As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, support and updates are no longer provided for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.
Upload Scan 3.0 - API
/rest/{version}/applications/{appId}/upload
Descriptor | Value |
---|---|
HTTP Method | POST |
Description | Uploads and processes the scan. |
Required Permission | Upload Scans |
Version Introduced | 2.3.0 |
Changes in 2.4.5 | Starting with Version 2.4.5, this call adds the scan to the Scan Upload Queue, and returns an entirely different response. The scan has not finished importing into an application at the time the call returns; if automation is using this call, make sure to use the legacy version or adjust the automation accordingly. |
Changes in 2.5 | The new Links section includes a link to the endpoint users can hit to check the status of the scan after it’s been added to the queue. |
Request Header Parameters
Parameter | Value | Required | Description |
---|---|---|---|
Accept | String | Yes | A value of 'application/json' must be provided. |
Request POST Data Parameters
Parameter | Value | Required | Description |
---|---|---|---|
file | File | Yes | The scan to upload to the application in ThreadFix. |
Sample Call:
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --form file=@path/to/file/www_example_url_com_webinspect_scan.xml http://localhost:8080/threadfix/rest/v2.5/applications/2/upload
Sample Output (v2.4.5 through latest):
{
   "message": "",
   "success": true,
   "responseCode": -1,
   "object": "Scan upload process started.",
   "links": [
       {
           "method": "GET",
           "rel": "related",
           "href": "http://localhost:8080/threadfix/rest/applications/2/pendingScan/39/status"
       }
   ]
}
Sample Output (legacy through v2.4.2.1):
Values for importTime are returned as Epoch time in milliseconds.
{
   "message": "",
   "success": true,
   "responseCode": -1,
   "object": {
       "id": 2,
       "importTime": 1320440009000,
       "numberClosedVulnerabilities": 0,
       "numberNewVulnerabilities": 29,
       "numberOldVulnerabilities": 0,
       "numberResurfacedVulnerabilities": 0,
       "numberTotalVulnerabilities": 29,
       "numberRepeatResults": 0,
       "numberRepeatFindings": 0,
       "numberInfoVulnerabilities": 1,
       "numberLowVulnerabilities": 14,
       "numberMediumVulnerabilities": 6,
       "numberHighVulnerabilities": 2,
       "numberCriticalVulnerabilities": 6,
       "findings": [
           {
               "id": 3,
               "longDescription": null,
               "attackString": "",
               "attackRequest": "GET /demo/XSS-reflected2.php HTTP...", //SHORTENED FOR BREVITY
               "attackResponse": "HTTP/1.1 200 OK\nDate: Fri, 04 Nov 201...", //SHORTENED FOR BREVITY
               "nativeId": "c9522bf8c67a646f5979cc2212710195",
               "displayId": null,
               "surfaceLocation": {
                   "id": 3,
                   "parameter": null,
                   "path": "/demo/XSS-reflected2.php"
               },
               "sourceFileLocation": null,
               "dataFlowElements": null,
               "calculatedUrlPath": "/demo/XSS-reflected2.php",
               "calculatedFilePath": "",
               "dependency": null,
               "severity": "1",
               "vulnerabilityType": "Possible Server Path Disclosure (win32)"
           },
           {
               "id": 4,
               "longDescription": null,
               "attackString": "",
               "attackRequest": "GET /demo/LDAPInjection2.php HTTP/1.1\nRe...", //SHORTENED FOR BREVITY
               "attackResponse": "HTTP/1.1 200 OK\nDate: Fri, 04 Nov 2011 20:...", //SHORTENED FOR BREVITY
               "nativeId": "6d5dc848529d28f8ab89cc20e6ca413d",
               "displayId": null,
               "surfaceLocation": {
                   "id": 4,
                   "parameter": null,
                   "path": "/demo/LDAPInjection2.php"
               },
               "sourceFileLocation": null,
               "dataFlowElements": null,
               "calculatedUrlPath": "/demo/LDAPInjection2.php",
               "calculatedFilePath": "",
               "dependency": null,
               "severity": "1",
               "vulnerabilityType": "Possible Server Path Disclosure (win32)"
           },
           //THE REST OMITTED FOR BREVITY
       ],
       "scannerName": "WebInspect"
   }
}
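The 2.4.5 change described above means a script that reads vulnerability counts out of the upload response will break once the call only confirms queuing. The following Python client, added here as an example and not part of the ThreadFix documentation or product, uploads a scan with the same headers as the sample call and then branches on the response shape: it returns the status link for a queued (2.4.5+) response and the import result, with importTime converted from epoch milliseconds, for a legacy one. The sample bodies are constructed from the two outputs shown on this page; base_url, the helper names and the multipart framing are assumptions, and TLS verification is left enabled rather than mirroring --insecure.

```python
import json
import uuid
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# Sample bodies constructed from the two responses on this page (fields trimmed).
QUEUED_BODY = ('{"success": true, "message": "", "responseCode": -1, '
               '"object": "Scan upload process started.", "links": [{"method": "GET", '
               '"rel": "related", "href": "http://localhost:8080/threadfix/rest/'
               'applications/2/pendingScan/39/status"}]}')
LEGACY_BODY = ('{"success": true, "message": "", "responseCode": -1, "object": {"id": 2, '
               '"importTime": 1320440009000, "numberNewVulnerabilities": 29, '
               '"numberCriticalVulnerabilities": 6, "numberHighVulnerabilities": 2, '
               '"scannerName": "WebInspect"}}')

def parse_upload_response(body):
    """2.4.5+ only confirms queuing and links to a status endpoint; legacy returns
    the finished import with its counts. Automation must branch on that shape."""
    data = json.loads(body)
    if not data.get("success"):
        raise RuntimeError("upload rejected: %r" % data.get("message"))
    obj = data["object"]
    if isinstance(obj, str):  # 2.4.5+: queued, import has not finished
        hrefs = [lk["href"] for lk in data.get("links", [])
                 if lk.get("rel") == "related" and lk.get("method") == "GET"]
        if not hrefs:
            raise RuntimeError("queued response carries no status link")
        return {"state": "queued", "status_url": hrefs[0]}
    # legacy: importTime is epoch milliseconds, so scale before converting
    imported = datetime.fromtimestamp(obj["importTime"] / 1000, tz=timezone.utc)
    return {"state": "imported", "scan_id": obj["id"], "imported_at": imported,
            "new": obj["numberNewVulnerabilities"],
            "critical": obj["numberCriticalVulnerabilities"],
            "high": obj["numberHighVulnerabilities"]}

def upload_scan(base_url, version, app_id, api_key, scan_path):
    """POST the scan as multipart/form-data. base_url is assumed (e.g.
    https://threadfix.example/threadfix); TLS verification is left enabled."""
    boundary = uuid.uuid4().hex
    with open(scan_path, "rb") as fh:
        part = ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n\r\n'
                % (boundary, scan_path.rsplit("/", 1)[-1])).encode() + fh.read()
    body = part + ("\r\n--%s--\r\n" % boundary).encode()
    req = Request("%s/rest/%s/applications/%s/upload" % (base_url, version, app_id),
                  data=body, method="POST")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", "APIKEY %s" % api_key)
    req.add_header("Content-Type", "multipart/form-data; boundary=%s" % boundary)
    with urlopen(req, timeout=60) as resp:
        return parse_upload_response(resp.read().decode("utf-8"))
```

For a queued result, poll the returned status_url (the endpoint referenced in the Changes in 2.5 row) before reading vulnerability counts from the application.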
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.