Issue Types

Detected issue types

Type

Issue

Severity

Code

Vulnerability

All CVEs

Same as CVE severity

License

No license specified

critical

100

License

Not licensed for use

critical

101

License

License not OSI approved

low

102

License

License is deprecated

low

103

License

Atypical license

high

104

License

Invalid SPDX license

high

105

License

Custom license expression

high

106

License

License policy violations

Policy severity

150/151

Meta

Deprecated package

high

200

Meta

Uses install scripts

high

201

Meta

Has no repository

moderate

202

Meta

Has HTTP dependency

critical

203

Meta

Has GIT dependency

critical

204

Meta

Has file dependency

moderate

205

Sandworm issue ids

Sandworm assigns unique ids to license and meta type issues, via the sandwormIssueId issue property. Sandworm doesn't assign ids to vulnerabilities, as they already have a unique GitHub Advisory id, under github_advisory_id. All Sandworm-detected issues are also assigned a code - sandwormIssueCode - and an optional specifier - sandwormIssueSpecifier.

Sandworm currently assigns license issues 1XX codes and meta issues 2xx codes.

For most issues, the Sandworm id is a combination of issue code + package name + package version:

SWRM-102-spdx-license-ids-3.0.12

Some issue types might trigger more than once for a single package version, so they also append a specifier to the id:

SWRM-201 install scripts issue is created once for each install script used - preinstall or postinstall - and generates ids like SWRM-201-core-js-3.29.0-postinstall
SWRM-203, SWRM-204, and SWRM-205 are created once for each http/GIT/file dependency in a manifest, and generate ids like SWRM-203-core-js-3.29.0-react

PreviousConfiguration NextResolved Issues

Last updated 1 year ago