01ef8d57fe52"
            },
            "issues": [
                {
                    "issue_id": "XRAY-230778",
                    "summary": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
                    "description": "### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.",
                    "issue_type": "security",
                    "severity": "High",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2022-31129",
                            "cwe": [
                                "CWE-1333",
                                "CWE-400"
                            ],
                            "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                            "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "created": "2022-07-12T00:00:00.828Z",
                    "impact_path": [
                        "default/npm-local/moment-2.29.3.tar.gz/moment-2.29.3/Moment.js.nuspec"
                    ],
                    "extended_information": {
                        "short_description": "ReDoS in moment.js could lead to a denial of service when handling untrusted strings.",
                        "full_description": "[`moment`](https://momentjs.com/) is a JavaScript library that enables parsing of date and time strings.\n\nIn `moment`'s exported function, a vulnerability exists when trying to parse a date string. A maliciously crafted string that is parsed by `moment` may lead to excessive CPU consumption and ultimately a denial of service. More specifically, the regex used is `/\\([^)]*\\)|[\\n\\t]/g`, and after finding the first `(`, the regex engine will try to match all subsequent substrings until `)` is found.",
                        "jfrog_research_severity": "Medium",
                        "jfrog_research_severity_reasons": [
                            {
                                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                                "description": "An attacker must find remote input that propagates to the `moment` exported function",
                                "is_positive": true
                            },
                            {
                                "name": "The issue has an exploit published",
                                "description": "Public exploit demonstrated ReDoS",
                                "is_positive": false
                            },
                            {
                                "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
                                "is_positive": false
                            }
                        ]
                    },
                    "applicability": null,
                    "component_physical_paths": [
                        "moment-2.29.3/Moment.js.nuspec"
                    ]
                },
                {
                    "issue_id": "XRAY-230783",
                    "summary": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
                    "description": "### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.",
                    "issue_type": "security",
                    "severity": "High",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2022-31129",
                            "cwe": [
                                "CWE-1333",
                                "CWE-400"
                            ],
                            "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                            "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "created": "2022-07-12T00:00:00.797Z",
                    "impact_path": [
                        "default/npm-local/moment-2.29.3.tar.gz/moment-2.29.3/package.json"
                    ],
                    "extended_information": {
                        "short_description": "ReDoS in moment.js could lead to a denial of service when handling untrusted strings.",
                        "full_description": "[`moment`](https://momentjs.com/) is a JavaScript library that enables parsing of date and time strings.\n\nIn `moment`'s exported function, a vulnerability exists when trying to parse a date string. A maliciously crafted string that is parsed by `moment` may lead to excessive CPU consumption and ultimately a denial of service. More specifically, the regex used is `/\\([^)]*\\)|[\\n\\t]/g`, and after finding the first `(`, the regex engine will try to match all subsequent substrings until `)` is found.",
                        "jfrog_research_severity": "Medium",
                        "jfrog_research_severity_reasons": [
                            {
                                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                                "description": "An attacker must find remote input that propagates to the `moment` exported function",
                                "is_positive": true
                            },
                            {
                                "name": "The issue has an exploit published",
                                "description": "Public exploit demonstrated ReDoS",
                                "is_positive": false
                            },
                            {
                                "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
                                "is_positive": false
                            }
                        ]
                    },
                    "applicability": null,
                    "component_physical_paths": [
                        "moment-2.29.3/package.json"
                    ]
                }
            ],
            "licenses": [
                {
                    "name": "MIT",
                    "full_name": "MIT License",
                    "more_info_url": [
                        "https://opensource.org/licenses/MIT",
                        "http://www.opensource.org/licenses/MIT",
                        "http://www.opensource.org/licenses/mit-license.php",
                        "https://spdx.org/licenses/MIT",
                        "https://spdx.org/licenses/MIT.html"
                    ],
                    "components": [
                        "npm://moment:2.29.3",
                        "nuget://Moment.js:2.29.3"
                    ]
                }
            ],
            "operational_risks": [
                {
                    "component_id": "npm://moment:2.29.3",
                    "risk": "High",
                    "risk_reason": "Health",
                    "is_eol": null,
                    "eol_message": "",
                    "latest_version": "2.29.4",
                    "newer_versions": 1,
                    "cadence": 1,
                    "commits": null,
                    "committers": null,
                    "released": "2022-04-17T18:27:04Z"
                }
            ]
        }
    ]
}

Example of successful response with CVE Research and Enrichment:

{
    "artifacts": [
        {
            "general": {
                "name": "example_app:latest",
                "component_id": "example_app:latest",
                "pkg_type": "Docker",
                "path": "default/docker_containers/example/latest/",
                "sha256": "063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0"
            },
            "issues": [
                {
                    "issue_id": "XRAY-97724",
                    "summary": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
                    "description": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
                    "issue_type": "security",
                    "severity": "High",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2018-20225",
                            "cwe": [
                                "CWE-20"
                            ],
                            "cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
                            "cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "created": "2020-05-11T00:00:00.784Z",
                    "impact_path": [
                        "default/docker_containers/example/latest/sha256__063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0.tar.gz/pip:9.0.1"
                    ],
                    "extended_information": {
                        "short_description": "pip could download private packages from a public PyPI repository leading to code execution",
                        "full_description": "This vulnerability has been disputed by the maintainers of pip as the described behavior, while potentially insecure, is the intended one. If pip is executed with the `--extra-index-url` when using a private PyPI repository, an attacker could cause pip to download a private package (for example one named `private_package`) by adding a package with the same name (`private_package`) in the public PyPI repository. This would lead to remote code execution as pip will download the public package that could contain malicious code. This is similar to the dependency confusion attack from 2021 by Alex Birsan. However, this isn't considered a vulnerability in itself in pip, and there is no plan to patch or change it.",
                        "jfrog_research_severity": "Medium",
                        "jfrog_research_severity_reasons": [
                            {
                                "name": "The CVE can't be remotely exploited",
                                "is_positive": true
                            },
                            {
                                "name": "This CVE has been disputed by the vendor",
                                "description": "Pip maintainers, and others such as [RHEL](https://access.redhat.com/security/cve/cve-2018-20225) do not consider this a vulnerability as it is the intended behaviour",
                                "is_positive": true
                            },
                            {
                                "name": "The CVE was marked as unimportant by the [Debian tracker](https://security-tracker.debian.org/tracker/CVE-2018-20225)",
                                "is_positive": true
                            }
                        ],
                        "remediation": "##### Deployment mitigations\r\n\r\nDo not use the `--extra-index-url` flag with pip and consider using version pinning for deployments."
                    }
                }
            ],
            "licenses": [
                {
                    "name": "Unknown",
                    "full_name": "Unknown license",
                    "more_info_url": [
                        "Unknown link"
                    ],
                    "components": [
                        "deb://ubuntu:bionic:perl-base:5.26.1-6ubuntu0.5",
                        "deb://ubuntu:bionic:libss2:1.44.1-1ubuntu1.3"
                    ]
                }
            ]
        }
    ]
}

Example response with Component Physical Path:

{
  "artifacts": [
    {
      "general": {
        "name": "artifactory-pro:7.29.80",
        "component_id": "artifactory-pro:7.29.80",
        "pkg_type": "Docker",
        "path": "default/docker-local-a/artifactory-pro/7.29.80/",
        "sha256": "4704b659a183fecc786783e826537978249f2dd2d6665b434340dc7cc75016a9"
      },
      "issues": [
        {
          "issue_id": "XRAY-191997",
          "summary": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
          "description": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
          "issue_type": "security",
          "severity": "Medium",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2021-28170",
              "cwe": [
                "CWE-20"
              ],
              "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
              "cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            }
          ],
          "created": "2021-12-14T00:00:00.537Z",
          "impact_path": [
            "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
            "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
          ],
          "component_physical_paths": [
            "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
            "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
          ]
        }
      ]
    }
  ]
}

Example response with Operational Risk object:

{
  "artifacts": [
    {
      "general": {
        "name": "datanucleus-core-3.0.4.jar",
        "component_id": "org.datanucleus:datanucleus-core:3.0.4",
        "pkg_type": "Maven",
        "path": "default/generic-local/datanucleus-core-3.0.4.jar",
        "sha256": "5a30df15b3de7c0c349c76e33c12d3f5142a92e81e3fe827e723ba13c662de92"
      },
      "issues": [],
      "licenses": [],
      "operational_risks": [
        {
          "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
          "risk": "High",
          "risk_reason": "Health",
          "is_eol": null,
          "eol_message": "",
          "latest_version": "6.0.0-m4",
          "newer_versions": 120,
          "cadence": 1,
          "commits": null,
          "committers": null,
          "released": "2012-12-12T20:02:00Z"
        }
      ]
    }
  ]
}

Example response with Contextual Analysis:

{
    "artifacts": [
        {
            "general": {
                "name": "student-services-security-0.0.1-20230711.143048-1_34dca0.jar",
                "component_id": "com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                "pkg_type": "Maven",
                "path": "default/maven-local/student-services-security-0.0.1-20230711.143048-1_34dca0.jar",
                "sha256": "f2f04c0408e3cf4d09231481a5903fab0bb818e350f58ab0b3d7e84646708274"
            },
            "issues": [
                {
                    "issue_id": "XRAY-92904",
                    "summary": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
                    "description": "The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
                    "issue_type": "security",
                    "severity": "High",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2017-18640",
                            "cwe": [
                                "CWE-776"
                            ],
                            "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                            "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "created": "2019-12-19T00:00:00.460Z",
                    "impact_path": [
                        "default/maven-local/student-services-security-0.0.1-20230711.143048-1_34dca0.jar/BOOT-INF/lib/snakeyaml-1.25.jar"
                    ],
                    "extended_information": {
                        "short_description": "Exponential entity expansion in SnakeYAML leads to denial of service when parsing untrusted YAML data.",
                        "full_description": "[SnakeYAML](https://bitbucket.org/snakeyaml/snakeyaml/) is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.\n\nWhen loading a YAML document, SnakeYAML uses recursion to parse Aliases from the document.\n\nIt was discovered that a crafted YAML file containing an exponential entity expansion using the Alias feature can lead to denial of service due to memory exhaustion. This type of attack is called a [Billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack).\n\nTo exploit this issue, an attacker must find remote input that propagates into the `Yaml.load()` method. Note that the issue can be exploited even if the `Yaml` class is initialized with a `SafeConstructor`:\n```\nYaml yaml = new Yaml(new SafeConstructor());\nyaml.load(external_data);\n```\nA PoC was published [here](https://web.archive.org/web/20210324100907/https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion)",
                        "jfrog_research_severity": "High",
                        "jfrog_research_severity_reasons": [
                            {
                                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                                "description": "An attacker must find remote input that propagates into the `Yaml.load()` method. Note that the issue can be exploited even if the `Yaml` class is initialized with a `SafeConstructor` or with a `Constructor` that accepts an explicit type only.",
                                "is_positive": true
                            },
                            {
                                "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
                                "description": "It is highly likely that SnakeYAML will be used to parse externally-supplied YAML data.",
                                "is_positive": false
                            },
                            {
                                "name": "The issue has an exploit published",
                                "description": "PoC demonstrates denial of service.",
                                "is_positive": false
                            }
                        ],
                        "remediation": "##### Development mitigations\n\nWrap SnakeYAML's `load` method with exception handling -\n```java\ntry {\n\tString parsed = yaml.load(strYaml);\n}\ncatch(StackOverflowError e) {\n\tSystem.err.println(\"ERROR: Stack limit reached\");\n}\n```"
                    },
                    "applicability": ...,
                    "applicability_details": [
                        {
                            "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                            "source_comp_id": "gav://org.yaml:snakeyaml:1.25",
                            "vulnerability_id": "CVE-2017-18640",
                            "result": "not_applicable"
                        }
                    ],
                    "component_physical_paths": [
                        "BOOT-INF/lib/snakeyaml-1.25.jar"
                    ]
                }
            ]
        }
    ]
}

Example Error Response:

{
  "artifacts": [],
  "errors": [
    {
      "identifier": "default/npm-local/moment-2.229.3.tar.gz",
      "error": "Artifact doesn't exist or not indexed/cached in Xray"
    }
  ]
}
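The responses above carry three signals a consumer usually has to combine: the generic severity and JFrog research severity of each issue, the Contextual Analysis verdict in applicability_details (where not_applicable means the vulnerable code was found not to be reachable in this artifact), and the errors array for identifiers Xray could not resolve. Here is an added example that flattens a response into one row per CVE, ordered for triage, and surfaces the errors separately; it is not JFrog code. The embedded response is constructed from the page's example responses, trimmed to the fields used, and the ranking rules (research severity wins over generic severity; not_applicable sorts last while not_scanned and undetermined stay in the queue) are choices of this example, not Xray behaviour.

```python
"""Triage an Artifact Summary response.

Added example, not JFrog's own code. Field names follow the response tables
on the page; the embedded response is constructed from the documented example
responses (trimmed to the fields used here). The severity ranking and the rule
that a Contextual Analysis result of not_applicable de-prioritises a finding
are choices of this example, not Xray behaviour.
"""
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample: one artifact with Contextual Analysis, one without,
# plus an error entry; values are taken from the page's example responses.
SAMPLE_RESPONSE = json.loads(r"""
{
  "artifacts": [
    {
      "general": {"name": "moment-2.29.3.tar.gz",
                  "path": "default/npm-local/moment-2.29.3.tar.gz"},
      "issues": [
        {
          "issue_id": "XRAY-230778",
          "issue_type": "security",
          "severity": "High",
          "cves": [{"cve": "CVE-2022-31129", "cwe": ["CWE-1333", "CWE-400"]}],
          "extended_information": {"jfrog_research_severity": "Medium"},
          "applicability": null
        }
      ]
    },
    {
      "general": {"name": "student-services-security-0.0.1-20230711.143048-1_34dca0.jar",
                  "path": "default/maven-local/student-services-security-0.0.1-20230711.143048-1_34dca0.jar"},
      "issues": [
        {
          "issue_id": "XRAY-92904",
          "issue_type": "security",
          "severity": "High",
          "cves": [{"cve": "CVE-2017-18640", "cwe": ["CWE-776"]}],
          "extended_information": {"jfrog_research_severity": "High"},
          "applicability_details": [
            {"source_comp_id": "gav://org.yaml:snakeyaml:1.25",
             "vulnerability_id": "CVE-2017-18640", "result": "not_applicable"}
          ]
        }
      ]
    }
  ],
  "errors": [
    {"identifier": "default/npm-local/moment-2.229.3.tar.gz",
     "error": "Artifact doesn't exist or not indexed/cached in Xray"}
  ]
}
""")


def contextual_result(issue: dict, cve_id: str) -> str:
    """Return the Contextual Analysis verdict for one CVE. Missing details mean
    the scanner has not run, reported with the documented value not_scanned."""
    for detail in issue.get("applicability_details") or []:
        if detail.get("vulnerability_id") == cve_id:
            return detail.get("result", "not_scanned")
    return "not_scanned"


def effective_severity(issue: dict) -> str:
    """Prefer JFrog research severity when present, else the generic severity."""
    extended = issue.get("extended_information") or {}
    return extended.get("jfrog_research_severity") or issue.get("severity", "Unknown")


def triage(response: dict) -> list:
    """Flatten the response into one row per (artifact, issue, CVE), most urgent first.
    Rows whose Contextual Analysis result is not_applicable sort last; every other
    result (including not_scanned and undetermined) stays in the work queue."""
    findings = []
    for artifact in response.get("artifacts", []):
        path = artifact.get("general", {}).get("path", "")
        for issue in artifact.get("issues", []):
            if issue.get("issue_type") != "security":
                continue
            sev = effective_severity(issue)
            for cve in issue.get("cves") or [{}]:
                cve_id = cve.get("cve", "")
                result = contextual_result(issue, cve_id)
                findings.append({
                    "path": path,
                    "issue_id": issue.get("issue_id"),
                    "cve": cve_id,
                    "effective_severity": sev,
                    "contextual_result": result,
                    "suppressed": result == "not_applicable",
                })
    findings.sort(key=lambda f: (f["suppressed"],
                                 -SEVERITY_RANK.get(f["effective_severity"], 0)))
    return findings


def lookup_errors(response: dict) -> list:
    """Pair each unresolved identifier with its message; these never appear in artifacts."""
    return [(e.get("identifier"), e.get("error")) for e in response.get("errors", [])]


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row)
    for identifier, message in lookup_errors(SAMPLE_RESPONSE):
        print("error:", identifier, "->", message)
```

On the sample, the moment finding comes out first even though its research severity is lower, because the SnakeYAML finding carries a not_applicable verdict and is pushed to the bottom rather than dropped; keeping suppressed rows visible lets a reviewer confirm the verdict still holds after a rescan or an upgrade.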