Summary
This article explains how to use Sonatype Guide to research the list of open source components affected by a specific vulnerability ID (for example, a CVE) and how this complements our existing guidance for finding impacted components in your own environment.
Explanation
Our products (Lifecycle, Repository Firewall, SBOM Manager, Container) are designed to answer the question “Where does this vulnerability appear in my applications, SBOMs, repositories, and images?” and do not provide a bulk export of all globally affected components directly from those products. For that reason, we previously stated that Sonatype does not expose a global “dump everything” API for all components affected by a vulnerability ID from within Lifecycle or related products.
With the launch of Sonatype Guide, we now provide a separate research experience where you can look up a vulnerability and see the list of components that our data currently associates with that vulnerability. This is intended for research and planning, and does not replace product scans or continuous monitoring in your own environment.
Using Sonatype Guide for Vulnerability Research
Sonatype Guide is an AI-first product that exposes our component and vulnerability intelligence through a web UI and API, including a dedicated vulnerability view and affected-components listing. You can access Guide at https://guide.sonatype.com.
- From the Guide UI, search for a vulnerability by ID (for example, CVE-2025-55182) using the global search or the Vulnerabilities view. See also: Research with Sonatype Guide.
- On the vulnerability detail page, Guide shows the list of affected components for that vulnerability. For example, the React2Shell vulnerability can be viewed at https://guide.sonatype.com/vulnerability/CVE-2025-55182.
Guide’s data is continuously updated from the same research sources that power our products, but it is a research tool and not a substitute for scanning your own applications and repositories.
How This Complements Product-Based Searches
For identifying where a vulnerability affects your environment, you should continue to use the existing product capabilities described in this article:
- Lifecycle: Use Advanced Search by vulnerabilityId: and the Advanced Search REST API to find affected applications and components in your stages. See also: Advanced Search.
- SBOM Manager: Use SBOM Advanced Search and the SBOM Manager API to find SBOMs and components containing a vulnerability. See also: SBOM search.
- Repository Firewall: Use the Firewall dashboard and APIs, as well as Malware Risk and Automatic Malware Management, to identify and manage vulnerable or malicious components in proxy repositories. See also: Firewall dashboard.
- Sonatype Container: Scan container images and OS packages to see where vulnerabilities appear in your images. See also: Sonatype vulnerability data.
In practice, you can use Sonatype Guide to understand the broader universe of components associated with a vulnerability, then use Lifecycle, SBOM Manager, Repository Firewall, or Container to determine which of those components actually appear in your own applications, SBOMs, repositories, or images.
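As an added illustration of that two-step workflow (this is not Sonatype code, and it does not reflect Guide's actual data or export format), the script below takes an affected-component list a researcher might assemble from a vulnerability page and checks it against a CycloneDX SBOM. The package names, version ranges and SBOM are constructed sample data; the products listed above do this matching for you against live data, so treat this only as a planning sketch.

```python
import json

# Constructed sample: package coordinates plus [introduced, fixed) version
# ranges, keyed by vulnerability ID. Hypothetical package names, not real
# Guide output.
AFFECTED = {
    "CVE-2025-55182": [
        {"purl": "pkg:npm/example-rsc-lib", "introduced": "19.0.0", "fixed": "19.0.1"},
        {"purl": "pkg:npm/example-rsc-lib", "introduced": "19.1.0", "fixed": "19.1.2"},
    ]
}

# Constructed CycloneDX 1.5 SBOM fragment, the kind of document SBOM Manager ingests.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-rsc-lib", "version": "19.1.1", "purl": "pkg:npm/example-rsc-lib@19.1.1"},
        {"name": "example-rsc-lib", "version": "19.1.2", "purl": "pkg:npm/example-rsc-lib@19.1.2"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

def version_key(v):
    """Numeric dotted version -> comparable tuple, e.g. '19.1.1' -> (19, 1, 1)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def split_purl(purl):
    """Return (coordinates, version) for 'pkg:type/name@version'; version is None if absent."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    base, sep, ver = purl.rpartition("@")
    if not sep or "/" in ver:  # no '@', or it was an npm scope marker rather than a version
        return purl, None
    return base, ver

def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range."""
    v = version_key(version)
    return any(version_key(r["introduced"]) <= v < version_key(r["fixed"]) for r in ranges)

def find_exposed(sbom_json, vuln_id, affected=AFFECTED):
    """Return the SBOM purls that fall inside an affected range for vuln_id."""
    ranges_by_pkg = {}
    for entry in affected.get(vuln_id, []):
        ranges_by_pkg.setdefault(entry["purl"], []).append(entry)
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        base, ver = split_purl(comp.get("purl", ""))
        if ver and base in ranges_by_pkg and is_affected(ver, ranges_by_pkg[base]):
            hits.append(comp["purl"])
    return hits

if __name__ == "__main__":
    print(find_exposed(SBOM_JSON, "CVE-2025-55182"))  # -> ['pkg:npm/example-rsc-lib@19.1.1']
```

Note that 19.1.2 is not reported because the fixed version is excluded from the range, which is the usual convention for advisory data.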