Response Field Reference
Complete reference for every field returned by GET /v1/check. All risk decisions are deterministic — the same product and version always returns the same result given the same underlying data.
```json
{
  "product": "log4j",
  "version": "2.14.1",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.17.1",
  "confidence": 0.94,
  "cve_ids": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

supported (boolean)
Whether attestd has coverage data for this product. If false, the response contains only this field and no other risk data.
supported: false is not a safety signal. It means attestd has no data for this product — not that the product is free of vulnerabilities. See outside coverage below for handling guidance.

risk_state ("critical" | "high" | "elevated" | "low" | "none")
Deterministic risk classification for the queried version. Values in severity order from highest to lowest:

| Value | Condition |
|---|---|
| critical | actively_exploited = true for any CVE in matching ranges |
| high | remote_exploitable = true AND authentication_required = false |
| elevated | remote_exploitable = true AND authentication_required = true |
| low | local-only or low-impact vulnerability |
| none | no known CVEs affect the queried version |

When multiple CVE version ranges match the queried version, the highest severity across all matching ranges is returned. See multi-range aggregation.

risk_factors (string[])
The reasons behind the risk_state classification. An empty array means no relevant risk factors were identified (typical for none).

| Factor | Condition |
|---|---|
| active_exploitation | actively_exploited = true |
| remote_code_execution | remote_exploitable = true |
| no_authentication_required | (actively_exploited OR remote_exploitable) AND authentication_required = false |
| internet_exposed_service | remote_exploitable = true AND authentication_required = false |
| patch_available | patch_available = true |

actively_exploited (boolean)
Whether any CVE affecting this version is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. KEV membership means exploitation has been observed in the wild.
When multiple version ranges match: true if any matching range has an actively-exploited CVE.

remote_exploitable (boolean)
Whether the vulnerability can be exploited over a network without requiring local access to the target host.
When multiple version ranges match: true if any matching range has a remotely-exploitable CVE.

authentication_required (boolean)
Whether exploitation requires valid credentials on the target system. false means at least one CVE has an unauthenticated attack path.
true only if ALL matching ranges require authentication. A single unauthenticated CVE sets this to false for the whole response. This reflects the real-world threat model: one unauthenticated exploit path is sufficient for an attacker.

patch_available (boolean)
Whether a fixed version is available for this product. true means upgrading to fixed_version resolves all known risks in the queried version.

fixed_version (string | null)
The earliest version that resolves all CVEs affecting the queried version. null if no patch is available or the product has no known affected CVEs (risk_state: "none").

confidence (number, 0.0–1.0)
Signal confidence score reflecting the quality and corroboration of the underlying data.

| Value | Meaning |
|---|---|
| ≥ 0.7 | LLM-extracted facts, high corroboration |
| 0.5 | DB-derived fallback (LLM unavailable or returned invalid output) |

When multiple version ranges match: the minimum confidence across all matching rows is returned. A low-confidence result on any range lowers the overall confidence score.

cve_ids (string[])
The CVE identifiers that contributed to this risk assessment. Empty for risk_state: "none".
When multiple version ranges match, this is the union of all CVE IDs across all matching rows.

last_updated (ISO 8601 datetime string)
The UTC timestamp of the most recent synthesis run that produced this result. Pairs with the X-Attestd-Knowledge-Age response header.
When multiple version ranges match: the most recent timestamp across all matching rows.
X-Attestd-Knowledge-Age
Every response includes this header. It represents the elapsed time since the risk data was last synthesized, in human-readable form.
| Example value | Meaning |
|---|---|
| 15m | Data refreshed 15 minutes ago — very fresh |
| 4h30m | Data refreshed 4.5 hours ago — within normal 6-hour sync cycle |
| 1d2h | Data older than 24 hours — check /health if unexpected |

The NVD feed and CISA KEV catalog are ingested every 6 hours. Responses may be up to cache_ttl_seconds (default 1 hour) stale due to in-memory caching. For time-sensitive decisions, use last_updated to assess data freshness directly.
Multi-range aggregation
A single product version may be covered by multiple CVE version ranges — for example, log4j 2.14.1 is affected by both CVE-2021-44228 (Log4Shell) and CVE-2021-45046. When this happens, attestd merges the results using worst-case semantics:
| Field | Aggregation rule |
|---|---|
| risk_state | Highest severity across all matching ranges |
| actively_exploited | true if any matching range has actively_exploited = true |
| remote_exploitable | true if any matching range has remote_exploitable = true |
| authentication_required | true only if ALL matching ranges have authentication_required = true |
| patch_available | true if any matching range has patch_available = true |
| confidence | Minimum confidence across all matching ranges |
| last_updated | Most recent timestamp across all matching ranges |
| cve_ids | Union of all CVE IDs across all matching ranges |

Outside coverage
If the requested product is not in attestd's supported set, the response is:
```json
{
  "supported": false
}
```

In the Python SDK, an unsupported product raises attestd.AttestdUnsupportedProductError. See the SDK reference for handling guidance.
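
A client-side gate that applies the X-Attestd-Knowledge-Age and outside-coverage guidance to a raw response, as an added example that is not part of the attestd SDK. The header grammar is inferred from the three example values (d, h, m units only), and the `gate` function, its 24-hour limit and its blocked states are assumptions.

```python
import re
from datetime import timedelta

# Assumed grammar: optional days, hours, minutes in that order ("1d2h", "4h30m").
_AGE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?")

def parse_knowledge_age(value):
    """Return a timedelta for values like '15m' or '1d2h', or None if unrecognised."""
    match = _AGE.fullmatch(value.strip())
    if not match or not any(match.groups()):
        return None
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def gate(body, knowledge_age, max_age=timedelta(hours=24),
         blocked=("critical", "high")):
    """Classify one /v1/check response as 'unknown', 'block', 'stale' or 'allow'."""
    # supported: false carries no risk data, so it must never map to 'allow'.
    if not body.get("supported", False):
        return "unknown"
    # A blocked state stands even on old data: staleness can hide new risk,
    # it cannot retract risk that was already recorded.
    if body["risk_state"] in blocked:
        return "block"
    age = parse_knowledge_age(knowledge_age or "")
    if age is None or age > max_age:
        return "stale"  # missing, unparseable, or too old to trust a clean result
    return "allow"

if __name__ == "__main__":
    # Constructed responses, not captured from the API.
    print(gate({"supported": False}, "15m"))
    print(gate({"supported": True, "risk_state": "none"}, "1d2h"))
```

Callers should route "unknown" and "stale" to a separate review path instead of folding them into "allow".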