Search Resources by Vulnerability and Package

Search all resources (Artifacts, Builds, Release Bundles, etc.) that include a specific package or are impacted by a specific vulnerability (CVE or XRAY ID). Supports three search modes: by vulnerability, by package version, or by package name & type.

SBOM Requirement: This capability depends on the SBOM Service. Self-Hosted users must enable the SBOM feature and complete the SBOM migration. If SBOM is disabled, the API returns 403 – "SBOM is disabled".

Pagination: Use last_key from the response to fetch subsequent pages; an empty last_key indicates no further results.

Limit: Defaults to 1000; maximum 10000; 0 means 1000.

ID Formats: CVE format CVE-YYYY-NNNN; XRAY format XRAY-N.

Applicable Environment: JFrog SaaS, JFrog Self-Hosted

Consumes: N/A (GET with query parameters)

Produces: application/json

Query parameters:

Search Mode Requirements:

Mode 1 — By Vulnerability: vulnerability is required.

Mode 2 — By Package Version: name and type are required; version is optional (recommended for exact version search).

Mode 3 — By Package (all versions): name and type are required; omit version.
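The mode, ID-format, limit and pagination rules above, as an added client-side example (not JFrog code). The `fetch` callable, `max_pages`, and the use of `limit` and `last_key` as request parameter names are assumptions; the endpoint URL is not given here, so the HTTP GET itself is left to `fetch`.

```python
import re
from typing import Callable, Dict, Iterator, Optional

# ID formats from the page; real CVE sequence numbers can exceed four digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
XRAY_RE = re.compile(r"XRAY-\d+")
DEFAULT_LIMIT, MAX_LIMIT = 1000, 10000


def build_query(vulnerability: Optional[str] = None, name: Optional[str] = None,
                type: Optional[str] = None, version: Optional[str] = None,
                limit: int = 0) -> Dict[str, str]:
    """Validate the arguments against one search mode and return query parameters."""
    if not 0 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 0 and {MAX_LIMIT}")
    # 0 means the default of 1000; the parameter name "limit" is assumed.
    query = {"limit": str(limit or DEFAULT_LIMIT)}
    if vulnerability is not None:
        # Mode 1. Rejecting mixed modes is this example's choice, not a documented rule.
        if name or type or version:
            raise ValueError("use either vulnerability or name/type, not both")
        if not (CVE_RE.fullmatch(vulnerability) or XRAY_RE.fullmatch(vulnerability)):
            raise ValueError("vulnerability must look like CVE-YYYY-NNNN or XRAY-N")
        query["vulnerability"] = vulnerability
        return query
    if not (name and type):
        raise ValueError("package search requires both name and type")
    query.update(name=name, type=type)
    if version:  # Mode 2; omitting version gives Mode 3 (all versions)
        query["version"] = version
    return query


def iter_pages(fetch: Callable[[Dict[str, str]], dict],
               query: Dict[str, str], max_pages: int = 1000) -> Iterator[dict]:
    """Yield each response page, following last_key until it comes back empty."""
    seen = set()
    for _ in range(max_pages):
        page = fetch(query)
        yield page
        key = page.get("last_key")
        if not key:
            return
        if key in seen:  # a repeated cursor would loop forever
            raise RuntimeError("last_key repeated; stopping pagination")
        seen.add(key)
        query = {**query, "last_key": key}  # assumed request parameter name
    raise RuntimeError("max_pages reached before last_key was empty")
```

`fetch` receives the query dict and returns the decoded JSON response, so any HTTP client can be wrapped to supply it.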

Response body:

Response Codes:

Sample Requests & Responses:

Search by Vulnerability (CVE)

Sample Response (200 OK)

Search by Vulnerability (XRAY ID)

Search by Package Version

Sample Response (200 OK)

Search by Package (All Versions)

Pagination Example

Error Response Examples
