Vulnerability Analysis Details REST API
This experimental Vulnerability Analysis Details API lets you maintain VEX information by adding, updating or removing the analysis element in a report's vulnerability data. It accepts a POST request carrying a set of CycloneDX-formatted analysis details, each keyed by the vulnerability ID whose analysis is to be replaced or added. It also accepts a DELETE request for a specific vulnerability ID, which removes that vulnerability's analysis elements.
User permissions required to invoke this API call: Edit IQ Elements
Methods supported:
POST to add or update one or more vulnerabilities of a given report
DELETE to remove details from a single vulnerability
Add or update vulnerability analysis details
Analysis details can be updated or added by making an authenticated HTTP POST request:
POST /api/experimental/vex/application/{applicationInternalId}/report/{scanId}
With a JSON body payload containing an array of vulnerability analysis details:
{
  "vulnerabilities": [
    {
      "id": "...<vulnerability id>...",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "will_not_fix",
          "update"
        ],
        "detail": "An optional explanation of why the application is not affected by the vulnerable component."
      }
    }
  ]
}
Responses
200 OK: with the update results as the body
404 Not Found: if the application or scan IDs are not found
The success response body contains the result of applying each of the given vulnerability updates, in the format:
{
  "vulnerability Id": "Update result",
  ...
}
Update results can be:
ADDED: the vulnerability exists in the report and had no previous analysis details.
UPDATED: the vulnerability had existing analysis details, and those were replaced with the new ones.
NOT_FOUND: the given vulnerability was not found in the report, so no analysis details were added.
Example:
curl --location 'http://testIQserver/api/experimental/vex/application/a21d75b2079f47c58df99ccfb70054b0/report/37245ca1cee9483ba48b087c6205f47e' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4xMjM=' \
--header 'Cookie: CLM-CSRF-TOKEN=dd815142-f85b-4db5-9ef8-4f6621679a01' \
--data '{
  "vulnerabilities": [
    {
      "id": "CVE-2021-41495",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix", "update"],
        "detail": "simply for test."
      }
    },
    {
      "id": "CVE-2021-41496",
      "analysis": {
        "state": "in_triage",
        "justification": "requires_configuration",
        "response": ["will_not_fix", "workaround_available"],
        "detail": "An optional explanation of why the application is not affected by the vulnerable component."
      }
    }
  ]
}'
Response:
{
  "CVE-2021-41496": "ADDED",
  "CVE-2021-41495": "UPDATED"
}
Remove vulnerability analysis details
DELETE /api/experimental/vex/application/{appInternalId}/report/{scanId}/{vulnerabilityId}
Responses
200 OK: with the removed vulnerability analysis details as the body
204 No Content: if the given vulnerability does not contain any analysis details
404 Not Found: if the report or vulnerability is not found
Example:
curl --location --request DELETE 'http://testIQserver/api/experimental/vex/application/a21d75b2079f47c58df99ccfb70054b0/report/37245ca1cee9483ba48b087c6205f47e/CVE-2021-41496' \
--header 'Authorization: Basic YWRtaW46YWRtaW4xMjM=' \
--header 'Cookie: CLM-CSRF-TOKEN=dd815142-f85b-4db5-9ef8-4f6621679a01'
Response:
{
  "id": "CVE-2021-41496",
  "analysis": {
    "state": "not_affected",
    "justification": "code_not_reachable",
    "response": [
      "will_not_fix",
      "update"
    ],
    "detail": "An optional explanation ..."
  }
}
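The following Python client is an added example, not part of this documentation or of IQ Server itself. It builds the POST body for the add/update call described above, checks the analysis values against the CycloneDX 1.4 VEX enumerations before anything is sent (an assumption: the page lists only some of those values), groups the ADDED/UPDATED/NOT_FOUND result map so silently skipped vulnerabilities are visible, and issues the DELETE call for one vulnerability. The IQ_BASIC_AUTH and IQ_CSRF_TOKEN environment variable names are assumptions of this example.

```python
import json
import os
import urllib.request

# CycloneDX 1.4 VEX analysis enumerations (assumption: IQ accepts the full
# spec value sets; the documentation above shows only some of them).
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
          "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}


def build_payload(entries):
    """Build the POST body from (vulnerability id, analysis dict) pairs, rejecting
    values outside the CycloneDX enumerations before they reach the server."""
    vulns = []
    for vuln_id, analysis in entries:
        if analysis.get("state") not in STATES:
            raise ValueError(f"{vuln_id}: invalid state {analysis.get('state')!r}")
        if "justification" in analysis and analysis["justification"] not in JUSTIFICATIONS:
            raise ValueError(f"{vuln_id}: invalid justification")
        if set(analysis.get("response", [])) - RESPONSES:
            raise ValueError(f"{vuln_id}: invalid response value")
        vulns.append({"id": vuln_id, "analysis": analysis})
    return {"vulnerabilities": vulns}


def summarize_results(result):
    """Group the {vulnerability id: ADDED|UPDATED|NOT_FOUND} response map so a
    caller can see which VEX statements the report did not accept."""
    summary = {"ADDED": [], "UPDATED": [], "NOT_FOUND": []}
    for vuln_id, outcome in result.items():
        summary.setdefault(outcome, []).append(vuln_id)
    return summary


def call_vex_api(method, base_url, app_internal_id, scan_id, vuln_id=None, entries=None):
    # POST analysis details for a whole report, or DELETE them for one vulnerability.
    url = f"{base_url}/api/experimental/vex/application/{app_internal_id}/report/{scan_id}"
    if method == "DELETE":
        url += f"/{vuln_id}"
    body = json.dumps(build_payload(entries)).encode() if method == "POST" else None
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Content-Type": "application/json",
        "Authorization": "Basic " + os.environ["IQ_BASIC_AUTH"],   # assumed env var
        "Cookie": "CLM-CSRF-TOKEN=" + os.environ["IQ_CSRF_TOKEN"]})  # assumed env var
    with urllib.request.urlopen(req) as resp:
        if resp.status == 204:  # DELETE on a vulnerability that had no analysis details
            return None
        data = json.load(resp)
        return summarize_results(data) if method == "POST" else data
```

A NOT_FOUND entry means the report never received that VEX statement, so the caller should treat a non-empty NOT_FOUND list as a failed update rather than a success.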