fix: update ecosystems, snyk API clients

snyk · Jan 24, 2025 · 1a7c051 · 1a7c051
1 parent cdc9a13
commit 1a7c051
Show file tree

Hide file tree

Showing 25 changed files with 8,546 additions and 1,698 deletions.
diff --git a/Makefile b/Makefile
@@ -31,8 +31,8 @@ cover:
 specs:
 	@curl --silent https://packages.ecosyste.ms/docs/api/v1/openapi.yaml -o specs/packages.yaml
 	@curl --silent https://repos.ecosyste.ms/docs/api/v1/openapi.yaml -o specs/repos.yaml
-	@curl --silent https://api.snyk.io/rest/openapi/2023-04-28~experimental -o specs/snyk-experimental.json
-	@curl --silent https://api.snyk.io/rest/openapi/2023-04-28 -o specs/snyk.json
+	@curl --silent https://api.snyk.io/rest/openapi/2024-06-26~experimental -o specs/snyk-experimental.json
+	@curl --silent https://api.snyk.io/rest/openapi/2024-06-26 -o specs/snyk.json
 
 clients: specs
 	@oapi-codegen -generate types,client -package packages specs/packages.yaml > ecosystems/packages/packages.go

diff --git a/ecosystems/packages/packages.go b/ecosystems/packages/packages.go
diff --git a/ecosystems/repos/repos.go b/ecosystems/repos/repos.go
diff --git a/go.mod b/go.mod
@@ -6,9 +6,10 @@ require (
 	github.com/CycloneDX/cyclonedx-go v0.9.0
 	github.com/deepmap/oapi-codegen v1.12.4
 	github.com/edoardottt/depsdev v0.0.3
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.5.0
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/jarcoal/httpmock v1.3.0
+	github.com/oapi-codegen/runtime v1.1.1
 	github.com/package-url/packageurl-go v0.1.2
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/rs/zerolog v1.29.1
@@ -31,15 +32,15 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -74,6 +74,7 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -136,14 +137,15 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -181,10 +183,12 @@ github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04
 github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
+github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4=
 github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
-github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
-github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
+github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
+github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -226,7 +230,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
@@ -388,8 +391,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

diff --git a/internal/utils/spdx.go b/internal/utils/spdx.go
@@ -32,7 +32,7 @@ func GetPurlFromSPDXPackage(pkg *spdx_2_3.Package) (*packageurl.PackageURL, erro
 	return &purl, nil
 }
 
-func GetSPDXLicenseExpressionFromEcosystemsLicense(data *packages.Version) string {
+func GetSPDXLicenseExpressionFromEcosystemsLicense(data *packages.VersionWithDependencies) string {
 	if data == nil || data.Licenses == nil || *data.Licenses == "" {
 		return ""
 	}

diff --git a/internal/utils/spdx_test.go b/internal/utils/spdx_test.go
@@ -12,7 +12,7 @@ import (
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense(t *testing.T) {
 	assert := assert.New(t)
 	licenses := "GPLv2,MIT"
-	data := packages.Version{Licenses: &licenses}
+	data := packages.VersionWithDependencies{Licenses: &licenses}
 	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
 	assert.Equal("(GPLv2 OR MIT)", expression)
 }
@@ -25,15 +25,15 @@ func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoData(t *testing.T) {
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoLicenses(t *testing.T) {
 	assert := assert.New(t)
-	data := packages.Version{}
+	data := packages.VersionWithDependencies{}
 	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
 	assert.Equal("", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_EmptyLicenses(t *testing.T) {
 	assert := assert.New(t)
 	licenses := ""
-	data := packages.Version{Licenses: &licenses}
+	data := packages.VersionWithDependencies{Licenses: &licenses}
 	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
 	assert.Equal("", expression)
 }
diff --git a/lib/ecosystems/enrich_cyclonedx.go b/lib/ecosystems/enrich_cyclonedx.go
@@ -31,7 +31,7 @@ import (
 )
 
 type cdxPackageEnricher = func(*cdx.Component, *packages.Package)
-type cdxPackageVersionEnricher = func(*cdx.Component, *packages.Version)
+type cdxPackageVersionEnricher = func(*cdx.Component, *packages.VersionWithDependencies)
 
 var cdxPackageEnrichers = []cdxPackageEnricher{
 	enrichCDXDescription,
@@ -58,7 +58,7 @@ func enrichCDXDescription(comp *cdx.Component, data *packages.Package) {
 	}
 }
 
