Issue Types
Detected issue types
| Type | Issue | Severity | Code |
|---|---|---|---|
| Vulnerability | All CVEs | Same as CVE severity | - |
| License | No license specified | | 100 |
| License | Not licensed for use | | 101 |
| License | License not OSI approved | | 102 |
| License | License is deprecated | | 103 |
| License | Atypical license | | 104 |
| License | Invalid SPDX license | | 105 |
| License | Custom license expression | | 106 |
| License | License policy violations | Policy severity | 150/151 |
| Meta | Deprecated package | | 200 |
| Meta | Uses install scripts | | 201 |
| Meta | Has no repository | | 202 |
| Meta | Has HTTP dependency | | 203 |
| Meta | Has GIT dependency | | 204 |
| Meta | Has file dependency | | 205 |
Sandworm issue ids
Sandworm assigns unique ids to license and meta type issues via the `sandwormIssueId` issue property. Sandworm doesn't assign ids to vulnerabilities, as they already have a unique GitHub Advisory id, exposed under `github_advisory_id`. All Sandworm-detected issues are also assigned a code (`sandwormIssueCode`) and an optional specifier (`sandwormIssueSpecifier`).

Sandworm currently assigns license issues 1xx codes and meta issues 2xx codes.
For most issues, the Sandworm id is a combination of issue code + package name + package version, i.e. `SWRM-<code>-<package name>-<package version>`.

Some issue types might trigger more than once for a single package version, so they also append a specifier to the id:

- `SWRM-201` (install scripts) is created once for each install script used (`preinstall` or `postinstall`) and generates ids like `SWRM-201-core-js-3.29.0-postinstall`.
- `SWRM-203`, `SWRM-204`, and `SWRM-205` are created once for each HTTP, git, or file dependency in a manifest, and generate ids like `SWRM-203-core-js-3.29.0-react`.