Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

/rest/{version}/applications/{appId}/upload/multi

Descriptor

Value

HTTP Method

POST

Description

Uploads multiple files to the app with the given appId. If uploading the files as a single scan, the files must all be from the same scanner (such as all w3af scans).

Required Permission

Upload Scans

Version Introduced

2.3.0

Changes in 2.4.5

Starting with Version 2.4.5, this call adds the scans to the Scan Upload Queue, and returns an entirely different response.  The scans have not finished importing into an application at the time the call returns; if automation is using this call, make sure to use the legacy version or adjust the automation accordingly.

Changes in 2.5

The new Links section includes a link to the endpoint which can be hit to check the status of the scan after it’s been added to the queue.

Request Header Parameters

Parameter

Value

Required

Description

Accept

String

Yes

A value of ‘application/json’ must be provided.

Request POST Data Parameters

Parameter

Value

Required

Description

file

File

Yes

A scan to upload to the application in ThreadFix. This parameter can be used multiple times but must be used at least once.

bulkUpload

Boolean

No

Set to False if not provided.

True = Upload the files as separate scan files.

False = Upload the files as a single scan.

Sample Call:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST -F 'bulkUpload=false' -F file[]=@path/to/file/w3af-scan.xml -F file[]=@path/to/scanfile/w3af-scan2.xml http://localhost:8080/threadfix/rest/latest/applications/1/upload/multi

Sample Output (v2.4.5 through latest):

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": "Scan upload process started.",
    "links": [
        {
            "method": "GET",
            "rel": "related",
            "href": "http://localhost:8080/threadfix/rest/applications/1/pendingScan/3/status"
        }
    ]
}

Sample Output (legacy through v2.4.2.1):

Values for importTime are returned as Epoch time in milliseconds.

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 3,
        "importTime": 1309962639000,
        "numberClosedVulnerabilities": 0,
        "numberNewVulnerabilities": 13,
        "numberOldVulnerabilities": 0,
        "numberResurfacedVulnerabilities": 0,
        "numberTotalVulnerabilities": 13,
        "numberRepeatResults": 0,
        "numberRepeatFindings": 0,
        "numberInfoVulnerabilities": 2,
        "numberLowVulnerabilities": 0,
        "numberMediumVulnerabilities": 6,
        "numberHighVulnerabilities": 5,
        "numberCriticalVulnerabilities": 0,
        "findings": [
            {
                "id": 5,
                "longDescription": null,
                "attackString": null,
                "attackRequest": "",
                "attackResponse": "",
                "nativeId": "b0f20dd0cf08dbea8da5744fcbdd1ebf",
                "displayId": null,
                "surfaceLocation": {
                    "id": 5,
                    "parameter": "username",
                    "path": "/demo/SQLI2.php"
                },
                "sourceFileLocation": null,
                "dataFlowElements": null,
                "calculatedUrlPath": "/demo/SQLI2.php",
                "calculatedFilePath": "",
                "dependency": null,
                "vulnerabilityType": "SQL injection vulnerability",
                "severity": "High"
            },
 
…{items omitted for brevity}…
 
            {
                "id": 19,
                "longDescription": null,
                "attackString": null,
                "attackRequest": "",
                "attackResponse": "",
                "nativeId": "6b689bcc7e473e60f859d3ebfca19bf0",
                "displayId": null,
                "surfaceLocation": {
                    "id": 19,
                    "parameter": "cookie",
                    "path": "/demo/XSS-cookie.php"
                },
                "sourceFileLocation": null,
                "dataFlowElements": null,
                "calculatedUrlPath": "/demo/XSS-cookie.php",
                "calculatedFilePath": "",
                "dependency": null,
                "vulnerabilityType": "Permanent cross site scripting vulnerability",
                "severity": "High"
            }
        ],
        "scannerName": "w3af"
    }
}

Page Tree
rootScans 3.0 API