As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Vulnerability Search - API
/rest/{version}/vulnerabilities
Descriptor | Value |
---|---|
HTTP Method | POST |
Description | Returns a filtered list of vulnerabilities. |
Required Permission | Read Access (Any Role) |
Version Introduced | 2.3.0 |
Changes in 2.4.0 | Adds new fields to dependency Check Vulnerabilities |
Changes in 2.5.1 | Adds "displayName" field to "genericSeverity" in response. This field is present when using any previous REST version as well. Adds "findingRecommendation" and "findingDescription" fields in response. These are only present when using version 2.5.1 or later. |
Changes in 2.5.2 | Adds "vulnerabilityComments.comment" and "vulnerabilityComments.tags" fields in response. These fields are present when using any previous REST version as well. Adds "vulnerabilityComments.user" field in response. This field is only present when using version 2.5.2 or later. Adds ability to get vulnerability information by entering a serialized list of vulnerability IDs. |
Changes in 2.7 | Adds ability to get vulnerability information by entering a serialized list of CVE IDs. Adds 8 new parameters to help query by vulnerability status: showNotFalsePositive, showNotHidden, showExploitable, showNotExploitable, showContested, showNotContested, showVerified, and showNotVerified. These parameters only work if you use the 2.7 REST version or later. Starting with REST version 2.7 the status query logic is altered; we only filter vulnerabilities based on the parameters you provide. If you want to see open vulnerabilities without False Positives and Hidden vulns returned, you will need to specify "showOpen=true", "showNotFalsePositive=true", and "showNotHidden=true" |
Changes in 2.7.1 | Added support for CSVv1, CSVv2 and SSVL exports. Also added 7 new parameters to allow you to filter report data in the same way you would in the ThreadFix UI for CSV and SSVL exports. |
Changes in 2.8 | Updated CSV export parameter arguments. CSVv1 support has been deprecated. Also added 3 new parameters to allow for filtering on static, dynamic and dependency findings. |
Changes in 2.8.2 | Added remoteProviderEntityID and remoteProviderEntityName fields in response. These fields are present when using any previous REST version as well. |
Changes in 2.8.3 | Added urlReference field in response. This field was already displayed on UI vulnerability details page |
Changes in 2.8.4 | Added remoteProviderAppNativeName. This field corresponds with the "Origin Remote Provider Application" in the Finding Details page. |
Request Header Parameters
Parameter | Value | Required | Description |
---|---|---|---|
Accept | String | Yes | A value of ‘application/json’ must be provided. |
Request POST Data Parameters
Parameter | Value Type | Req. | Description |
---|---|---|---|
genericVulnerabilities | List | no | Serialized list of generic vulnerability (CWE) IDs. Example: genericVulnerabilities[0].id=201 |
teams | List | no | Serialized list of team IDs. Example: teams[0].id=1 |
applications | List | no | Serialized list of application IDs. Example: applications[0].id=2 |
channelTypes | List | no | Serialized list of scanner IDs. Example: channelTypes[0].id=<channelTypeId> (e.g., channelTypes[0].id=49) Note: To find a scanner’s channelTypeId, run the following query:
|
genericSeverities | List | no | Serialized list of generic severity values. Severity Values:
Example: genericSeverities[0].intValue=4&genericSeverities[1].intValue=5 Retrieves Critical and High vulnerabilities. The 0 and 1 indicate position within array since we are requesting more than one vuln severity type. If you're only requesting one severity, it would be 0. |
numberVulnerabilities | Integer | no | Number of vulnerabilities to return. By default this method will only return up to 10 vulnerabilities. |
page | Integer | no | Can be used to return a different page of vulnerabilities, with each page of vulnerabilities containing {numberVulnerabilities} vulnerabilities. |
parameter | String | no | Filter to only return vulnerabilities containing this string in their parameter. |
path | String | no | Filter to only return vulnerabilities containing this String in their path. |
startDate | Date | no | Lower bound on vulnerabilities' “Last open date.” Format: yyyy-MM-dd or Epoch time (in milliseconds). |
endDate | Date | no | Upper bound on vulnerabilities' “Last open date.” Format: yyyy-MM-dd or Epoch time (in milliseconds). |
showOpen | Boolean | no | Flag to show only open vulnerabilities. |
showClosed | Boolean | no | Flag to show only closed vulnerabilities. |
showFalsePositive | Boolean | no | Flag to show only false positive vulnerabilities. |
showNotFalsePositive | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are not false positive. |
showHidden | Boolean | no | Flag to show hidden vulnerabilities. |
showNotHidden | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are not hidden. |
showExploitable | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are exploitable. |
showNotExploitable | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are not exploitable. |
showContested | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are contested. |
showNotContested | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are not contested. |
showVerified | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are verified. |
showNotVerified | Boolean | no | Only available using REST version 2.7 or later. Flag to show only vulnerabilities that are not verified. |
numberMerged | Integer | no | Number of vulnerabilities merged from different scans. |
showDefectPresent | Boolean | no | Flag to show vulnerabilities with defects. |
