As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Vulnerability Search - API

/rest/{version}/vulnerabilities

Descriptor

Value

Descriptor

Value

HTTP Method

POST

Description

Returns a filtered list of vulnerabilities.

Required Permission

Read Access (Any Role)

Version Introduced

2.3.0

Changes in 2.4.0                

Adds new fields to dependency Check Vulnerabilities

Changes in 2.5.1

Adds "displayName" field to "genericSeverity" in response.  This field is present when using any previous REST version as well.

Adds "findingRecommendation" and "findingDescription" fields in response.  These are only present when using version 2.5.1 or later.

Changes in 2.5.2

Adds "vulnerabilityComments.comment" and "vulnerabilityComments.tags" fields in response. These fields are present when using any previous REST version as well.

Adds "vulnerabilityComments.user" field in response. This field is only present when using version 2.5.2 or later.

Adds ability to get vulnerability information by entering a serialized list of vulnerability IDs.

Changes in 2.7

Adds ability to get vulnerability information by entering a serialized list of CVE IDs.

Adds 8 new parameters to help query by vulnerability status: showNotFalsePositive, showNotHidden, showExploitable, showNotExploitable, showContested, showNotContested, showVerified, and showNotVerified.  These parameters only work if you use the 2.7 REST version or later. 

Starting with REST version 2.7 the status query logic is altered; we only filter vulnerabilities based on the parameters you provide.  If you want to see open vulnerabilities without False Positives and Hidden vulns returned, you will need to specify "showOpen=true", "showNotFalsePositive=true", and "showNotHidden=true"

Changes in 2.7.1

Added support for CSVv1, CSVv2 and SSVL exports.

Also added 7 new parameters to allow you to filter report data in the same way you would in the ThreadFix UI for CSV and SSVL exports.

Changes in 2.8

Updated CSV export parameter arguments. CSVv1 support has been deprecated.

Also added 3 new parameters to allow for filtering on static, dynamic and dependency findings.

Changes in 2.8.2

Added remoteProviderEntityID and remoteProviderEntityName fields in response. These fields are present when using any previous REST version as well.

Changes in 2.8.3

Added urlReference field in response. This field was already displayed on UI vulnerability details page

Changes in 2.8.4

Added remoteProviderAppNativeName. This field corresponds with the "Origin Remote Provider Application" in the Finding Details page.

Request Header Parameters

Parameter

Value

Required

Description

Parameter

Value

Required

Description

Accept

String

Yes

A value of ‘application/json’ must be provided.

Request POST Data Parameters

Parameter

Value Type

Req.

Description

Parameter

Value Type

Req.

Description

genericVulnerabilities

List

no

Serialized list of generic vulnerability (CWE) IDs. 

Example: genericVulnerabilities[0].id=201

teams

List

no

Serialized list of team IDs.

Example: teams[0].id=1

applications

List

no

Serialized list of application IDs. 

Example: applications[0].id=2

channelTypes

List

no

Serialized list of scanner IDs. 

Example: channelTypes[0].id=<channelTypeId> (e.g., channelTypes[0].id=49)

Note: To find a scanner’s channelTypeId, run the following query:

SELECT id, name FROM ChannelType WHERE name='<scanner name>'; (e.g., SELECT id, name FROM ChannelType WHERE name='Fortify SSC'; )

genericSeverities

List

no

Serialized list of generic severity values.  

Severity Values:

  • UNASSIGNED = 0

  • INFO = 1

  • LOW = 2

  • MEDIUM = 3

  • HIGH = 4

  • CRITICAL = 5

Example: genericSeverities[0].intValue=4&genericSeverities[1].intValue=5

Retrieves Critical and High vulnerabilities.  The 0 and 1 indicate position within array since we are requesting more than one vuln severity type.  If you're only requesting one severity, it would be 0.

numberVulnerabilities

Integer

no

Number of vulnerabilities to return.  By default this method will only return up to 10 vulnerabilities.

page

Integer

no

Can be used to return a different page of vulnerabilities, with each page of vulnerabilities containing {numberVulnerabilities} vulnerabilities.

parameter

String

no

Filter to only return vulnerabilities containing this string in their parameter.

path

String

no

Filter to only return vulnerabilities containing this String in their path.

startDate

Date

no

Lower bound on vulnerabilities' “Last open date.”

Format: yyyy-MM-dd or Epoch time (in milliseconds).

endDate

Date

no

Upper bound on vulnerabilities' “Last open date.”

Format: yyyy-MM-dd or Epoch time (in milliseconds).

showOpen

Boolean

no

Flag to show only open vulnerabilities.

showClosed

Boolean

no

Flag to show only closed vulnerabilities.

showFalsePositive

Boolean

no

Flag to show only false positive vulnerabilities.

showNotFalsePositive

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are not false positive.

showHidden

Boolean

no

Flag to show hidden vulnerabilities.

showNotHidden

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are not hidden.

showExploitable

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are exploitable.

showNotExploitable

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are not exploitable.

showContested

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are contested.

showNotContested

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are not contested.

showVerified

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are verified.

showNotVerified

Boolean

no

Only available using REST version 2.7 or later.

