Overview
Customers sometimes ask:
"Can Sonatype give me a complete list of every component or version affected by vulnerability X (CVE or SONATYPE ID)?"
Sonatype core products do not expose bulk exports of all globally affected components for a vulnerability because our tools first focus on the question that matters:
"Does this vulnerability appear in my applications, SBOMs, repositories, and images?"
Sonatype Guide is a separate research tool that lets you look up a vulnerability and see the list of components currently associated with it; it is not a replacement for scanning and monitoring your own environment.
This article further explains our rationale and design.
Why a Global "All Components" List Doesn’t Exist
Proprietary, Continuously Updated Data
Sonatype’s intelligence lives in hosted data services that power Lifecycle, Repository Firewall, SBOM Manager, and other products. It is built through automated and human research across sources such as NVD, GHSA, vendor advisories, and direct discovery. It is not exposed as a public "dump everything" API.
There is no supported method to retrieve "all vulnerable components worldwide for vulnerability X." Product APIs and searches are scoped to your organization’s data, not to Sonatype’s entire dataset. See Advanced Search and its documented limitations.
Static Lists Become Outdated Immediately
Vulnerability data changes as new packages are found, ranges are refined, and errors are corrected. In large events, thousands of components can be implicated or later cleared.
- Any one-time CSV will miss new or reclassified items.
- Snapshots quickly diverge from live product results.
See identifier updates and removals and data sources and research.
Global Lists Create Noise, Not Insight
Massive spreadsheets encourage manual hunting instead of targeted analysis. They also cause confusion when they disagree with current scans. Sonatype Support does not create or maintain global exports per vulnerability.
How to Find Impacted Components in Your Environment
Lifecycle
- Advanced Search: query by vulnerability ID (for example, vulnerabilityId:CVE-2020-28052 or vulnerabilityId:SONATYPE-2024-013111). See Advanced Search and how to find affected applications.
- Advanced Search REST API: export matching results as CSV for automation. See API docs.
- Dashboards: the Security Risk Breakdown shows vulnerabilities and impacted applications. See dashboard docs.
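An added example (not Sonatype's own code) of automating the Advanced Search items above: it builds the query string for a list of vulnerability IDs, downloads the CSV export, and groups the rows by vulnerability so you can see which applications and components in your environment match. The export endpoint path, the Basic-auth header, and the CSV column names are assumptions; confirm them against the linked API docs before use.

```python
import csv
import io
import urllib.parse
import urllib.request
from base64 import b64encode
from collections import defaultdict


def build_query(vuln_ids):
    """Build the Advanced Search query shown in this article:
    one vulnerabilityId clause per identifier, joined with "or"."""
    return " or ".join(f"vulnerabilityId:{v}" for v in vuln_ids)


def fetch_csv(base_url, user, token, query):
    """Download the CSV export for a query from IQ Server.
    The endpoint path and Basic-auth scheme are assumptions;
    verify them against the Advanced Search REST API docs."""
    url = f"{base_url}/api/v2/search/advanced/export/csv?query={urllib.parse.quote(query)}"
    creds = b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode("utf-8")


def summarize(csv_text):
    """Group exported rows by vulnerability ID into a sorted list of unique
    (application, component) pairs. Column names are assumptions."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[row["vulnerabilityId"]].add(
            (row["applicationName"], row["componentIdentifier"])
        )
    return {vid: sorted(pairs) for vid, pairs in groups.items()}


# Constructed sample export (not real Sonatype output) so the script runs offline;
# note the duplicate row, which the set-based grouping collapses.
SAMPLE_CSV = """vulnerabilityId,applicationName,componentIdentifier
CVE-2020-28052,payments-api,org.bouncycastle:bcprov-jdk15on:1.65
CVE-2020-28052,payments-api,org.bouncycastle:bcprov-jdk15on:1.65
CVE-2020-28052,billing-web,org.bouncycastle:bcprov-jdk15on:1.60
SONATYPE-2024-013111,billing-web,example:widget:2.0.1
"""

if __name__ == "__main__":
    print(build_query(["CVE-2020-28052", "SONATYPE-2024-013111"]))
    for vid, hits in summarize(SAMPLE_CSV).items():
        print(vid, len(hits), "unique application/component pairs")
```

Replace SAMPLE_CSV with the output of fetch_csv against your own IQ Server to run it for real; the summary reflects only your organization's data, not Sonatype's global dataset.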
SBOM Manager
- Import and analyze SBOMs with Sonatype intelligence.
- Use SBOM Advanced Search and the SBOM Manager API to find which SBOMs and components contain a vulnerability. See SBOM search and SBOM Manager API.
Repository Firewall
- Quarantines inbound components that violate security or malicious-package policies.
- Use the dashboard and REST APIs to list quarantined or evaluated components and filter by vulnerability ID. See Firewall dashboard and Firewall APIs.
- For cached malware already in Nexus Repository 3, use the Malware Risk dashboard and Automatic Malware Management task (with optional Enable Malware Cleanup) to identify and remove malicious components from proxy repositories. See Malware Risk and the Guide to Removing Malware.
Sonatype Container
- Scans container images and OS packages for known vulnerabilities, focusing on where issues exist in your images.
- Background on public data handling for CPE-based items is in Sonatype vulnerability data.
Using Sonatype Guide for Research
With the launch of Sonatype Guide, you can now:
- Look up a vulnerability by ID (for example, a CVE or SONATYPE ID) and see the list of components our data currently associates with that vulnerability.
- Use the Guide API to retrieve affected components for automation (for example, the getVulnerabilityAffectedComponents operation).
Guide is intended for research and planning. You should still use Lifecycle, SBOM Manager, Repository Firewall, and Sonatype Container to determine where those components actually appear in your own applications, SBOMs, repositories, and images.
Key Takeaways
- Sonatype core products (Lifecycle, Repository Firewall, SBOM Manager, Container) do not provide a bulk export of all globally affected components for a given vulnerability ID.
- Sonatype Guide provides a separate research experience where you can look up a vulnerability and see the list of components our data currently associates with that vulnerability. [Using Guide]
- Static global lists are unreliable and stale by design, but can help with general research.
- Use Lifecycle Advanced Search and dashboards, SBOM Manager search and APIs, Repository Firewall dashboards, APIs and malware detections, and Container scans to pinpoint your own real exposure.
- For fast-moving events, re-evaluate key assets using these features to stay current.