Skip to main content

Policy Violation REST API

Use this REST API to access the policy violation data gathered during the evaluation of applications.

The data returned by the REST API will not contain the violation data for a policy if it has been waived (or assigned as legacy violations.) You can use this to validate if you have successfully applied the necessary waivers/legacy violations.

GET

Used to retrieve policy information, such as a list of policy ids as well as a list of violations based on a specific Policy ID, or list of IDs.

Get the policy metadata

To access policy violation information you need the identifier for the policy.

GET /api/v2/policies/

Example:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policies'

The list of policies is returned in JSON format. The policy IDs will be unique to your instance.

{
    "policies": [
        {
            "id": "6984017845c645b0ad0c95401ad4f17d",
            "name": "My Application Policy",
            "ownerId": "36d7e629462a4038b581488c347959bc",
            "ownerType": "APPLICATION",
            "threatLevel": 5,
            "policyType": "quality"
        },
    ]
}

Item

Description

id

The internal id for the policy

name

This is the name of the policy

ownerId

The internal id for the organization or application where the policy was created

ownerType

This indicates whether the policy is for an organization or application.

threatLevel

This is the threat level that is set for the policy.

policyType

Based on the conditions used in the policy. Options are: security, license, quality, or other

Get all violations of a policy

Using the policy ID from above, you can query the complete list of violations for that policy.

GET /api/v2/policyViolations?p=policyID

Example:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d'

Optional parameters openTimeAfter and openTimeBefore are supported to filter the results.

Both are optional, and they can be used together or independently. The accepted format is YYYY-MM-DD .

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d&openTimeAfter=2020-01-01&openTimeBefore=2020-06-31'

Successful response:

{
   "applicationViolations":[
      {
         "application":{
            "id":"529b7f71bb714eca8955e5d66687ae2c",
            "publicId":"MyAppID1",
            "name":"MyApplications",
            "organizationId":"36d7e629462a4038b581488c347959bc",
            "contactUserName":null
         },
         "policyViolations":[
            {
               "policyId":"6984017845c645b0ad0c95401ad4f17d",
               "policyName":"Security-High",
               "policyViolationId":"020613b2521b4aeb9ee0d8a0adfd6f2d",
               "stageId":"build",
               "reportId":"c0ddefc4512f42d0bcbe29029e2be117"
               "reportUrl":"ui/links/application/MyAppID1/report/c0ddef
               c4512f42d0bcbe29029e2be117",
               "openTime": "2020-04-27T13:37:57.264+0000",
               "threatLevel":9,
               "constraintViolations":[
                  {
                     "constraintId":"19011de290b147a38c820ad7bd5c653d",
                     "constraintName":"CVSS >=7 and <10",
                     "reasons":[
                        {
                           "reason":"Found 2 Security Vulnerabilities with Severity >= 7"
                        },
                        {
                           "reason":"Found 4 Security Vulnerabilities with Severity < 10"
                        },
                        {
                           "reason":"Found 4 Security Vulnerabilities with Status OPEN"
                        }
                     ]
                  }
               ],
               "component":{
                  "hash":"384faa82e193d4e4b054",
                  "componentIdentifier":{
                     "format":"maven",
                     "coordinates":{
                        "artifactId":"tomcat-util",
                        "classifier":"",
                        "extension":"jar",
                        "groupId":"tomcat",
                        "version":"5.5.23"
                     }
                  },
                  "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                  "proprietary":false
               }
            }
         ]
      }
   ]
}

Item

Descrption

application

Category containing specific information about the application.

id

The internal id.

publicId

The application ID. In the IQ Server GUI this is represented by the "Application" field.

name

The name of the application. In the IQ Server GUI this corresponds to the "Application Name" field.

organizationId

The internal id for the organization that the application resides in, and is not visible within the IQ Server GUI.

contactUserName

This is typically the person in charge of the application. In the IQ Server GUI, it corresponds to the contact field for the application.

policyViolations

A subcategory of the application, and provides specific information about the policy and corresponding violations that were found.

policyId

The internal id for the policy.

policyName

The name of the policy, and is visible in the IQ Server GUI.

policyViolationId

The internal id for the policy violation.

stageId

Stage in which the policy violation occurred in. It is displayed in various places within the IQ Server GUI, including the associated Application Composition Report.

reportId

This is the ID of the Application Composition Report associated with the evaluation that found the listed policy violations.

reportUrl

This is the URL to the Application Composition Report associated with the evaluation that found the listed policy violations.

openTime

This is the date and time that the violation was first seen.

threatLevel

This the threat level of the policy that was violated.

constraintViolations

This is a subcategory for Policy Violations, and includes all information related to specific constraint that was violated.

constraintId

This is the internal id for the constraint, and is not visible in the IQ Server GUI, or in the associated Application Composition Report.

constraintName

This is the name of the constraint and is visible in the policy area where the policy was created (i.e either the organization or application). It is also displayed in the Application Composition Report and various tools that connect to the IQ Server.

reasons

This is a subcategory of Constraint Violations, and gives the reason why the violation occurred.

reason

The reason is formed by the value(s) for the condition(s) violated. Conditions are visible where the policy was created (i.e either the organization or application). It is also displayed in the Application Composition Report and various tools that connect to the IQ Server.

component

Component is a subcategory of Policy Violations, and includes information about the component(s) causing the violation to occur.

hash

Truncated (20 chars) SHA1 hash value of the component used as an internal identifier.

componentIdentifier

This is simply a container for the component information. It will always include the format and the coordinates.

format

This is the format the component is in, and will determine what type of coordinate information is displayed.

coordinates

This will depend on the format. An example would be Maven, which uses a G : A : E : C : V (Group, Artifact Id, Extension, Classifier, and Version) for the component. In this example, the fields provided are: component.