As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.


/rest/applications/{appId}/addFinding


HTTP Method: POST
Description: Creates a manual finding with the given properties.
Required Permission: Modify Vulnerabilities
Version Introduced: 2.3.0


Request Header Parameters

Parameter  Value   Required  Description
Accept     String  Yes       A value of 'application/json' must be provided.


Request POST Data Parameters

Parameter        Value    Required  Description
isStatic         Boolean  No        Whether the finding is static or dynamic. Defaults to false (dynamic).
vulnType         String   Yes       Name of the CWE vulnerability. Enter None if the finding is not associated with a CWE.
longDescription  String   Yes       General description of the issue.
severity         Integer  Yes       Severity level from 1-5.
nativeId         String   No        Identifier for the vulnerability.
parameter        String   No*       Request parameter for the vulnerability.
filePath         String   No*       (Static only) Location of the source file.
column           Integer  No        (Static only) Column number of the finding's vulnerability source.
lineText         String   No        (Static only) Line text of the finding's vulnerability source.
lineNumber       Integer  No        (Static only) Line number of the finding's vulnerability source.
fullUrl          String   No        (Dynamic only) Absolute URL of the page with the vulnerability.
path             String   No        (Dynamic only) Relative path of the page with the vulnerability.

* Static manual findings require either parameter or filePath to be present.


Sample Call:

Static Finding
curl --insecure -H 'Accept: application/json' -X POST \
  --data 'isStatic=true&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&filePath=C:\sampleCode\home&column=2&lineText=findStore()&lineNumber=234' \
  http://localhost:8080/threadfix/rest/applications/1/addFinding?apiKey={apiKey}

Dynamic Finding
curl --insecure -H 'Accept: application/json' -X POST \
  --data 'isStatic=false&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&fullUrl=www.samplewebsite.com/store/3&path=/store/3' \
  http://localhost:8080/threadfix/rest/applications/1/addFinding?apiKey={apiKey}


Sample Output:


Static Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 39,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 39,
            "parameter": "store",
            "path": null
        },
        "sourceFileLocation": null,
        "dataFlowElements": [
            {
                "id": 1,
                "sourceFileName": "C:\\sampleCode\\home",
                "lineNumber": 234,
                "columnNumber": 2,
                "lineText": "findStore()"
            }
        ],
        "calculatedUrlPath": "",
        "calculatedFilePath": "C:\\sampleCode\\home",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}



Dynamic Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 40,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 40,
            "parameter": "store",
            "path": "/store/3"
        },
        "sourceFileLocation": null,
        "dataFlowElements": null,
        "calculatedUrlPath": "/store/3",
        "calculatedFilePath": "",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}
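The following Python helper is an added example, not ThreadFix code, that ties the parameter table and the sample call and output together. It applies the table's rules before anything is sent (required fields, severity in 1-5, the parameter-or-filePath rule for static findings, and static-only versus dynamic-only fields), URL-encodes the form body so values containing spaces, backslashes or parentheses such as the sample filePath and lineText arrive unchanged, and reads the new finding's id out of a response shaped like the sample output. The base URL, the api key placeholder and the sample finding are constructed values; send_finding is the only part that touches the network and keeps TLS verification on rather than mirroring curl's --insecure. Because the sample calls carry apiKey in the query string, it will typically appear in proxy and server access logs, so those logs deserve the same handling as the key itself.

```python
"""Build and check calls to ThreadFix's /rest/applications/{appId}/addFinding.

Added example, not ThreadFix code.  Validation rules come from the parameter
table on this page; base URL, api key placeholder and sample finding are
constructed values.
"""
import json
import urllib.request
from urllib.parse import urlencode

REQUIRED = ("vulnType", "longDescription", "severity")
STATIC_ONLY = {"filePath", "column", "lineText", "lineNumber"}
DYNAMIC_ONLY = {"fullUrl", "path"}


def is_static(finding):
    """isStatic may arrive as a bool or as the string 'true'; anything else is dynamic."""
    return str(finding.get("isStatic", False)).lower() == "true"


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding matches the table's rules."""
    problems = []
    for name in REQUIRED:
        if finding.get(name) in (None, ""):
            problems.append(f"missing required parameter {name}")
    sev = finding.get("severity")
    if sev is not None and (isinstance(sev, bool) or not isinstance(sev, int) or not 1 <= sev <= 5):
        problems.append("severity must be an integer from 1 to 5")
    static = is_static(finding)
    if static and not (finding.get("parameter") or finding.get("filePath")):
        problems.append("static findings require parameter or filePath")
    wrong_kind = (DYNAMIC_ONLY if static else STATIC_ONLY) & set(finding)
    for name in sorted(wrong_kind):
        problems.append(f"{name} does not apply to a {'static' if static else 'dynamic'} finding")
    return problems


def build_request(base_url, app_id, api_key, finding):
    """Return (url, headers, body) for the call without sending anything."""
    problems = validate_finding(finding)
    if problems:
        raise ValueError("; ".join(problems))
    # Booleans go on the wire as the literal strings true/false, as in the sample calls.
    form = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in finding.items()}
    url = (f"{base_url.rstrip('/')}/rest/applications/{int(app_id)}/addFinding?"
           + urlencode({"apiKey": api_key}))
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    # urlencode percent-encodes spaces, backslashes and parentheses, so the
    # filePath and lineText values from the sample calls survive the trip.
    return url, headers, urlencode(form).encode()


def parse_response(raw):
    """Return the new finding id from a response shaped like the sample output."""
    payload = json.loads(raw)
    if not payload.get("success"):
        raise RuntimeError(f"addFinding failed: {payload.get('message')!r}")
    return payload["object"]["id"]


def send_finding(base_url, app_id, api_key, finding):
    """Network-touching part; TLS verification stays on (no equivalent of --insecure)."""
    url, headers, body = build_request(base_url, app_id, api_key, finding)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_response(resp.read())


# Constructed sample mirroring the static finding call on this page.
SAMPLE_STATIC = {
    "isStatic": True, "vulnType": "Location", "longDescription": "This should be addressed.",
    "severity": 3, "nativeId": "24", "parameter": "store", "filePath": r"C:\sampleCode\home",
    "column": 2, "lineText": "findStore()", "lineNumber": 234,
}

if __name__ == "__main__":
    url, headers, body = build_request("http://localhost:8080/threadfix", 1, "{apiKey}", SAMPLE_STATIC)
    print(url)
    print(body.decode())
```

Running the module prints the request line and the encoded body for the static sample; swapping in a finding that breaks a table rule (for instance a static finding with neither parameter nor filePath) makes build_request raise before any request leaves the host.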
