Exclude Auto Policy Waiver REST API
Use this REST API to manage exclusion of Automated Waivers on security policy violations.
Automated Waivers, when configured at the organization or application level are applied to security policy violations that meet the configuration criteria. You can exclude or remove an Automated Waiver on a specific security policy violation, even if it is configured at the organization or application level.
Permissions Required: Waive Policy Violations
Methods Supported:
GET
POST
DELETE
GET Existing Exclusions on Automated Waivers
GET /api/v2/autoPolicyWaiverExclusions/{ownerType: application|organization}/{ownerId}/{autoPolicyWaiverId}
Use this method to retrieve the existing Exclusions (removals) of an Automated Waiver that were created on policy violations, by providing the autoPolicyWaiverId.
Input Parameter | Required | Description |
---|---|---|
ownerType | Yes | Values can be application or organization. |
ownerId | Yes | The identifier for application or organization specified as ownerType. |
autoPolicyWaiverId | Yes | The identifier for a specific Automated Waiver. |
page | No (default value: 1) | Page number to retrieve. |
pageSize | No (default value: 10) | Number of results per page. |
Example:
To retrieve all Exclusions of the Automated Waiver with autoPolicyWaiverId waiver-789 for the applicationId 8a57c492dab64068ba6aa0c4a724e0db on page number one with 10 results per page:
```bash
curl -X GET -u admin:admin123 \
  'http://localhost:8070/api/v2/autoPolicyWaiverExclusions/application/8a57c492dab64068ba6aa0c4a724e0db/waiver-789?page=1&pageSize=10' \
  --header 'Accept: application/json'
```
Response:
A successful response (response code 200) contains a list of Exclusions (autoPolicyWaiverExclusionId).
POST New Exclusion on Automated Waiver
POST /api/v2/autoPolicyWaiverExclusions/{ownerType: application|organization}/{ownerId}
Use this method to revoke (remove) an Automated Waiver from a policy violation. A successful request creates an Exclusion.
An Exclusion will exclude this policy violation from Automated Waiver, even if the parent application or organization has been configured for Automated Waivers.
The request body consists of the following input parameters:
Input Parameter | Required | Description |
---|---|---|
applicationPublicId | Yes | The name of the application implicated by the policy violation. |
ownerId | Yes | The internal identifier for the application. |
policyViolationId | Yes | The identifier of the policy violation that was auto-waived. |
autoPolicyWaiverId | | The identifier for the auto-waiver that was applied to the policy violation. |
scanId | | The scanId associated with the evaluation. |
matchStrategy | Yes | An enum with one of the following values: EXACT_COMPONENT, ALL_VERSIONS, POLICY_VIOLATION |
Example:
To create an Exclusion on an Automated Waiver (autoPolicyWaiverId waiver-789) that was applied to a policy violation (policyViolationId policy-567) found by the evaluation (scanId scan-001) of the application (applicationPublicId app-123):
```bash
curl -X POST -u admin:admin123 \
  'http://localhost:8070/api/v2/autoPolicyWaiverExclusions/application/8a57c492dab64068ba6aa0c4a724e0db' \
  --header 'Content-Type: application/json' \
  --data '{
    "applicationPublicId": "app-123",
    "ownerId": "8a57c492dab64068ba6aa0c4a724e0db",
    "policyViolationId": "policy-567",
    "autoPolicyWaiverId": "waiver-789",
    "scanId": "scan-001",
    "matchStrategy": "POLICY_VIOLATION"
  }'
```
Response:
An Exclusion for the Automated Waiver is created. The response includes details on the policy violation on which the Automated Waiver was applied.
```json
{
  "autoPolicyWaiverExclusionId": "a6afe407442e479091dcd317ea30d550",
  "ownerId": "5b6c0dde3b0e415487dd0c92220d105c",
  "creatorId": "admin",
  "creatorName": "Admin BuiltIn",
  "createTime": "2024-12-26T16:45:59.614+0000",
  "autoPolicyWaiverId": "36e5c493f6ee4aacb568766395372ef8",
  "hash": "47e0b80099d6109ef199",
  "scanId": "0647de7c9fa84959b8a832ee4a2524f9",
  "componentMatchStrategy": "POLICY_VIOLATION",
  "policyViolationId": "80de81ee5f064cc4aee492ad5a8c971d",
  "threatLevel": 7,
  "policyName": "Security-Medium",
  "componentDisplayName": "com.nulab-inc : zxcvbn : 1.9.0",
  "componentIdentifier": {
    "format": "maven",
    "coordinates": {
      "artifactId": "zxcvbn",
      "classifier": "",
      "extension": "jar",
      "groupId": "com.nulab-inc",
      "version": "1.9.0"
    }
  },
  "vulnerabilityIdentifiers": "sonatype-2023-2654",
  "policyId": "9f7aaee3df89410eb2ba8c07c4965b35",
  "constraintFacts": [
    {
      "constraintId": "1ec7c74b2b65414d85bf1767f9efc8fd",
      "constraintName": "Medium risk CVSS score",
      "operatorName": "AND",
      "conditionFacts": [
        {
          "conditionTypeId": "SecurityVulnerabilitySeverity",
          "conditionIndex": 0,
          "summary": "Security Vulnerability Severity >= 4",
          "reason": "Found security vulnerability sonatype-2023-2654 with severity >= 4 (severity = 5.3)",
          "reference": {
            "value": "sonatype-2023-2654",
            "type": "SECURITY_VULNERABILITY_REFID"
          },
          "triggerJson": "{\"conditionIndex\":0,\"trigger\":{\"refId\":\"sonatype-2023-2654\",\"severity\":5.3}}"
        },
        {
          "conditionTypeId": "SecurityVulnerabilitySeverity",
          "conditionIndex": 1,
          "summary": "Security Vulnerability Severity < 7",
          "reason": "Found security vulnerability sonatype-2023-2654 with severity < 7 (severity = 5.3)",
          "reference": {
            "value": "sonatype-2023-2654",
            "type": "SECURITY_VULNERABILITY_REFID"
          },
          "triggerJson": "{\"conditionIndex\":1,\"trigger\":{\"refId\":\"sonatype-2023-2654\",\"severity\":5.3}}"
        }
      ]
    }
  ]
}
```
DELETE Exclusion of Automated Waiver
DELETE /api/v2/autoPolicyWaiverExclusions/{ownerType: application|organization}/{ownerId}/{autoPolicyWaiverId}/{autoPolicyWaiverExclusionId}
Use this method to delete an Exclusion of an Automated Waiver on a policy violation.
When an Exclusion is deleted, the policy violation is eligible for Automated Waivers again. Automated Waiver will be applied to this policy violation after a re-evaluation.
Input Parameter | Required | Description |
---|---|---|
ownerType | Yes | Values can be application or organization. |
ownerId | Yes | The identifier for application or organization specified as ownerType. |
autoPolicyWaiverId | Yes | The identifier for the Automated Waiver that was revoked. |
autoPolicyWaiverExclusionId | Yes | The ID of the exclusion to delete (from the response of the GET method) |
Example:
```bash
curl -X DELETE -u admin:admin123 \
  'http://localhost:8070/api/v2/autoPolicyWaiverExclusions/application/8a57c492dab64068ba6aa0c4a724e0db/waiver-789/exclusion-001'
```
Response:
A response code 204 indicates that the Exclusion is deleted. The policy violation is once again eligible for Automated Waiver. The Automated Waiver will be applied after the next evaluation.
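The three calls above, wrapped in a small Python client added here as an example (it is not Sonatype's own code): it builds the GET/POST/DELETE URLs, rejects a POST body the server would refuse (missing required fields, unknown matchStrategy) before sending it, and reduces the POST response to the fields worth keeping in an audit log. BASE_URL, the credentials passed to call(), and the helper names are assumptions.

```python
import base64
import json
from urllib import parse, request

# Added example client, not Sonatype's code. Endpoints and fields are those on this page;
# BASE_URL and the credentials passed to call() are placeholders.
BASE_URL = "http://localhost:8070"
MATCH_STRATEGIES = {"EXACT_COMPONENT", "ALL_VERSIONS", "POLICY_VIOLATION"}
REQUIRED_BODY_FIELDS = ("applicationPublicId", "ownerId", "policyViolationId", "matchStrategy")

def exclusion_url(owner_type, owner_id, waiver_id=None, exclusion_id=None, page=None, page_size=None):
    """Build the URL for GET (waiver_id, optional paging), POST (owner only) or DELETE (both ids)."""
    if owner_type not in ("application", "organization"):
        raise ValueError("ownerType must be application or organization")
    parts = [BASE_URL, "api/v2/autoPolicyWaiverExclusions", owner_type, owner_id]
    parts += [p for p in (waiver_id, exclusion_id) if p]
    query = {k: v for k, v in (("page", page), ("pageSize", page_size)) if v is not None}
    return "/".join(parts) + ("?" + parse.urlencode(query) if query else "")

def validate_exclusion_body(body):
    """Catch what the server would reject: missing required fields or an unknown matchStrategy."""
    missing = [f for f in REQUIRED_BODY_FIELDS if not body.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    if body["matchStrategy"] not in MATCH_STRATEGIES:
        raise ValueError("matchStrategy must be one of " + ", ".join(sorted(MATCH_STRATEGIES)))
    return body

def summarize_exclusion(resp):
    """Reduce a POST response (shape as on this page) to the facts worth logging for audit."""
    return {
        "exclusionId": resp["autoPolicyWaiverExclusionId"],
        "waiverId": resp["autoPolicyWaiverId"],
        "policy": resp["policyName"],
        "threatLevel": resp["threatLevel"],
        "component": resp["componentDisplayName"],
        "vulnerability": resp["vulnerabilityIdentifiers"],
        "createdBy": resp["creatorId"],
    }

def call(method, url, user, password, body=None):
    """Send one Basic-auth request; return parsed JSON, or None on 204 (DELETE)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(validate_exclusion_body(body)).encode()
    with request.urlopen(request.Request(url, data=data, headers=headers, method=method)) as r:
        return None if r.status == 204 else json.loads(r.read())
```

Typical use: `call("POST", exclusion_url("application", owner_id), user, pw, body)` returns the response shown above, whose `autoPolicyWaiverExclusionId` is what the DELETE URL later needs.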