As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

/rest/applications/{appId}/addFinding


Descriptor

Value

HTTP Method

POST

Description

Creates a manual finding with the given properties.

Required Permission

Modify Vulnerabilities

Version Introduced2.3.0


Request Header Parameters

Parameter

Value

Required

Description

Accept

String

Yes

A value of ‘application/json’ must be provided.


Request POST Data Parameters

Parameter

Value

Required

Description

isStatic

Boolean

No

Whether the finding is static or dynamic.  Defaults to false (Dynamic).

vulnType

String

Yes

Name of the CWE vulnerability.

Enter None if the finding is not associated with a CWE.

longDescription

String

Yes

General description of the issue.

severity

Integer

Yes

Severity level from 1-5.

nativeId

String

No

Identifier for the vulnerability.

parameter

String

No*

Request parameter for vulnerability.

filePath

String

No*

(Static only) Location of source file.

column

Integer

No

(Static only) Column number for finding vulnerability source.

lineText

String

No

(Static only) Line text for finding vulnerability source.

lineNumber

Integer

No

(Static only) Line number for finding vulnerability source.

fullUrl

String

No

(Dynamic only) Absolute URL to the page with the vulnerability.

path

String

No

(Dynamic only) Relative path to the page with the vulnerability.

*Static manual findings require either parameter or filePath to be present


Sample Call:


Static Finding
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=true&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&filePath=C:\sampleCode\home&column=2&lineText=findStore()&lineNumber=234' http://localhost:8080/threadfix/rest/applications/1/addFinding


Dynamic Finding
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=false&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&fullUrl=www.samplewebsite.com/store/3&path=/store/3' http://localhost:8080/threadfix/rest/applications/1/addFinding


Sample Output:


Static Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 39,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 39,
            "parameter": "store",
            "path": null
        },
        "sourceFileLocation": null,
        "dataFlowElements": [
            {
                "id": 1,
                "sourceFileName": "C:\\sampleCode\\home",
                "lineNumber": 234,
                "columnNumber": 2,
                "lineText": "findStore()"
            }
        ],
        "calculatedUrlPath": "",
        "calculatedFilePath": "C:\\sampleCode\\home",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}



Dynamic Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 40,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 40,
            "parameter": "store",
            "path": "/store/3"
        },
        "sourceFileLocation": null,
        "dataFlowElements": null,
        "calculatedUrlPath": "/store/3",
        "calculatedFilePath": "",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}

  • No labels