Vulnerability Details REST API
The Vulnerability Details REST API allows you to retrieve vulnerability details by passing a CVE ID/Sonatype vulnerability identifier or a component identifier. The response will include the root causes of the vulnerability when you pass the component identifier as a parameter in the GET request.
User Permissions Required to Invoke this API call
View IQ Elements
Methods supported:
GET (As an authenticated request)
GET (As an anonymous, non-authenticated request)
GET vulnerability details by passing a CVE or Sonatype vulnerability identifier
Vulnerability details can be retrieved by making an authenticated HTTP GET request:
GET /api/v2/vulnerabilities/{vulnerabilityId}
where {vulnerabilityId} is a CVE or a Sonatype vulnerability identifier.
Example:
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
where CVE-2017-5929 is the vulnerabilityId.
Response:
On successful execution, the response JSON contains the vulnerability details corresponding to the vulnerabilityId provided.
{
  "identifier": "CVE-2017-5929",
  "vulnIds": ["CVE-2017-5929"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [ { "id": "XXX", "uri": "https://cwe.mitre.org/data/definitions/XXX.html" } ]
  },
  "categories": ["category1", "category2"],
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": "Detection instructions will be provided here.",
  "recommendationMarkdown": "Recommendations will be provided here",
  "advisories": [ { "referenceType": "PROJECT", "url": "http://project-url" } ],
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "customData": {
    "remediation": "Please install latest version of the app",
    "cweId": "some-cwe-ids",
    "cvssVector": "some/vector",
    "cvssSeverity": 7.6
  },
  "detectionType": null
}
In the JSON response above:
mainSeverity: the official CVE severity for the vulnerability; if no CVE severity score exists, it holds the Sonatype severity assigned by Sonatype researchers.
severityScores: all other known severity scores not already given in mainSeverity.
vulnerabilityLink: the link to the official CVE description page.
vulnIds: an array listing the related vulnerability IDs.
customData: the vulnerability attributes customized by users for this vulnerability under the requested scope. The "customData" field is included in the response if customized vulnerability attributes are found under the given scope.
detectionType: a string with the possible values PRIMARY, SECONDARY, AST, UNSHADER, OTHER, or null (when no component identifier is provided). It indicates the type of vulnerability detection system used to obtain the vulnerability data.
Definitions of the detectionType values:
PRIMARY: This vulnerability data has been investigated by the researcher to explicitly implicate components referenced in the feed or as a result of their independent research.
SECONDARY: This component has been implicated by our automated systems because it shares vulnerable code with components that were implicated by our PRIMARY systems.
AST: This vulnerability has been discovered as part of Application Security Testing (AST) and includes common issues such as code injection, authentication flaws, and data leakage.
UNSHADER: This vulnerability has been discovered by the Shaded Vulnerability Detection algorithm.
Get vulnerability details by passing a component identifier
Vulnerability details can also be retrieved by an authenticated HTTP GET request that passes a component identifier (URL-encoded JSON, as in the example below) in the componentIdentifier query parameter. In addition to the vulnerability details, this request also returns the root causes of the vulnerability for that component.
Example:
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'
Response:
{
  "identifier": "CVE-2022-22815",
  "vulnIds": ["CVE-2022-22815"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [ { "id": "665", "uri": "https://cwe.mitre.org/data/definitions/665.html" } ]
  },
  "categories": ["data"],
  "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
  "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
  "componentExplanationMarkdown": "",
  "detectionMarkdown": "The application is vulnerable by using this component.",
  "componentDetectionMarkdown": "",
  "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
  "componentRecommendationMarkdown": "",
  "rootCauses": [
    {
      "listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
      "versionRange": "[5.0.0 , 9.0.0)"
    }
  ],
  "advisories": [
    { "referenceType": "PROJECT", "url": "https://github.com/python-pillow/Pillow/pull/5920" },
    { "referenceType": "THIRD_PARTY", "url": "https://access.redhat.com/security/cve/cve-2022-22815" }
  ],
  "vulnerableVersionRanges": ["[8.3.2,9.0.0)"],
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "customData": {
    "remediation": "some-string",
    "cweId": "some-cwe-ids",
    "cvssVector": "some/vector",
    "cvssSeverity": 7.6
  },
  "detectionType": "PRIMARY"
}
In the JSON response above, vulnerableVersionRanges contains the complete list of component version ranges that are vulnerable. A bound is inclusive when written with a bracket ('[' or ']') and exclusive when written with a parenthesis ('(' or ')'); for example, "[8.3.2,9.0.0)" covers 8.3.2 up to, but not including, 9.0.0.
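As an added example (not Sonatype's own client code), the following Python builds the componentIdentifier request URL from a component's format and coordinates, exactly as the curl example above encodes it, and checks an installed version against the vulnerableVersionRanges notation just described. IQ_BASE, the function names and the trimmed SAMPLE_RESPONSE are assumptions; version comparison is plain dotted-numeric and does not handle PEP 440 or Maven qualifiers.

```python
import json
from urllib.parse import quote

IQ_BASE = "http://localhost:8070"  # assumed server, as in the page's curl examples

# Constructed sample: the version fields of the page's CVE-2022-22815 response.
SAMPLE_RESPONSE = {"identifier": "CVE-2022-22815",
                   "vulnerableVersionRanges": ["[8.3.2,9.0.0)"]}

def component_identifier(fmt, **coordinates):
    """Compact JSON text for the componentIdentifier query parameter."""
    return json.dumps({"format": fmt, "coordinates": coordinates}, separators=(",", ":"))

def vulnerability_url(vuln_id, component_id=None):
    """URL for GET /api/v2/vulnerabilities/{vulnerabilityId}; the component
    identifier is percent-encoded exactly as in the page's curl example."""
    url = f"{IQ_BASE}/api/v2/vulnerabilities/{quote(vuln_id, safe='')}"
    if component_id is not None:
        url += "?componentIdentifier=" + quote(component_id, safe="")
    return url

def _version_key(version):
    # Assumption: plain dotted numeric versions (enough for the Pillow example).
    return tuple(int(part) for part in version.split("."))

def in_range(version, version_range):
    """True if version lies in a range such as "[5.0.0 , 9.0.0)": '[' and ']'
    are inclusive bounds, '(' and ')' exclusive; an empty bound is open-ended."""
    lo_incl, hi_incl = version_range[0] == "[", version_range[-1] == "]"
    lo, hi = (bound.strip() for bound in version_range[1:-1].split(","))
    v = _version_key(version)
    if lo and (v < _version_key(lo) or (v == _version_key(lo) and not lo_incl)):
        return False
    if hi and (v > _version_key(hi) or (v == _version_key(hi) and not hi_incl)):
        return False
    return True

def matching_ranges(response, version):
    """vulnerableVersionRanges entries that cover the installed version; the
    field is absent from anonymous responses, so a missing key means none."""
    return [r for r in response.get("vulnerableVersionRanges") or [] if in_range(version, r)]

if __name__ == "__main__":
    cid = component_identifier("pypi", extension="whl", name="Pillow",
                               qualifier="cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64",
                               version="8.3.2")
    print(vulnerability_url("CVE-2022-22815", cid))
    print(matching_ranges(SAMPLE_RESPONSE, "8.3.2"))  # ['[8.3.2,9.0.0)']
```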
GET vulnerability details using anonymous, non-authenticated requests
The response for anonymous, non-authenticated requests retrieves limited vulnerability details.
Example:
curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
Response:
{
  "identifier": "CVE-2017-5929",
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": null,
  "categories": null,
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": null,
  "recommendationMarkdown": null,
  "advisories": null,
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "detectionType": null
}