Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

/rest/{version}/applications/{appId}/upload

Descriptor

Value

HTTP Method

POST

Description

Uploads and processes the scan.

Required Permission

Upload Scans

Version Introduced

2.3.0

Changes in 2.4.5

Starting with Version 2.4.5, this call adds the scan to the Scan Upload Queue, and returns an entirely different response. 

The scan has not finished importing into an application at the time the call returns; if automation is using this call, make sure to use the legacy version or adjust the automation accordingly.

Changes in 2.5

The new Links section includes a link to the endpoint

you

users can hit to check the status of the scan after it’s been added to the queue.

Request Header Parameters

Parameter

Value

Required

Description

Accept

String

Yes

A value of ‘application/json’ must be provided.

Request POST Data Parameters

Parameter

Value

Required

Description

file

File

yes

The scan to upload to the application in ThreadFix.

Sample Call:

Code Block
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --form file=@path/to/file/www_example_url_com_webinspect_scan.xml http://localhost:8080/threadfix/rest/v2.5/applications/2/upload

Sample Output (v2.4.5 through latest):

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": "Scan upload process started.",
    "links": [
        {
            "method": "GET",
            "rel": "related",
            "href": "http://localhost:8080/threadfix/rest/applications/2/pendingScan/39/status"
        }
    ]
}

Sample Output (legacy through v2.4.2.1):

Info

Values for importTime are returned as Epoch time in milliseconds.

Code Block
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 2,
        "importTime": 1320440009000,
        "numberClosedVulnerabilities": 0,
        "numberNewVulnerabilities": 29,
        "numberOldVulnerabilities": 0,
        "numberResurfacedVulnerabilities": 0,
        "numberTotalVulnerabilities": 29,
        "numberRepeatResults": 0,
        "numberRepeatFindings": 0,
        "numberInfoVulnerabilities": 1,
        "numberLowVulnerabilities": 14,
        "numberMediumVulnerabilities": 6,
        "numberHighVulnerabilities": 2,
        "numberCriticalVulnerabilities": 6,
        "findings": [
            {
                "id": 3,
                "longDescription": null,
                "attackString": "",
                "attackRequest": "GET /demo/XSS-reflected2.php HTTP...", //SHORTENED FOR BREVITY
                "attackResponse": "HTTP/1.1 200 OK\nDate: Fri, 04 Nov 201...", //SHORTENED FOR BREVITY
                "nativeId": "c9522bf8c67a646f5979cc2212710195",
                "displayId": null,
                "surfaceLocation": {
                    "id": 3,
                    "parameter": null,
                    "path": "/demo/XSS-reflected2.php"
                },
                "sourceFileLocation": null,
                "dataFlowElements": null,
                "calculatedUrlPath": "/demo/XSS-reflected2.php",
                "calculatedFilePath": "",
                "dependency": null,
                "severity": "1",
                "vulnerabilityType": "Possible Server Path Disclosure (win32)"
            },
            {
                "id": 4,
                "longDescription": null,
                "attackString": "",
                "attackRequest": "GET /demo/LDAPInjection2.php HTTP/1.1\nRe...", //SHORTENED FOR BREVITY
                "attackResponse": "HTTP/1.1 200 OK\nDate: Fri, 04 Nov 2011 20:...", //SHORTENED FOR BREVITY
                "nativeId": "6d5dc848529d28f8ab89cc20e6ca413d",
                "displayId": null,
                "surfaceLocation": {
                    "id": 4,
                    "parameter": null,
                    "path": "/demo/LDAPInjection2.php"
                },
                "sourceFileLocation": null,
                "dataFlowElements": null,
                "calculatedUrlPath": "/demo/LDAPInjection2.php",
                "calculatedFilePath": "",
                "dependency": null,
                "severity": "1",
                "vulnerabilityType": "Possible Server Path Disclosure (win32)"
            },
            //THE REST OMITTED FOR BREVITY
        ],
        "scannerName": "WebInspect"
    }
}

Page Tree
rootScans 3.0 API