As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Add Manual Finding - API

Deprecated as of version 2.8. For all manual vulnerability submissions in ThreadFix 2.8 or later please refer to the Pen Test feature.

/rest/{version}/applications/{appId}/addFinding


Descriptor          | Value
HTTP Method         | POST
Description         | Creates a manual finding with the given properties.
Required Permission | Modify Vulnerabilities
Version Introduced  | 2.3.0


Request Header Parameters

Parameter | Value  | Required | Description
Accept    | String | Yes      | A value of 'application/json' must be provided.


Request POST Data Parameters

Parameter       | Value   | Required | Description
isStatic        | Boolean | No       | Whether the finding is static or dynamic. Defaults to false (Dynamic).
vulnType        | String  | Yes      | Name of the CWE vulnerability. Enter None if the finding is not associated with a CWE.
longDescription | String  | Yes      | General description of the issue.
severity        | Integer | Yes      | Severity level from 1-5.
nativeId        | String  | No       | Identifier for the vulnerability.
parameter       | String  | No*      | Request parameter for vulnerability.
filePath        | String  | No*      | (Static only) Location of source file.
column          | Integer | No       | (Static only) Column number for finding vulnerability source.
lineText        | String  | No       | (Static only) Line text for finding vulnerability source.
lineNumber      | Integer | No       | (Static only) Line number for finding vulnerability source.
fullUrl         | String  | No       | (Dynamic only) Absolute URL to the page with the vulnerability.
path            | String  | No       | (Dynamic only) Relative path to the page with the vulnerability.

*Static manual findings require either parameter or filePath to be present.


Sample Call:

Static Finding
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=true&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&filePath=C:\sampleCode\home&column=2&lineText=findStore()&lineNumber=234' http://localhost:8080/threadfix/rest/latest/applications/1/addFinding

Dynamic Finding
curl --insecure -H 'Accept: application/json' -H "Authorization: APIKEY {apiKey}" -X POST --data 'isStatic=false&vulnType=Location&longDescription=This should be addressed.&severity=3&nativeId=24&parameter=store&fullUrl=www.samplewebsite.com/store/3&path=/store/3' http://localhost:8080/threadfix/rest/latest/applications/1/addFinding
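The same two submissions built in Python, as an added example that is not ThreadFix's own client code. It assumes only what the tables above document (the endpoint path, the Accept and Authorization headers, and the parameter rules); the base URL, application id and API key are placeholders. It checks the static/dynamic rules before anything is sent (severity 1-5, vulnType and longDescription present, a static finding carrying parameter or filePath, no dynamic-only fields on a static finding and vice versa), URL-encodes the form body so the spaces, backslashes and parentheses in the sample values travel safely, and parses the response envelope. Unlike the curl samples it leaves TLS certificate verification on, so the API key is not sent to an unverified server.

```python
"""Builder, validator and response parser for the ThreadFix addFinding
endpoint. Added example based on the parameter table above; not ThreadFix
code. Only send_finding() touches the network; everything else runs offline."""
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

ALLOWED_FIELDS = {"isStatic", "vulnType", "longDescription", "severity", "nativeId",
                  "parameter", "filePath", "column", "lineText", "lineNumber",
                  "fullUrl", "path"}
STATIC_ONLY = {"filePath", "column", "lineText", "lineNumber"}
DYNAMIC_ONLY = {"fullUrl", "path"}


def validate_finding(fields):
    """Return a list of problems derived from the parameter table; [] means OK."""
    problems = []
    unknown = set(fields) - ALLOWED_FIELDS
    if unknown:
        problems.append("unknown parameter(s): " + ", ".join(sorted(unknown)))
    for required in ("vulnType", "longDescription", "severity"):
        if fields.get(required) in (None, ""):
            problems.append(f"{required} is required")
    sev = fields.get("severity")
    if sev is not None and (isinstance(sev, bool) or not isinstance(sev, int)
                            or not 1 <= sev <= 5):
        problems.append("severity must be an integer from 1 to 5")
    is_static = bool(fields.get("isStatic", False))
    if is_static and not (fields.get("parameter") or fields.get("filePath")):
        problems.append("static findings need parameter or filePath")
    misplaced = (DYNAMIC_ONLY if is_static else STATIC_ONLY) & set(fields)
    if misplaced:
        kind = "static" if is_static else "dynamic"
        problems.append(f"{', '.join(sorted(misplaced))} not valid for a {kind} finding")
    return problems


def build_request(base_url, app_id, api_key, fields):
    """Return url/headers/body for the POST, or raise ValueError on a bad finding."""
    problems = validate_finding(fields)
    if problems:
        raise ValueError("; ".join(problems))
    # Booleans must go over the wire as the literal strings true/false.
    encoded = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in fields.items()}
    return {
        "url": f"{base_url.rstrip('/')}/rest/latest/applications/{int(app_id)}/addFinding",
        "headers": {"Accept": "application/json",          # required by the header table
                    "Authorization": f"APIKEY {api_key}",   # ThreadFix API key scheme
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(encoded),                         # percent-encodes spaces, '\', '(' ')'
    }


def body_fields(body):
    """Decode a form body back into a flat dict (used to inspect built requests)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def parse_response(raw):
    """Unwrap the {message, success, responseCode, object} envelope."""
    data = json.loads(raw)
    if not data.get("success"):
        raise RuntimeError(f"ThreadFix rejected the finding: {data.get('message')!r}")
    return data["object"]


def send_finding(req, timeout=30):
    """POST the built request with default (verifying) TLS; not run offline."""
    http_req = Request(req["url"], data=req["body"].encode(), headers=req["headers"], method="POST")
    with urlopen(http_req, timeout=timeout) as resp:
        return parse_response(resp.read().decode())


# Field sets mirroring the two curl samples above.
STATIC_SAMPLE = {"isStatic": True, "vulnType": "Location", "longDescription": "This should be addressed.",
                 "severity": 3, "nativeId": "24", "parameter": "store",
                 "filePath": "C:\\sampleCode\\home", "column": 2, "lineText": "findStore()",
                 "lineNumber": 234}
DYNAMIC_SAMPLE = {"isStatic": False, "vulnType": "Location", "longDescription": "This should be addressed.",
                  "severity": 3, "nativeId": "24", "parameter": "store",
                  "fullUrl": "www.samplewebsite.com/store/3", "path": "/store/3"}

# Constructed response, trimmed from the page's static sample output.
SAMPLE_RESPONSE = """{"message": "", "success": true, "responseCode": -1,
 "object": {"id": 39, "nativeId": "24", "severity": "Medium", "vulnerabilityType": "Location",
            "dataFlowElements": [{"id": 1, "sourceFileName": "C:\\\\sampleCode\\\\home",
                                  "lineNumber": 234, "columnNumber": 2, "lineText": "findStore()"}]}}"""

if __name__ == "__main__":
    # Placeholder host and key; a real run would call send_finding(req).
    req = build_request("https://threadfix.example.test/threadfix", 1, "{apiKey}", STATIC_SAMPLE)
    print(req["url"], req["body"], sep="\n")
    print(parse_response(SAMPLE_RESPONSE)["severity"])
```

validate_finding mirrors the table rather than trusting the server: ThreadFix returns "success": false with a message for a malformed finding, but catching a mis-typed severity or a static field on a dynamic finding locally keeps bad records out of the vulnerability inventory and out of the audit trail.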


Sample Output:

Static Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 39,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 39,
            "parameter": "store",
            "path": null
        },
        "sourceFileLocation": null,
        "dataFlowElements": [
            {
                "id": 1,
                "sourceFileName": "C:\\sampleCode\\home",
                "lineNumber": 234,
                "columnNumber": 2,
                "lineText": "findStore()"
            }
        ],
        "calculatedUrlPath": "",
        "calculatedFilePath": "C:\\sampleCode\\home",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}

Dynamic Finding
{
    "message": "",
    "success": true,
    "responseCode": -1,
    "object": {
        "id": 40,
        "longDescription": "This should be addressed.",
        "attackString": null,
        "attackRequest": null,
        "attackResponse": null,
        "nativeId": "24",
        "displayId": null,
        "surfaceLocation": {
            "id": 40,
            "parameter": "store",
            "path": "/store/3"
        },
        "sourceFileLocation": null,
        "dataFlowElements": null,
        "calculatedUrlPath": "/store/3",
        "calculatedFilePath": "",
        "dependency": null,
        "severity": "Medium",
        "vulnerabilityType": "Location"
    }
}

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.