-func enrichCDXLicense(comp *cdx.Component, data *packages.Version) {
+func enrichCDXLicense(comp *cdx.Component, data *packages.VersionWithDependencies) {
 	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(data)
 	if expression != "" {
 		licenses := cdx.LicenseChoice{Expression: expression}

diff --git a/lib/ecosystems/enrich_cyclonedx_test.go b/lib/ecosystems/enrich_cyclonedx_test.go
@@ -191,7 +191,7 @@ func TestEnrichLicense(t *testing.T) {
 		Version: "v0.3.0",
 	}
 	lic := "BSD-3-Clause"
-	pack := &packages.Version{
+	pack := &packages.VersionWithDependencies{
 		Licenses: &lic,
 	}
 

diff --git a/lib/ecosystems/enrich_spdx.go b/lib/ecosystems/enrich_spdx.go
@@ -60,7 +60,7 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) {
 		}
 
 		pkgVersionData := packageVersionResp.JSON200
-		if pkgData == nil {
+		if pkgVersionData == nil {
 			continue
 		}
 
@@ -96,7 +96,7 @@ func enrichSPDXSupplier(pkg *v2_3.Package, data *packages.Package) {
 	}
 }
 
-func enrichSPDXLicense(pkg *v2_3.Package, data *packages.Version) {
+func enrichSPDXLicense(pkg *v2_3.Package, data *packages.VersionWithDependencies) {
 	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(data)
 	if expression != "" {
 		pkg.PackageLicenseConcluded = *data.Licenses

diff --git a/lib/ecosystems/repo.go b/lib/ecosystems/repo.go
@@ -29,7 +29,7 @@ func GetRepoData(url string) (*repos.RepositoriesLookupResponse, error) {
 	if err != nil {
 		return nil, err
 	}
-	params := repos.RepositoriesLookupParams{Url: url}
+	params := repos.RepositoriesLookupParams{Url: &url}
 	resp, err := client.RepositoriesLookupWithResponse(context.Background(), &params)
 	if err != nil {
 		return nil, err

diff --git a/lib/snyk/enrich_cyclonedx.go b/lib/snyk/enrich_cyclonedx.go
@@ -85,7 +85,7 @@ func enrichCycloneDX(cfg *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM
 	logger.Debug().Str("org_id", orgID.String()).Msg("Inferred Snyk organization ID")
 
 	var mutex = &sync.Mutex{}
-	vulnerabilities := make(map[cdx.Component][]issues.CommonIssueModelVTwo)
+	vulnerabilities := make(map[cdx.Component][]issues.CommonIssueModelVThree)
 	wg := sizedwaitgroup.New(20)
 
 	comps := utils.DiscoverCDXComponents(bom)

diff --git a/lib/snyk/enrich_spdx.go b/lib/snyk/enrich_spdx.go
@@ -92,7 +92,7 @@ func enrichSPDX(cfg *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.D
 
 	mutex := &sync.Mutex{}
 	wg := sizedwaitgroup.New(20)
-	vulnerabilities := make(map[*spdx_2_3.Package][]issues.CommonIssueModelVTwo)
+	vulnerabilities := make(map[*spdx_2_3.Package][]issues.CommonIssueModelVThree)
 
 	packages := bom.Packages
 	logger.Debug().Msgf("Detected %d packages", len(packages))

diff --git a/lib/snyk/package.go b/lib/snyk/package.go
@@ -88,7 +88,7 @@ func SnykVulnURL(cfg *Config, purl *packageurl.PackageURL) string {
 
 func GetPackageVulnerabilities(cfg *Config, purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID, logger *zerolog.Logger) (*issues.FetchIssuesPerPurlResponse, error) {
 	client, err := issues.NewClientWithResponses(
-		cfg.SnykAPIURL,
+		cfg.SnykAPIURL+"/rest",
 		issues.WithRequestEditorFn(auth.Intercept),
 		issues.WithHTTPClient(getRetryClient(logger)))
 	if err != nil {

diff --git a/lib/snyk/self.go b/lib/snyk/self.go
@@ -18,7 +18,6 @@ package snyk
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -31,14 +30,10 @@ import (
 
 const experimentalVersion = "2023-04-28~experimental"
 
-type selfDocument struct {
-	Data struct {
-		Attributes users.User `json:"attributes,omitempty"`
-	}
-}
-
 func SnykOrgID(cfg *Config, auth *securityprovider.SecurityProviderApiKey) (*uuid.UUID, error) {
-	experimental, err := users.NewClientWithResponses(cfg.SnykAPIURL, users.WithRequestEditorFn(auth.Intercept))
+	experimental, err := users.NewClientWithResponses(
+		cfg.SnykAPIURL+"/rest",
+		users.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}
@@ -53,12 +48,12 @@ func SnykOrgID(cfg *Config, auth *securityprovider.SecurityProviderApiKey) (*uui
 		return nil, fmt.Errorf("Failed to get user info (%s).", self.HTTPResponse.Status)
 	}
 
-	var userInfo selfDocument
-	if err = json.Unmarshal(self.Body, &userInfo); err != nil {
+	user, err := self.ApplicationvndApiJSON200.Data.Attributes.AsUser20240422()
+	if err != nil {
 		return nil, err
 	}
 
