Issue Types
Type | Issue | Severity | Code |
|---|---|---|---|
Vulnerability | All CVEs | Same as CVE severity | - |
License | No license specified | critical | 100 |
License | Not licensed for use | critical | 101 |
License | License not OSI approved | low | 102 |
License | License is deprecated | low | 103 |
License | Atypical license | high | 104 |
License | Invalid SPDX license | high | 105 |
License | Custom license expression | high | 106 |
License | License policy violations | Policy severity | 150/151 |
Meta | Deprecated package | high | 200 |
Meta | Uses install scripts | high | 201 |
Meta | Has no repository | moderate | 202 |
Meta | Has HTTP dependency | critical | 203 |
Meta | Has GIT dependency | critical | 204 |
Meta | Has file dependency | moderate | 205 |
Sandworm assigns unique ids to
license and meta type issues, via the sandwormIssueId issue property. Sandworm doesn't assign ids to vulnerabilities, as they already have a unique GitHub Advisory id, under github_advisory_id. All Sandworm-detected issues are also assigned a code - sandwormIssueCode - and an optional specifier - sandwormIssueSpecifier.Sandworm currently assigns license issues
1XX codes and meta issues 2xx codes.For most issues, the Sandworm id is a combination of issue code + package name + package version:
SWRM-102-spdx-license-ids-3.0.12
Some issue types might trigger more than once for a single package version, so they also append a specifier to the id:
SWRM-201install scripts issue is created once for each install script used - preinstall or postinstall - and generates ids likeSWRM-201-core-js-3.29.0-postinstallSWRM-203,SWRM-204, andSWRM-205are created once for each http/GIT/file dependency in a manifest, and generate ids likeSWRM-203-core-js-3.29.0-react
Last modified 14d ago