Vulnerabilities API

Actions in the vulnerabilities namespace of the Nexigon Hub API.

`vulnerabilities_IndexVersion`

POST /api/v1/actions/invoke/vulnerabilities_IndexVersion

Trigger indexing of every CycloneDX document referenced by the version's artifact assets via relations.{sbom,vdr,vex}.

The hub fetches the referenced documents from the repository's S3 storage and rebuilds the index for this version. The repository must have S3 configured.

Request IndexVersionDocumentsAction

Fields (JSON object)

versionId (from version_id) required

PackageVersionId string

Response IndexVersionDocumentsOutput

Fields (JSON object)

indexed required
Whether indexing actually ran (false when the feature flag is off or the version has no artifacts with relations.* metadata).

boolean
artifactCount (from artifact_count) required
Number of artifact assets whose documents were indexed.

integer
documentCount (from document_count) required
Total number of documents (SBOM + VDR + VEX) ingested.

integer

`vulnerabilities_IndexPackage`

POST /api/v1/actions/invoke/vulnerabilities_IndexPackage

Trigger indexing of every CycloneDX document referenced by the package's metadata via relations.{vex} (typically just VEX).

Mirrors IndexVersionDocumentsAction. Used after attaching a new package-level VEX asset and pointing the package's metadata at it.

Request IndexPackageDocumentsAction

Fields (JSON object)

packageId (from package_id) required

PackageId string

Response IndexPackageDocumentsOutput

Fields (JSON object)

indexed required

boolean
documentCount (from document_count) required

integer

`vulnerabilities_GetVersionOverview`

POST /api/v1/actions/invoke/vulnerabilities_GetVersionOverview

Get the vulnerability overview for a package version: artifact list, SBOM/VDR/VEX descriptors per artifact, package-level VEX, and (when indexing is enabled) the rolled-up severity summary.

Request GetVersionVulnerabilityOverviewAction

Fields (JSON object)

versionId (from version_id) required

PackageVersionId string

Response GetVersionVulnerabilityOverviewOutput

Fields (JSON object)

versionId (from version_id) required

PackageVersionId string
indexingEnabled (from indexing_enabled) required
Whether the indexing feature is enabled for this organization.

boolean
artifacts required
Per-artifact descriptors. Populated by walking each artifact's relations.{sbom,vdr,vex} metadata.
array<ArtifactDescriptor>
Items
ArtifactDescriptor
Fields (JSON object)
assetId (from asset_id) required

RepositoryAssetId string

filename required

string

sbom optional
SBOM document (the first valid relations.sbom entry).

AttachedDocument

Fields (JSON object)
assetId (from asset_id) required

RepositoryAssetId string

repositoryId (from repository_id) required

RepositoryId string

filename required

string

size required

integer (i64)

vdrs required
All VDR documents referenced from relations.vdr.

array<AttachedVdrDocument>

Items

AttachedVdrDocument

Fields (JSON object)
document required

AttachedDocument

Fields (JSON object)
assetId (from asset_id) required

RepositoryAssetId string

repositoryId (from repository_id) required

RepositoryId string

filename required

string

size required

integer (i64)

sourceTool (from source_tool) optional

string

severitySummary (from severity_summary) optional

SeveritySummary

Fields (JSON object)
critical required

integer

high required

integer

medium required

integer

low required

integer

info required

integer

unknown required

integer

vex required
All VEX documents referenced from relations.vex.

array<AttachedVexDocument>

Items

AttachedVexDocument

Fields (JSON object)
document required

AttachedDocument

Fields (JSON object)
assetId (from asset_id) required

RepositoryAssetId string

repositoryId (from repository_id) required

RepositoryId string

filename required

string

size required

integer (i64)

origin required

VexStatementOrigin

Cases externally
Operator
Statement authored by the operator triaging in their own organization.

Value: "Operator"
Vendor
Statement supplied by the upstream vendor of the affected component.

Value: "Vendor"
Scanner
Default state assumed by a scanner (typically in_triage).

Value: "Scanner"

statementCount (from statement_count) optional

integer

severitySummary (from severity_summary) optional
Severity rollup from this artifact's VDRs after VEX is applied.