showDefectNotPresent | Boolean | no | Flag to show vulnerabilities without defects. |
showDefectOpen | Boolean | no | Flag to show vulnerabilities with open defects. |
showDefectClosed | Boolean | no | Flag to show vulnerabilities with closed defects. |
showInconsistentClosedDefectNeedsScan | Boolean | no | Flag to show vulnerabilities that have closed defects but have not yet been closed by a scan. |
showInconsistentClosedDefectOpenInScan | Boolean | no | Flag to show vulnerabilities that have closed defects but were found open in a scan since the defect was closed. |
showInconsistentOpenDefect | Boolean | no | Flag to show vulnerabilities that have open defects but have been closed by scans. |
includeCustomText | Boolean | no | Set to true to include Custom CWE Text in the response for each vulnerability. |
showCommentPresent | Boolean | no | Flag to show vulnerabilities with comments. |
commentTags | List | no | Serialized list of comment tags. Example: commentTags[0].id=1 |
daysOldModifier | String | no | Should only be value of "less" or "more". Used in conjunction with daysOld parameter. |
daysOld | Integer | no | Number of days in age of the vulnerability. Valid values are "10", "30", etc. |
daysOldCommentsModifier | String | no | Should only be value of "less" or "more". Used in conjunction with daysOldComments parameter. |
daysOldComments | Integer | no | Number of days in age of the comment. Valid values are "10", "30", etc. |
hoursOldCommentsModifier | String | no | Should only be value of "less" or "more". Used in conjunction with hoursOldComments parameter. |
hoursOldComments | Integer | no | Number of hours since comment was added to vulnerability. Valid values are "1", "10", etc. |
commentedByUser | Integer | no | Filter vulnerabilities by ID of user that added comments to it. |
vulnerabilities | List | no | Serialized list of vulnerability IDs. Example: vulnerabilities[0].id=1 |
cvesList | List | no | Serialized list of CVE IDs. Example: cvesList[0].CVE=CVE-2016-6316 |
exportType | String | no | Type of export being performed. Valid values are "csv" and "ssvl". Not case sensitive. |
tags | List | no | Filters to show vulnerabilities from Applications that are tagged with these application tags. To pass in multiple tags, pass in multiple times and increment in the index in the array, like how the teams and applications parameters work. Example: tags[1].id=1,tags[0].id=3 |
vulnTags | List | no | Filters to show vulnerabilities tagged with these vulnerability tags. Pass in multiple tags in the same way. Example: vulnTags[0].id=5 |
defectId | String | no | Filters to show vulnerabilities with this defect attached. Example: defectId=THREAD-17420 |
nativeId | String | no | Filters to show vulnerabilities with findings that have this native ID. Example: nativeId=a0f486f7f658d7c6ecf364c7354a06be |
assignToUser | String | no | Filters to show vulnerabilities that have a finding with this value in their assignToUser column (from Checkmarx, for example). Does not need to be an exact string, it will return all findings that contain this string in their assignToUser column. Example: assignToUser=admin |
showSharedVulnFound | Boolean | no | Filters to show only vulnerabilities that have been identified as Shared Vulnerabilities. Example: showSharedVulnFound=true |
showSharedVulnNotFound | Boolean | no | Filters to show only vulnerabilities that have not been identified as Shared Vulnerabilities. Example: showSharedVulnNotFound=true |
showDynamic | Boolean | no | Filters to show only vulnerabilities with dynamic findings. Example: showdynamic=true |
showStatic | Boolean | no | Filters to show only vulnerabilities with static findings. Example: showStatic=true |
showDependency | Boolean | no | Filters to show only vulnerabilities with dependency findings. Example: showDependency=true |
showMobile | Boolean | no | Filters to show only vulnerabilities with mobile findings. Example: showMobile=true |
Sample Calls:
Requesting all vulnerabilities that are Open but not False Positive or Hidden (the default filter settings in the UI), with up to 200 returned:
curl --insecure -H 'Accept: application/json' -H 'Authorization: APIKey {apiKey}' -X POST --data 'showOpen=true&showNotFalsePositive=true&showNotHidden=false&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities
Requesting all critical, high, and medium vulnerabilities with up to 200 returned:
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'genericSeverities[0].intValue=3&genericSeverities[1].intValue=4&genericSeverities[2].intValue=5&numberVulnerabilities=200' http://localhost:8080/threadfix/rest/latest/vulnerabilities
Requesting up to 100 vulnerabilities for Application ID 2, with Custom CWE Text returned as well:
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'applications[0].id=2&includeCustomText=true&numberVulnerabilities=100' http://localhost:8080/threadfix/rest/latest/vulnerabilities
Requesting up to 500 vulnerabilities for all the applications inside Team ID 2, with Custom CWE Text returned as well:
Requesting vulnerabilities which have had comments added less than 10 days ago:
-Requesting vulnerabilities which have comments added more than 5 hours ago:
-Requesting vulnerabilities by ID:
-Requesting vulnerabilities by user who added comments to it:
-Requesting vulnerabilities by CVE, with up to 200 vulnerabilities returned:
Sample Output:
Values for originalOpenTime and openTime are returned as Epoch time in milliseconds.
genericVulnerability field with includeCustomText set to true:
dependency fields for DependencyCheck vulnerability:
Return response for remoteProviderAppNativeName:
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.