Technology Vulnerabilities

The Technology Vulnerabilities endpoint returns package-level CVE and GHSA findings across all BOMs in your tenant. This is the primary sync feed for customers integrating with vulnerability management tools such as ServiceNow VR or Avalar.

This endpoint covers technology vulnerabilities only. For model vulnerabilities (Arena attack categories), see Endpoint Reference: Arena Model Vulnerabilities.

List Technology Vulnerabilities

Returns a paginated list of technology vulnerabilities detected in the tenant's BOMs.

Request:

GET /api/public/vulnerabilities

Authorization:

Bearer token. See Authentication & Generating Credentials.

Query parameters:

Response record:

{
"uniqueId": "string",
"knownVulnerabilityId": "guid",
"billOfMaterialsId": "guid",
"billOfMaterialsName": "my-ml-service",
"aiSystemIds": ["guid"],
"packageName": "numpy",
"packageVersion": "1.21.0",
"issueId": "CVE-2024-1234",
"summary": "Buffer overflow in numpy array handling",
"source": "OSV",
"sourceUrl": "https://osv.dev/...",
"cvssSeverity": "Critical | High | Medium | Low | None",
"cvssScore": 9.8,
"fixedVersion": "1.24.0",
"discoveryDate": "2026-01-10T08:00:00Z",
"resolvedDate": "2026-04-01T00:00:00Z | null",
"resolvedStatus": "Resolved | Ignored | null",
"updatedAt": "2026-04-01T00:00:00Z"
}

Field Definitions

  • uniqueId: Stable composite identifier of the form {billOfMaterialsItemId}-{knownVulnerabilityId}. Use this as an opaque deduplication and correlation key in downstream systems. The same vulnerability detected across multiple scans returns the same uniqueId. This value matches the UniqueId column in CSV vulnerability exports, allowing direct correlation between API records and exported reports.
  • knownVulnerabilityId: Cranium's identifier for the underlying known vulnerability.
  • billOfMaterialsId: Identifier of the BOM in which the vulnerability was detected. Correlates with billOfMaterialsId on the Bills of Materials endpoint.
  • billOfMaterialsName: Display name of the BOM, included for convenience so that downstream systems do not need to join against the BOM endpoint to surface a human-readable name.
  • aiSystemIds: Array of AI System identifiers to which the parent BOM belongs. A BOM can be associated with multiple AI Systems. The array is empty when the BOM has not been assigned to any AI System.
  • packageName: Name of the affected package or library.
  • packageVersion: Version of the package detected in the BOM.
  • issueId: Public vulnerability identifier (for example, a CVE number).
  • summary: Description of the vulnerability and its impact.
  • source: Source of the vulnerability information (for example, OSV).
  • sourceUrl: URL to the original advisory in the source database.
  • cvssSeverity: CVSS severity classification. One of Critical, High, Medium, Low, None.
  • cvssScore: CVSS base score. Range 0.0 to 10.0. May be null when no score is available.
  • fixedVersion: Version in which the vulnerability is fixed, when known.
  • discoveryDate: Timestamp at which the vulnerability was first detected. ISO 8601 format.
  • resolvedDate: Timestamp at which the vulnerability was marked as resolved or ignored. Null when the vulnerability has not been acted on. ISO 8601 format.
  • resolvedStatus: Current resolution status. Resolved means the vulnerability was marked as fixed or accepted. Ignored means it was acknowledged but intentionally not remediated. Null when the vulnerability has not been acted on.
  • updatedAt: The later of the discovery date and the resolution date. ISO 8601 format. This is the field the sync cursor tracks. The value advances when a vulnerability is discovered or when its status changes (for example, marked resolved or ignored). Incremental sync surfaces both new vulnerabilities and status changes on existing ones.

Notes on Resolution

resolvedStatus reflects user-actioned resolution only. Vulnerabilities that disappear from subsequent scans because a package was updated or removed are not automatically marked as resolved. They remain in the feed with resolvedStatus: null until a user explicitly resolves them in Cranium. Tracking scan-based resolution is a planned product capability outside the scope of the current release.
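The sync behaviour described under updatedAt and in these notes, as an added example that is not Cranium's client code: it upserts already-fetched pages keyed on uniqueId, advances a cursor on updatedAt, and reports user-set status changes separately from new findings. The request itself and its query parameters are not shown because this page does not list them, and the sample records are constructed.

```python
# Added example, not Cranium client code: idempotent incremental sync of
# GET /api/public/vulnerabilities records. The HTTP call and its query
# parameters are not shown; apply_batch takes an already-fetched page.
from datetime import datetime

def parse_ts(value):
    """Feed timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def apply_batch(store, cursor, batch):
    """Upsert a page into store (keyed by uniqueId); return (cursor, changes).
    Replaying a page is harmless since uniqueId is stable across scans; the
    cursor is the largest updatedAt seen, which advances on discovery and on
    user-set status changes."""
    changes = []
    for rec in batch:
        uid, ts = rec["uniqueId"], parse_ts(rec["updatedAt"])
        prev = store.get(uid)
        if prev is None:
            kind = "new"
        elif prev["updatedAt"] == rec["updatedAt"]:
            kind = "unchanged"  # redelivered record, nothing to push downstream
        elif prev["resolvedStatus"] != rec["resolvedStatus"]:
            # Resolved/Ignored set by a user, or back to None. A None status does
            # not prove the package is still present (scan-based resolution is
            # not in the feed), so downstream systems should not auto-close.
            kind = "status:%s" % rec["resolvedStatus"]
        else:
            kind = "updated"
        store[uid] = rec
        if kind != "unchanged":
            changes.append((uid, kind))
        if cursor is None or ts > cursor:
            cursor = ts
    return cursor, changes

# Constructed sample (only the fields the logic reads): page 1 discovers two
# findings; page 2 redelivers the first and reports the second as Ignored.
PAGE1 = [{"uniqueId": "item-a-kv-1", "issueId": "CVE-2024-1234", "cvssSeverity": "Critical",
          "resolvedStatus": None, "updatedAt": "2026-01-10T08:00:00Z"},
         {"uniqueId": "item-b-kv-2", "issueId": "GHSA-xxxx-xxxx-xxxx", "cvssSeverity": "High",
          "resolvedStatus": None, "updatedAt": "2026-01-11T09:30:00Z"}]
PAGE2 = [PAGE1[0], {**PAGE1[1], "resolvedStatus": "Ignored", "updatedAt": "2026-04-01T00:00:00Z"}]

def run_sample():
    store, cursor = {}, None
    cursor, first = apply_batch(store, cursor, PAGE1)
    cursor, second = apply_batch(store, cursor, PAGE2)
    return cursor.isoformat(), first, second
```

Persist the returned cursor and pass it back on the next run; replaying the last page after a crash produces no duplicate change events.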
