/rest/applications/{appId}/addFinding


| Descriptor | Value |
| --- | --- |
| HTTP Method | POST |
| Description | Creates a manual finding with the given properties. |
| Required Permission | Modify Vulnerabilities |
| Version Introduced | 2.3.0 |


Request Header Parameters

| Parameter | Value | Required | Description |
| --- | --- | --- | --- |
| Accept | String | Yes | A value of 'application/json' must be provided. |


Request POST Data Parameters

| Parameter | Value | Required | Description |
| --- | --- | --- | --- |
| isStatic | Boolean | No | Whether the finding is static or dynamic. Defaults to false (Dynamic). |
| vulnType | String | Yes | Name of the CWE vulnerability. Enter None if the finding is not associated with a CWE. |
| longDescription | String | Yes | General description of the issue. |
| severity | Integer | Yes | Severity level from 1-5. |
| nativeId | String | No | Identifier for the vulnerability. |
| parameter | String | No* | Request parameter for vulnerability. |
| filePath | String | No* | (Static only) Location of source file. |
| column | Integer | No | (Static only) Column number for finding vulnerability source. |
| lineText | String | No | (Static only) Line text for finding vulnerability source. |
| lineNumber | Integer | No | (Static only) Line number for finding vulnerability source. |
| fullUrl | String | No | (Dynamic only) Absolute URL to the page with the vulnerability. |
| path | String | No | (Dynamic only) Relative path to the page with the vulnerability. |

*Static manual findings require either parameter or filePath to be present.


Sample Call:

Static Finding:

```bash
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=true&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&filePath=C:\sampleCode\home&column=2&lineText=findStore()&lineNumber=234' http://localhost:8080/threadfix/rest/applications/1/addFinding?apiKey={apiKey}
```

Dynamic Finding:

```bash
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=false&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&fullUrl=www.samplewebsite.com/store/3&path=/store/3' http://localhost:8080/threadfix/rest/applications/1/addFinding?apiKey={apiKey}
```


Sample Output:

Static Finding:

```json
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 39,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 39,
            "parameter": "store",
            "path": null
        },
        "sourceFileLocation": null,
        "dataFlowElements": [
            {
                "id": 1,
                "sourceFileName": "C:\\sampleCode\\home",
                "lineNumber": 234,
                "columnNumber": 2,
                "lineText": "findStore()"
            }
        ],
        "calculatedUrlPath": "",
        "calculatedFilePath": "C:\\sampleCode\\home",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}
```

Dynamic Finding:

```json
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 40,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 40,
            "parameter": "store",
            "path": "/store/3"
        },
        "sourceFileLocation": null,
        "dataFlowElements": null,
        "calculatedUrlPath": "/store/3",
        "calculatedFilePath": "",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}
```
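The parameter rules above (required fields, severity 1-5, static-only and dynamic-only fields, and the parameter-or-filePath rule for static findings) and the response shape, as an added Python example that is not part of this page or of ThreadFix itself; `build_add_finding` and `finding_location` are hypothetical helper names, and the code only constructs and checks the request (it sends nothing), so it runs offline.

```python
"""Constructed example: build a validated addFinding request and read its response."""
from urllib.parse import urlencode

STATIC_ONLY = {"filePath", "column", "lineText", "lineNumber"}
DYNAMIC_ONLY = {"fullUrl", "path"}


def build_add_finding(base_url, app_id, api_key, **fields):
    """Return (url, headers, body) for POST /rest/applications/{appId}/addFinding.

    Enforces the documented rules client-side: vulnType, longDescription and
    severity (1-5) are required; static findings need parameter or filePath;
    static-only and dynamic-only fields must agree with isStatic. The API key
    travels in the Authorization header rather than the URL query string.
    """
    for name in ("vulnType", "longDescription", "severity"):
        if name not in fields:
            raise ValueError(f"missing required parameter: {name}")
    if not 1 <= int(fields["severity"]) <= 5:
        raise ValueError("severity must be an integer from 1 to 5")
    raw = fields.get("isStatic", False)
    is_static = raw if isinstance(raw, bool) else str(raw).lower() == "true"
    if is_static and not (fields.get("parameter") or fields.get("filePath")):
        raise ValueError("static findings require parameter or filePath")
    wrong = set(fields) & (DYNAMIC_ONLY if is_static else STATIC_ONLY)
    if wrong:
        raise ValueError(f"not valid for this finding kind: {sorted(wrong)}")
    form = dict(fields)
    form["isStatic"] = "true" if is_static else "false"  # API expects lowercase
    url = f"{base_url.rstrip('/')}/rest/applications/{int(app_id)}/addFinding"
    headers = {"Accept": "application/json", "Authorization": f"APIKEY {api_key}"}
    # urlencode escapes spaces, '&', ':' and backslashes (e.g. C:\sampleCode\home),
    # which the raw curl samples leave unencoded.
    return url, headers, urlencode(form)


def finding_location(response):
    """Return (finding id, recorded location) from a parsed addFinding response.

    Static findings fill calculatedFilePath, dynamic ones calculatedUrlPath.
    """
    if not response.get("success"):
        raise RuntimeError(response.get("message") or "addFinding failed")
    obj = response["object"]
    return obj["id"], obj["calculatedFilePath"] or obj["calculatedUrlPath"]
```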