Flag to show only vulnerabilities that are not verified.

numberMerged

Integer

no

Number of vulnerabilities merged from different scans.

showDefectPresent

Boolean

no

Flag to show vulnerabilities with defects.

showDefectNotPresent

Boolean

no

Flag to show vulnerabilities without defects.

showDefectOpen

Boolean

no

Flag to show vulnerabilities with open defects.

showDefectClosed

Boolean

no

Flag to show vulnerabilities with closed defects.

showInconsistentClosedDefectNeedsScan

Boolean

no

Flag to show vulnerabilities that have closed defects but have not yet been closed by a scan.

showInconsistentClosedDefectOpenInScan

Boolean

no

Flag to show vulnerabilities that have closed defects but were found open in a scan since the defect was closed.

showInconsistentOpenDefect

Boolean

no

Flag to show vulnerabilities that have open defects but have been closed by scans.

includeCustomText

Boolean

no

Set to true to include Custom CWE Text in the response for each vulnerability.

showCommentPresent

Boolean

no

Flag to show vulnerabilities with comments.

commentTags

List

no

Serialized list of comment tags. Example: commentTags[0].id=1

daysOldModifier

String

no

Should only be value of "less" or "more". Used in conjunction with daysOld parameter.

daysOld

Integer

no

Number of days in age of the vulnerability. Valid values are "10", "30", etc. 

daysOldCommentsModifier

String

no

Should only be value of "less" or "more". Used in conjunction with daysOldComments parameter.

daysOldComments

Integer

no

Number of days in age of the comment. Valid values are "10", "30", etc.

hoursOldCommentsModifier

String

no

Should only be value of "less" or "more". Used in conjunction with hoursOldComments parameter.

hoursOldComments

Integer

no

Number of hours since comment was added to vulnerability. Valid values are "1", "10", etc.

commentedByUser

Integer

no

Filter vulnerabilities by ID of user that added comments to it.

vulnerabilities

List

no

Serialized list of vulnerability IDs. Example: vulnerabilities[0].id=1

cvesList

List

no

Serialized list of CVE IDs. Example: cvesList[0].CVE=CVE-2016-6316

exportType

String

no

Type of export being performed. Valid values are "csv" and "ssvl". Not case sensitive.

tags

List

no

Filters to show vulnerabilities from Applications that are tagged with these application tags. To pass in multiple tags, pass in multiple times and increment in the index in the array, like how the teams and applications parameters work. Example: tags[1].id=1,tags[0].id=3

vulnTags

List

no

Filters to show vulnerabilities tagged with these vulnerability tags. Pass in multiple tags in the same way. Example: vulnTags[0].id=5

defectId

String

no

Filters to show vulnerabilities with this defect attached. Example: defectId=THREAD-17420

nativeId

String

no

Filters to show vulnerabilities with findings that have this native ID. Example: nativeId=a0f486f7f658d7c6ecf364c7354a06be

assignToUser

String

no

Filters to show vulnerabilities that have a finding with this value in their assignToUser column (from Checkmarx, for example). Does not need to be an exact string, it will return all findings that contain this string in their assignToUser column. Example: assignToUser=admin

showSharedVulnFound

Boolean

no

Filters to show only vulnerabilities that have been identified as Shared Vulnerabilities. Example: showSharedVulnFound=true

showSharedVulnNotFound

Boolean

no

Filters to show only vulnerabilities that have not been identified as Shared Vulnerabilities. Example: showSharedVulnNotFound=true

showDynamic

Boolean

no

Filters to show only vulnerabilities with dynamic findings. Example: showdynamic=true

showStatic

Boolean

no

Filters to show only vulnerabilities with static findings. Example: showStatic=true

showDependency

Boolean

no

Filters to show only vulnerabilities with dependency findings. Example: showDependency=true

showMobile

Boolean

no

Filters to show only vulnerabilities with mobile findings. Example: showMobile=true

Sample Calls:

  • Requesting all vulnerabilities that are Open but not False Positive or Hidden (the default filter settings in the UI), with up to 200 returned:

curl --insecure -H 'Accept: application/json' -H 'Authorization: APIKey {apiKey}' -X POST --data 'showOpen=true&showNotFalsePositive=true&showNotHidden=false&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities
  • Requesting all critical, high, and medium vulnerabilities with up to 200 returned:

curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'genericSeverities[0].intValue=3&genericSeverities[1].intValue=4&genericSeverities[2].intValue=5&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities
  • Requesting up to 100 vulnerabilities for Application ID 2, with Custom CWE Text returned as well:

curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'applications[0].id=2&includeCustomText=true&numberVulnerabilities=100' http://localhost:8080/threadfix/rest/latest/vulnerabilities

Requesting up to 500 vulnerabilities for all the applications inside Team ID 2, with Custom CWE Text returned as well:

  • Requesting vulnerabilities which have had comments added less than 10 days ago:

-Requesting vulnerabilities which have comments added more than 5 hours ago:

-Requesting vulnerabilities by ID:

-Requesting vulnerabilities by user who added comments to it:

-Requesting vulnerabilities by CVE, with up to 200 vulnerabilities returned:

Sample Output:

Values for originalOpenTime and openTime are returned as Epoch time in milliseconds.

genericVulnerability field with includeCustomText set to true:


dependency fields for DependencyCheck vulnerability:

 

Return response for remoteProviderAppNativeName:

 

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.