Revision comment: Updated channelTypes parameter info to correct the query casing, since the DB uses lowercase table names.

/rest/{version}/vulnerabilities

HTTP Method: POST

Description: Returns a filtered list of vulnerabilities.

Required Permission: Read Access (Any Role)

Version Introduced: 2.3.0

Changes in 2.4.0

Adds new fields to Dependency Check vulnerabilities.

Changes in 2.5.1

Adds "displayName" field to "genericSeverity" in response. This field is present when using any previous REST version as well.

Adds "findingRecommendation" and "findingDescription" fields in response. These are only present when using version 2.5.1 or later.

Changes in 2.5.2

Adds "vulnerabilityComments.comment" and "vulnerabilityComments.tags" fields in response. These fields are present when using any previous REST version as well.

Adds "vulnerabilityComments.user" field in response. This field is only present when using version 2.5.2 or later.

Adds ability to get vulnerability information by entering a serialized list of vulnerability IDs.

Changes in 2.7

Adds ability to get vulnerability information by entering a serialized list of CVE IDs.

Adds 8 new parameters to help query by vulnerability status: showNotFalsePositive, showNotHidden, showExploitable, showNotExploitable, showContested, showNotContested, showVerified, and showNotVerified. These parameters only work if using the 2.7 REST version or later.

Starting with REST version 2.7 the status query logic is altered: ThreadFix only filters vulnerabilities based on the parameters the user provides. To see open vulnerabilities without False Positive and Hidden vulnerabilities returned, the user will need to specify "showOpen=true", "showNotFalsePositive=true", and "showNotHidden=true".

Changes in 2.7.1

Added support for CSVv1, CSVv2 and SSVL exports.

Also added 7 new parameters to allow users to filter report data in the same way they would in the ThreadFix UI for CSV and SSVL exports.

Changes in 2.8

Updated CSV export parameter arguments. CSVv1 support has been deprecated.

Also added 3 new parameters to allow for filtering on static, dynamic and dependency findings.

Changes in 2.8.2

Added remoteProviderEntityID and remoteProviderEntityName fields in response. These fields are present when using any previous REST version as well.

Changes in 2.8.3

Added urlReference field in response. This field was already displayed on the UI vulnerability details page.

Changes in 2.8.4

Added remoteProviderAppNativeName field in response. This field corresponds with the "Origin Remote Provider Application" in the Finding Details page.

Request Header Parameters

Accept (String, required)
  A value of 'application/json' must be provided.

Request POST Data Parameters

Each entry gives the parameter name, its value type, and whether it is required; all POST data parameters are optional.

genericVulnerabilities (List, optional)
  Serialized list of generic vulnerability (CWE) IDs.
  Example: genericVulnerabilities[0].id=201

teams (List, optional)
  Serialized list of team IDs.
  Example: teams[0].id=1

applications (List, optional)
  Serialized list of application IDs.
  Example: applications[0].id=2

channelTypes (List, optional)
  Serialized list of scanner IDs.
  Example: channelTypes[0].id=<channelTypeId> (e.g., channelTypes[0].id=49)
  Note: To find a scanner's channelTypeId, run the following query against the ThreadFix database (table names are lowercase):
  SELECT id, name FROM channeltype WHERE name='<scanner name>';
  (e.g., SELECT id, name FROM channeltype WHERE name='Fortify SSC';)

genericSeverities (List, optional)
  Serialized list of generic severity values.
  Severity values:
  • UNASSIGNED = 0
  • INFO = 1
  • LOW = 2
  • MEDIUM = 3
  • HIGH = 4
  • CRITICAL = 5
  Example: genericSeverities[0].intValue=4&genericSeverities[1].intValue=5
  Retrieves Critical and High vulnerabilities. The indices 0 and 1 give each value's position within the array, since more than one severity is being requested; when requesting a single severity the index is 0.

numberVulnerabilities (Integer, optional)
  Number of vulnerabilities to return. By default this method returns at most 10 vulnerabilities.

page (Integer, optional)
  Returns a different page of vulnerabilities, with each page containing {numberVulnerabilities} vulnerabilities.

parameter (String, optional)
  Filter to only return vulnerabilities containing this string in their parameter.

path (String, optional)
  Filter to only return vulnerabilities containing this string in their path.

startDate (Date, optional)
  Lower bound on scan dates. Format: yyyy-MM-dd or Epoch time (in milliseconds).

endDate (Date, optional)
  Upper bound on scan dates. Format: yyyy-MM-dd or Epoch time (in milliseconds).

showOpen (Boolean, optional)
  Flag to show only open vulnerabilities.

showClosed (Boolean, optional)
  Flag to show only closed vulnerabilities.

showFalsePositive (Boolean, optional)
  Flag to show only false positive vulnerabilities.

showNotFalsePositive (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are not false positive.

showHidden (Boolean, optional)
  Flag to show hidden vulnerabilities.

showNotHidden (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are not hidden.

showExploitable (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are exploitable.

showNotExploitable (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are not exploitable.

showContested (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are contested.

showNotContested (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are not contested.

showVerified (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are verified.

showNotVerified (Boolean, optional)
  Only available using REST version 2.7 or later.
  Flag to show only vulnerabilities that are not verified.

numberMerged (Integer, optional)
  Number of vulnerabilities merged from different scans.

showDefectPresent (Boolean, optional)
  Flag to show vulnerabilities with defects.

showDefectNotPresent (Boolean, optional)
  Flag to show vulnerabilities without defects.

showDefectOpen (Boolean, optional)
  Flag to show vulnerabilities with open defects.

showDefectClosed (Boolean, optional)
  Flag to show vulnerabilities with closed defects.

showInconsistentClosedDefectNeedsScan (Boolean, optional)
  Flag to show vulnerabilities that have closed defects but have not yet been closed by a scan.

showInconsistentClosedDefectOpenInScan (Boolean, optional)
  Flag to show vulnerabilities that have closed defects but were found open in a scan since the defect was closed.

showInconsistentOpenDefect (Boolean, optional)
  Flag to show vulnerabilities that have open defects but have been closed by scans.

includeCustomText (Boolean, optional)
  Set to true to include Custom CWE Text in the response for each vulnerability.

showCommentPresent (Boolean, optional)
  Flag to show vulnerabilities with comments.

commentTags (List, optional)
  Serialized list of comment tags. Example: commentTags[0].id=1

daysOldModifier (String, optional)
  Must be either "less" or "more". Used in conjunction with the daysOld parameter.

daysOld (Integer, optional)
  Age of the vulnerability in days. Valid values are "10", "30", etc.

daysOldCommentsModifier (String, optional)
  Must be either "less" or "more". Used in conjunction with the daysOldComments parameter.

daysOldComments (Integer, optional)
  Age of the comment in days. Valid values are "10", "30", etc.

hoursOldCommentsModifier (String, optional)
  Must be either "less" or "more". Used in conjunction with the hoursOldComments parameter.

hoursOldComments (Integer, optional)
  Number of hours since the comment was added to the vulnerability. Valid values are "1", "10", etc.

commentedByUser (Integer, optional)
  Filter vulnerabilities by the ID of the user who added comments to them.

vulnerabilities (List, optional)
  Serialized list of vulnerability IDs. Example: vulnerabilities[0].id=1

cvesList (List, optional)
  Serialized list of CVE IDs. Example: cvesList[0].CVE=CVE-2016-6316

exportType (String, optional)
  Type of export being performed. Valid values are "csv" and "ssvl". Not case sensitive.

tags (List, optional)
  Filters to show vulnerabilities from applications that are tagged with these application tags. To pass in multiple tags, pass the parameter multiple times and increment the array index, as with the teams and applications parameters. Example: tags[0].id=3&tags[1].id=1

vulnTags (List, optional)
  Filters to show vulnerabilities tagged with these vulnerability tags. Multiple tags are passed in the same way. Example: vulnTags[0].id=5

defectId (String, optional)
  Filters to show vulnerabilities with this defect attached. Example: defectId=THREAD-17420

nativeId (String, optional)
  Filters to show vulnerabilities with findings that have this native ID. Example: nativeId=a0f486f7f658d7c6ecf364c7354a06be

assignToUser (String, optional)
  Filters to show vulnerabilities that have a finding with this value in their assignToUser column (from Checkmarx, for example). This is a substring match, not an exact match: all findings whose assignToUser column contains this string are returned. Example: assignToUser=admin

showSharedVulnFound (Boolean, optional)
  Filters to show only vulnerabilities that have been identified as Shared Vulnerabilities. Example: showSharedVulnFound=true

showSharedVulnNotFound (Boolean, optional)
  Filters to show only vulnerabilities that have not been identified as Shared Vulnerabilities. Example: showSharedVulnNotFound=true

showDynamic (Boolean, optional)
  Filters to show only vulnerabilities with dynamic findings. Example: showDynamic=true

showStatic (Boolean, optional)
  Filters to show only vulnerabilities with static findings. Example: showStatic=true

showDependency (Boolean, optional)
  Filters to show only vulnerabilities with dependency findings. Example: showDependency=true

showMobile (Boolean, optional)
  Filters to show only vulnerabilities with mobile findings. Example: showMobile=true

remoteProviderAppNativeName (String, optional)
  Displays the Remote Provider Application name within the Finding Details page. Introduced in ThreadFix version 2.8.4.

Sample Calls:

  • Requesting all vulnerabilities that are Open but not False Positive or Hidden (the default filter settings in the UI), with up to 200 returned:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'showOpen=true&showNotFalsePositive=true&showNotHidden=true&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting all critical, high, and medium vulnerabilities with up to 200 returned:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'genericSeverities[0].intValue=3&genericSeverities[1].intValue=4&genericSeverities[2].intValue=5&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting up to 100 vulnerabilities for Application ID 2, with Custom CWE Text returned as well:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'applications[0].id=2&includeCustomText=true&numberVulnerabilities=100' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting up to 500 vulnerabilities for all the applications inside Team ID 2, with Custom CWE Text returned as well:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'teams[0].id=2&includeCustomText=true&numberVulnerabilities=500' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting vulnerabilities which have had comments added less than 10 days ago:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'daysOldCommentsModifier=less&daysOldComments=10' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting vulnerabilities which have had comments added more than 5 hours ago:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'hoursOldCommentsModifier=more&hoursOldComments=5' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting vulnerabilities by ID:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'vulnerabilities[0].id=1' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting vulnerabilities by the user who added comments to them:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'commentedByUser=12' http://localhost:8080/threadfix/rest/latest/vulnerabilities

  • Requesting vulnerabilities by CVE, with up to 200 vulnerabilities returned:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'cvesList[0].CVE=CVE-2013-6416&cvesList[1].CVE=CVE-2016-6316&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities

Sample Output:

Values for originalOpenTime and openTime are returned as Epoch time in milliseconds.

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": [
        {
            "id": 114,
            "defect": null,
            "genericVulnerability": {
                "id": 79,
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                "displayId": 79
            },
            "genericSeverity": {
                "id": 4,
                "name": "Critical",
                "displayName": "Critical",
                "intValue": 5
            },
            "calculatedFilePath": "",
            "active": true,
            "isFalsePositive": false,
            "hidden": false,
            "originalOpenTime": 1307976287000,
            "openTime": 1307976287000,
            "closeTime": null,
            "findings": [
                {
                    "id": 114,
                    "active": true,
                    "longDescription": null,
                    "attackString": "parameter: cookie command=1234 -> command=1234*/--></script><script>alert(26682)</script>",
                    "attackRequest": "POST /demo/EvalInjection2.php H…  //TRIMMED FOR BREVITY,
                    "attackResponse": null,
                    "nativeId": "eb6aa5598d20a3468754f36b9d2755d6",
                    "displayId": null,
                    "surfaceLocation": {
                        "id": 114,
                        "parameter": "command",
                        "path": "/demo/EvalInjection2.php"
                    },
                    "sourceFileLocation": null,
                    "dataFlowElements": [],
                    "calculatedUrlPath": "/demo/EvalInjection2.php",
                    "calculatedFilePath": "",
                    "dependency": null,
                    "findingDescription": {
                        "id": 1,
                        "description": "The test successfully... //TRIMMED FOR BREVITY,
                    },
                    "findingRecommendation": {
                        "id": 1,
                        "recommendation": "<fixRecommendations>\n... //TRIMMED FOR BREVITY,
                    },
                    "vulnerabilityType": "Cross-Site Scripting",
                    "severity": "High",
                    "scannerName": "Security AppScan Standard"
                }
            ],
            "documents": [],
            "grcControl": null,
            "tags": [],
            "path": null,
            "parameter": "new parameters",
            "vulnerabilityComments": [],
            "staticFindings": [],
            "vulnId": "548",
            "genericSeverity": {
                "id": 5,
                "name": "Critical",
                "intValue": 5,
                "displayName": "Critical"
            },
            "app": {
                …
                "policyStatuses": null,
                "description": null,
                "releaseFrequency": "UNKNOWN",
                "testEnvironment": null,
                "grcApplication": null,
                "isInternal": false
            },
            "parameter": "command",
            "dynamicFindings": [
                {
                    "id": 114,
                    "active": true,
                    "longDescription": null,
                    "attackString": "parameter: cookie command=1234 -> command=1234*/--></script><script>alert(26682)</script>",
                    "attackRequest": "POST /demo/EvalInjection2…  //TRIMMED FOR BREVITY,
                    "attackResponse": null,
                    "nativeId": "eb6aa5598d20a3468754f36b9d2755d6",
                    "displayId": null,
                    "surfaceLocation": {
                        "id": 114,
                        "parameter": "command",
                        "path": "/demo/EvalInjection2.php"
                    },
                    "sourceFileLocation": null,
                    "dataFlowElements": [],
                    "calculatedUrlPath": "/demo/EvalInjection2.php",
                    "calculatedFilePath": "",
                    "dependency": null,
                    "findingDescription": {
                        "id": 1,
                        "description": "The test successfully... //TRIMMED FOR BREVITY,
                    },
                    "findingRecommendation": {
                        "id": 1,
                        "recommendation": "<fixRecommendations>\n... //TRIMMED FOR BREVITY,
                    "vulnerabilityType": "Cross-Site Scripting",
                    "severity": "High",
                    "scannerName": "Security AppScan Standard"
                }
            ],
            "dependency": null,
            "channelNames": [
                "Security AppScan Standard"
            ],
            "app": {
                "id": 1,
                "name": "App",
                "url": null,
                "applicationCriticality": {
                    "id": 2,
                    "name": "Medium"
                },
                "grcApplication": null
            },
            "team": {
                "id": 1,
                "name": "Team"
            },
            "documents": [],
            "grcControl": null,
            "tags": [],
            "path": "/",
            "parameter": null,
            "vulnerabilityComments": [],
            "staticFindings": [],
            "dependency": null,
            "vulnId": "293",
            "genericSeverity": {
                "id": 2,
                "name": "Low",
                "intValue": 2,
                "displayName": "Low"
            }
        }
    ]
}
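The pieces above (the serialized-list parameter encoding, the REST 2.7 rule that only the status flags actually sent are applied, numberVulnerabilities/page paging, and the Epoch-millisecond openTime in the output) combined into a small Python client. This is an added example, not ThreadFix's own code; it assumes the localhost URL from the sample calls, that page is 1-based, that a short page is the last one, and it feeds itself a constructed response shaped like the sample output so it runs offline.

```python
"""Client helpers for ThreadFix POST /rest/{version}/vulnerabilities (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

BASE_URL = "http://localhost:8080/threadfix"  # host used in the page's sample calls


def serialize_filter(filters):
    """Encode a filter dict as the serialized-list form body the endpoint expects.

    {"genericSeverities": [{"intValue": 4}, {"intValue": 5}]} becomes
    genericSeverities[0].intValue=4&genericSeverities[1].intValue=5. Booleans are
    sent as true/false and None is omitted; from REST 2.7 on only the flags
    actually sent are applied, so omitting a flag is not the same as false.
    """
    pairs = []
    for name, value in filters.items():
        if value is None:
            continue
        if isinstance(value, list):
            for index, item in enumerate(value):
                for field, field_value in item.items():
                    pairs.append((f"{name}[{index}].{field}", str(field_value)))
        elif isinstance(value, bool):
            pairs.append((name, "true" if value else "false"))
        else:
            pairs.append((name, str(value)))
    return urllib.parse.urlencode(pairs, safe="[]")  # keep brackets literal


def ui_default_status_filter():
    """The UI's default view, spelled out as the 'Changes in 2.7' note requires."""
    return {"showOpen": True, "showNotFalsePositive": True, "showNotHidden": True}


def post_vulnerabilities(api_key, body, version="latest", transport=None):
    """POST with the documented headers; transport(url, headers, body) -> str can be
    injected for offline use. The real path verifies TLS, unlike curl --insecure."""
    url = f"{BASE_URL}/rest/{version}/vulnerabilities"
    headers = {"Accept": "application/json", "Authorization": f"APIKEY {api_key}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if transport is not None:
        return json.loads(transport(url, headers, body))
    request = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def fetch_all(api_key, filters, page_size=200, transport=None):
    """Page through every match. Assumed (not stated on the page): `page` is
    1-based and a page shorter than page_size is the last one."""
    vulns, page = [], 1
    while True:
        body = serialize_filter({**filters, "numberVulnerabilities": page_size, "page": page})
        data = post_vulnerabilities(api_key, body, transport=transport)
        if not data.get("success"):
            raise RuntimeError(f"ThreadFix request failed: {data.get('message')!r}")
        batch = data.get("object") or []
        vulns.extend(batch)
        if len(batch) < page_size:
            return vulns
        page += 1


def summarize(vuln):
    """Triage fields from one vulnerability object; openTime is Epoch milliseconds."""
    opened = datetime.fromtimestamp(vuln["openTime"] / 1000, tz=timezone.utc)
    return {"id": vuln["id"], "cwe": vuln["genericVulnerability"]["displayId"],
            "severity": vuln["genericSeverity"]["intValue"], "opened": opened,
            "scanners": vuln.get("channelNames", [])}


# Constructed stand-in for the server, shaped like the page's sample output.
SAMPLE_PAGE = json.dumps({
    "message": "", "success": True, "responseCode": -1,
    "object": [{"id": 114, "genericVulnerability": {"id": 79, "displayId": 79},
                "genericSeverity": {"intValue": 5, "displayName": "Critical"},
                "isFalsePositive": False, "hidden": False,
                "openTime": 1307976287000, "channelNames": ["Security AppScan Standard"]}]})


def fake_transport(url, headers, body):
    """Answers page 1 with SAMPLE_PAGE and every later page with no results."""
    page = urllib.parse.parse_qs(body).get("page", ["1"])[0]
    return SAMPLE_PAGE if page == "1" else json.dumps({"success": True, "object": []})


if __name__ == "__main__":
    for vuln in fetch_all("{apiKey}", ui_default_status_filter(), page_size=1, transport=fake_transport):
        print(summarize(vuln))
```

Pass transport=None and a real API key to talk to a ThreadFix server; the fake transport only exists so the paging and parsing logic can be exercised without one.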


genericVulnerability field with includeCustomText set to true:

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": [
        {
            "id": 114,
            "defect": null,
            "genericVulnerability": {
                "id": 79,
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                "customText": "Custom CWE Text here.",
                "displayId": 79
            },
            …
        }
    ]
}


dependency fields for a Dependency Check vulnerability:

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": [
        {
            …
            "findings": [
                {
…
                    "dependency": {
                        "id": 1,
                        "active": true,
                        "componentName": "spring-core-3.0.0.RELEASE.jar",
                        "componentFilePath": ".\\src\\test\\resources\\spring-core-3.0.0.RELEASE.jar",
                        "refLink": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894",
                        "description": "Spring Framework 3.0.0 through 3.0.5, Spring … //TRIMMED FOR BREVITY,
                        "source": null,
                        "refId": "CVE-2011-2894"
                    },
…
                }
            ],
…
            "dependency": {
                "id": 1,
                "active": true,
                "componentName": "spring-core-3.0.0.RELEASE.jar",
                "componentFilePath": ".\\src\\test\\resources\\spring-core-3.0.0.RELEASE.jar",
                "refLink": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894",
                "description": "Spring Framework 3.0.0 through 3.0… //TRIMMED FOR BREVITY,
                "source": null,
                "refId": "CVE-2011-2894"
            },
…
        }
    ]
}

Sample response including remoteProviderAppNativeName:

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": [
        {
            "id": 14,
            "defect": null,
            "genericVulnerability": {
                "id": 80,
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                "displayId": 79
            },
            "calculatedFilePath": "/advanced.jsp",
            "active": true,
            "isFalsePositive": true,
            "isContested": false,
            "isVerified": false,
            "isExploitable": false,
            "hidden": false,
            "originalOpenTime": 1616117619000,
            "openTime": 1616117619000,
            "closeTime": null,
            "findings": [
                {
                    "id": 14,
                    "active": true,
                    "vulnerability": {
                        "id": 14
                    },
                    "longDescription": null,
                    "attackString": null,
                    "attackRequest": null,
                    "attackResponse": null,
                    "urlReference": "https://cxprivatecloud.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=1003279&projectid=132&pathid=1",
                    "nativeId": "a311bbc6b7ad1432e8915230129dac3b",
                    "displayId": null,
                    "surfaceLocation": {
                        "id": 14,
                        "parameter": null,
                        "path": "root/advanced.jsp"
                    },
                    "sourceFileLocation": "root/advanced.jsp",
                    "dataFlowElements": [
                        {
                            "id": 94,
                            "sourceFileName": "root/advanced.jsp",
                            "lineNumber": 48,
                            "columnNumber": 45,
                            "lineText": "    <a href=\"javascript:window.location=window.location.href\">New Search</a>"
                        },
                        {
                            "id": 95,
                            "sourceFileName": "root/advanced.jsp",
                            "lineNumber": 48,
                            "columnNumber": 20,
                            "lineText": "    <a href=\"javascript:window.location=window.location.href\">New Search</a>"
                        }
                    ],
                    "findingCves": [],
                    "calculatedUrlPath": "",
                    "calculatedFilePath": "/advanced.jsp",
                    "dependency": null,
                    "findingDescription": null,
                    "findingRecommendation": null,
                    "scanName": null,
                    "scannerName": "Checkmarx",
                    "vulnerabilityType": "Client_DOM_XSS",
                    "severity": "High",
                    "remoteProviderEntityName": "CX",
                    "remoteProviderEntityId": 1,
                    "scannerRecommendation": null,
                    "remoteProviderAppNativeName": "Bodgeit (/CxServer/SP/Partners/Denim Group)"
                }
            ],
            "documents": [],
            "grcControl": null,
            "tags": [],
            "genericSeverity": {
                "id": 1,
                "name": "High",
                "intValue": 4,
                "displayName": "High"
            },
            "app": {
                "id": 1,
                "name": "1",
                "url": null,
                "applicationCriticality": {
                    "id": 2,
                    "name": "Medium"
                },
                "policyStatuses": null,
                "description": null,
                "releaseFrequency": "UNKNOWN",
                "testEnvironment": null,
                "grcApplication": null,
                "isInternal": false
            },
            "team": {
                "id": 1,
                "name": "1"
            },
            "vulnId": "14",
            "parameter": null,
            "staticFindings": [
                {
                    "id": 14,
                    "active": true,
                    "vulnerability": {
                        "id": 14
                    },
                    "longDescription": null,
                    "attackString": null,
                    "attackRequest": null,
                    "attackResponse": null,
                    "urlReference": "https://cxprivatecloud.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=1003279&projectid=132&pathid=1",
                    "nativeId": "a311bbc6b7ad1432e8915230129dac3b",
                    "displayId": null,
                    "surfaceLocation": {
                        "id": 14,
                        "parameter": null,
                        "path": "root/advanced.jsp"
                    },
                    "sourceFileLocation": "root/advanced.jsp",
                    "dataFlowElements": [
                        {
                            "id": 94,
                            "sourceFileName": "root/advanced.jsp",
                            "lineNumber": 48,
                            "columnNumber": 45,
                            "lineText": "    <a href=\"javascript:window.location=window.location.href\">New Search</a>"
                        },
                        {
                            "id": 95,
                            "sourceFileName": "root/advanced.jsp",
                            "lineNumber": 48,
                            "columnNumber": 20,
                            "lineText": "    <a href=\"javascript:window.location=window.location.href\">New Search</a>"
                        }
                    ],
                    "findingCves": [],
                    "calculatedUrlPath": "",
                    "calculatedFilePath": "/advanced.jsp",
                    "dependency": null,
                    "findingDescription": null,
                    "findingRecommendation": null,
                    "scanName": null,
                    "scannerName": "Checkmarx",
                    "vulnerabilityType": "Client_DOM_XSS",
                    "severity": "High",
                    "remoteProviderEntityName": "CX",
                    "remoteProviderEntityId": 1,
                    "scannerRecommendation": null,
                    "remoteProviderAppNativeName": "Bodgeit (/CxServer/SP/Partners/Denim Group)"
                }
            ],
            "vulnerabilityComments": [],
            "dependency": null,
            "channelNames": [
                "Checkmarx"
            ],
            "dynamicFindings": [],
            "path": "root/advanced.jsp"
        }
    ]
}
