As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Add Manual Finding - API
Deprecated as of version 2.8. For all manual vulnerability submissions in ThreadFix 2.8 or later please refer to the Pen Test feature.
/rest/{version}/applications/{appId}/addFinding
Descriptor | Value |
|---|---|
HTTP Method | POST |
Description | Creates a manual finding with the given properties. |
Required Permission | Modify Vulnerabilities |
| Version Introduced | 2.3.0 |
Request Header Parameters
Parameter | Value | Required | Description |
|---|---|---|---|
Accept | String | Yes | A value of ‘application/json’ must be provided. |
Request POST Data Parameters
Parameter | Value | Required | Description |
|---|---|---|---|
isStatic | Boolean | No | Whether the finding is static or dynamic. Defaults to false (Dynamic). |
vulnType | String | Yes | Name of the CWE vulnerability. Enter None if the finding is not associated with a CWE. |
longDescription | String | Yes | General description of the issue. |
severity | Integer | Yes | Severity level from 1-5. |
nativeId | String | No | Identifier for the vulnerability. |
parameter | String | No* | Request parameter for vulnerability. |
filePath | String | No* | (Static only) Location of source file. |
column | Integer | No | (Static only) Column number for finding vulnerability source. |
lineText | String | No | (Static only) Line text for finding vulnerability source. |
lineNumber | Integer | No | (Static only) Line number for finding vulnerability source. |
fullUrl | String | No | (Dynamic only) Absolute URL to the page with the vulnerability. |
path | String | No | (Dynamic only) Relative path to the page with the vulnerability. |
*Static manual findings require either parameter or filePath to be present
Sample Call:
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=true&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24¶meter=store&filePath=C:\sampleCode\home&column=2&lineText=findStore()&lineNumber=234' http://localhost:8080/threadfix/rest/latest/applications/1/addFinding
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=false&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24¶meter=store&fullUrl=www.samplewebsite.com/store/3&path=/store/3' http://localhost:8080/threadfix/rest/latest/applications/1/addFinding
Sample Output:
{
"message": "",
"success": true,
"responseCode": -1,
"object": {
"id": 39,
"longDescription": "This should be addressed.",
"attackString": null,
"attackRequest": null,
"attackResponse": null,
"nativeId": "24",
"displayId": null,
"surfaceLocation": {
"id": 39,
"parameter": "store",
"path": null
},
"sourceFileLocation": null,
"dataFlowElements": [
{
"id": 1,
"sourceFileName": "C:\\sampleCode\\home",
"lineNumber": 234,
"columnNumber": 2,
"lineText": "findStore()"
}
],
"calculatedUrlPath": "",
"calculatedFilePath": "C:\\sampleCode\\home",
"dependency": null,
"severity": "Medium",
"vulnerabilityType": "Location"
}
}
{
"message": "",
"success": true,
"responseCode": -1,
"object": {
"id": 40,
"longDescription": "This should be addressed.",
"attackString": null,
"attackRequest": null,
"attackResponse": null,
"nativeId": "24",
"displayId": null,
"surfaceLocation": {
"id": 40,
"parameter": "store",
"path": "/store/3"
},
"sourceFileLocation": null,
"dataFlowElements": null,
"calculatedUrlPath": "/store/3",
"calculatedFilePath": "",
"dependency": null,
"severity": "Medium",
"vulnerabilityType": "Location"
}
}
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.