-	if org := userInfo.Data.Attributes.DefaultOrgContext; org != nil {
+	if org := user.DefaultOrgContext; org != nil {
 		return org, nil
 	}
 

diff --git a/lib/snyk/testdata/no_issues.json b/lib/snyk/testdata/no_issues.json
@@ -4,7 +4,7 @@
   },
   "data": [],
   "links": {
-    "self": "/orgs/00000000-0000-0000-0000-000000000000/packages/pkg%3A/issues?version=2023-06-01&limit=1000&offset=0"
+    "self": "/orgs/00000000-0000-0000-0000-000000000000/packages/pkg%3A/issues?version=2024-06-26&limit=1000&offset=0"
   },
   "meta": {
     "package": {}

diff --git a/lib/snyk/testdata/numpy_issues.json b/lib/snyk/testdata/numpy_issues.json
@@ -7,11 +7,10 @@
       "id": "SNYK-PYTHON-NUMPY-73513",
       "type": "issue",
       "attributes": {
-        "key": "SNYK-PYTHON-NUMPY-73513",
         "title": "Arbitrary Code Execution",
         "type": "package_vulnerability",
         "created_at": "2019-01-16T14:11:37.000761Z",
-        "updated_at": "2022-09-01T16:21:50.298458Z",
+        "updated_at": "2024-03-11T09:53:52.032659Z",
         "description": "## Overview\n[numpy](https://github.com/numpy/numpy) is a fundamental package needed for scientific computing with Python.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a `numpy.load` call.\r\n\r\nPoC by nanshihui:\r\n```py\r\nimport numpy\r\nfrom numpy import __version__\r\nprint __version__\r\nimport os\r\nimport  pickle\r\nclass Test(object):\r\n    def __init__(self):\r\n        self.a = 1\r\n\r\n    def __reduce__(self):\r\n        return (os.system,('ls',))\r\ntmpdaa = Test()\r\nwith open(\"a-file.pickle\",'wb') as f:\r\n    pickle.dump(tmpdaa,f)\r\nnumpy.load('a-file.pickle')\r\n```\n## Remediation\nUpgrade `numpy` to version 1.16.3 or higher.\n## References\n- [GitHub Commit](https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb)\n- [GitHub Issue](https://github.com/numpy/numpy/issues/12759)\n- [GitHub PR](https://github.com/numpy/numpy/pull/13359)\n- [PoC](https://github.com/RayScri/CVE-2019-6446)\n",
         "problems": [
           {
@@ -34,42 +33,76 @@
                 }
               }
             ],
-            "representation": [
-              "[0,1.16.3)"
+            "representations": [
+              {
+                "resource_path": "[0,1.16.3)"
+              },
+              {
+                "package": {
+                  "name": "numpy",
+                  "version": "1.16.0",
+                  "type": "pypi",
+                  "url": "pkg:pypi/[email protected]"
+                }
+              }
             ]
           }
         ],
         "severities": [
           {
+            "type": "primary",
             "source": "Snyk",
             "level": "critical",
             "score": 9.8,
+            "version": "3.1",
             "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"
           },
           {
+            "type": "secondary",
             "source": "NVD",
             "level": "critical",
             "score": 9.8,
+            "version": "3.0",
             "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
           },
           {
-            "source": "Red Hat",
-            "level": "high",
-            "score": 8.8,
-            "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
-          },
-          {
+            "type": "secondary",
             "source": "SUSE",
             "level": "high",
             "score": 7.8,
+            "version": "3.0",
             "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+          },
+          {
+            "type": "secondary",
+            "source": "Red Hat",
+            "level": "high",
+            "score": 8.8,
+            "version": "3.0",
+            "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
           }
         ],
         "effective_severity_level": "critical",
         "slots": {
           "disclosure_time": "2019-01-16T12:26:38Z",
-          "exploit": "Proof of Concept",
           "publication_time": "2019-01-16T13:50:50Z",
+          "exploit_details": {
+            "sources": [
+              "Snyk"
+            ],
+            "maturity_levels": [
+              {
+                "type": "primary",
+                "level": "Proof of Concept",
+                "format": "CVSSv4"
+              },
+              {
+                "type": "secondary",
+                "level": "Proof of Concept",
+                "format": "CVSSv3"
+              }
+            ]
+          },
           "references": [
             {
               "url": "https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb",
@@ -93,7 +126,7 @@
     }
   ],
   "links": {
-    "self": "/orgs/00000000-0000-0000-0000-000000000000/packages/pkg%3Apypi%2Fnumpy%401.16.0/issues?version=2023-06-01&limit=1000&offset=0"
+    "self": "/orgs/00000000-0000-0000-0000-000000000000/packages/pkg%3Apypi%2Fnumpy%401.16.0/issues?version=2024-06-26&limit=1000&offset=0"
   },
   "meta": {
     "package": {