SeveritySummary

Fields (JSON object)
critical required

integer

high required

integer

medium required

integer

low required

integer

info required

integer

unknown required

integer

componentCount (from component_count) optional
Number of components extracted from this artifact's SBOM.

integer
packageVex (from package_vex) required
VEX documents inherited from the parent package's relations.vex.
array<AttachedVexDocument>
Items
AttachedVexDocument
Fields (JSON object)
document required

AttachedDocument

Fields (JSON object)
assetId (from asset_id) required

RepositoryAssetId string

repositoryId (from repository_id) required

RepositoryId string

filename required

string

size required

integer (i64)

origin required

VexStatementOrigin

Cases externally
Operator
Statement authored by the operator triaging in their own organization.

Value: "Operator"
Vendor
Statement supplied by the upstream vendor of the affected component.

Value: "Vendor"
Scanner
Default state assumed by a scanner (typically in_triage).

Value: "Scanner"

statementCount (from statement_count) optional

integer
severitySummary (from severity_summary) optional
Severity counts across the union of all artifact VDRs after VEX is applied. Not set when indexing is disabled.
SeveritySummary
Fields (JSON object)
- critical required
  
  integer
- high required
  
  integer
- medium required
  
  integer
- low required
  
  integer
- info required
  
  integer
- unknown required
  
  integer
componentCount (from component_count) optional
Total component count across all artifact SBOMs (including duplicates if the same component is referenced from several artifacts). Not set when indexing is disabled.

integer

`vulnerabilities_QueryComponents`

POST /api/v1/actions/invoke/vulnerabilities_QueryComponents

Query the components extracted from a package version's SBOMs.

Request QueryPackageVersionComponentsAction

Fields (JSON object)

versionId (from version_id) required

PackageVersionId string
artifactFilename (from artifact_filename) optional
Optional filter: only include components from this artifact's SBOM.

string
search optional
Optional case-insensitive substring filter over name / purl / license.

string
componentType (from component_type) optional
Optional component-type filter (e.g. library, application).

string

Response QueryPackageVersionComponentsOutput

Fields (JSON object)

indexingEnabled (from indexing_enabled) required

boolean
components required
array<PackageVersionComponent>
Items
PackageVersionComponent
Fields (JSON object)
artifactFilename (from artifact_filename) required
Filename of the artifact asset whose SBOM this component came from.

string

bomRef (from bom_ref) required

string

purl optional

string

name required

string

version optional

string

type (from kind) required

string

licenses required

array<string>

Items

string

supplier optional

string

description optional

string

vulnSummary (from vuln_summary) optional
Vulnerability counts after VEX application.

SeveritySummary

Fields (JSON object)
critical required

integer

high required

integer

medium required

integer

low required

integer

info required

integer

unknown required

integer

`vulnerabilities_QueryFindings`

POST /api/v1/actions/invoke/vulnerabilities_QueryFindings

Request QueryPackageVersionFindingsAction

Fields (JSON object)

versionId (from version_id) required

PackageVersionId string
artifactFilename (from artifact_filename) optional
Optional artifact-filename filter.

string
minSeverity (from min_severity) optional
Optional severity floor.

string

Response QueryPackageVersionFindingsOutput

Fields (JSON object)

indexingEnabled (from indexing_enabled) required

boolean
findings required
array<PackageVersionFinding>
Items
PackageVersionFinding
Fields (JSON object)
artifactFilename (from artifact_filename) required

string

componentPurl (from component_purl) required

string

componentName (from component_name) required

string

componentVersion (from component_version) optional

string

vulnerabilityId (from vulnerability_id) required

string

severity required

string

cvssScore (from cvss_score) optional

number

description optional

string

sourceTool (from source_tool) optional

string

effectiveState (from effective_state) required
Effective VEX state. Defaults to in_triage when no statement applies.

string

justification optional

string

detail optional

string

stateOrigin (from state_origin) optional

VexStatementOrigin

Cases externally
Operator
Statement authored by the operator triaging in their own organization.

Value: "Operator"
Vendor
Statement supplied by the upstream vendor of the affected component.

Value: "Vendor"
Scanner
Default state assumed by a scanner (typically in_triage).

Value: "Scanner"