Component Waivers REST API - v2

NEW IN RELEASE 76

The Component Waivers API focuses on existing policy waivers by component. The waivers can be at any scope (app, org, root org, repository, or all repositories). Waivers are listed for each stage in order to fully detail all the waivers for an application. Stages can carry duplicate waivers, but this accurately reflects every case in which a component is waived in one stage and not another. For repository waivers the only applicable stage is the proxy stage.

All repository reports must be re-evaluated in order to include the most accurate policy waiver information used by the new API.

Requesting Component Waivers

To list the component waivers:

GET api/v2/reports/components/waivers

A sample request to list the component waivers is done with the following command:

curl -u admin:admin123 -X GET http://localhost:8070/api/v2/reports/components/waivers

Response Description

The server will respond with JSON that groups waivers by application components and repository components. The waived application violations are listed per stage and include the waiver details. Similarly, the waived repository violations are listed in the proxy stage and include the waiver details.

Here is a brief outline of the response that describes the high-level object composition. For the full response details, see the Sample Response below.

{
  "applicationWaivers" : [ {
    "application" : { },
    "stages" : [ {
      "stageId" : "build",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "policyWaiverId" : "e8f43ba30718456eadad6f0616f4c68e",
            "comment" : "temporary waiver",
            "isObsolete" : false,
            "createTime" : "2019-10-16T20:52:27.659+0000"
          }
        } ]
      } ]
    }, {
      "stageId" : "release",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "comment" : "The waiver cannot be found.  Please re-evaluate.",
            "isObsolete" : true
          }
        } ]
      } ]
    } ]
  } ],
  "repositoryWaivers" : [ {
    "repository" : { },
    "stages" : [ {
      "stageId" : "proxy",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "policyWaiverId" : "e8f43ba30718456eadad6f0616f4c68e",
            "comment" : "temporary waiver",
            "isObsolete" : false,
            "createTime" : "2019-10-16T20:52:27.659+0000"
          }
        } ]
      } ]
    } ]
  } ]
}
Item | Description
applicationWaivers | List of applications that have waived violations.
application | Application details.
repositoryWaivers | List of repositories that have waived violations.
repository | Repository details.
stages | List of stages applicable for the violations of the repository or application.
stageId | Stage of the waived violations.
componentPolicyViolations | List of components and their waived violations.
component | Component details.
waivedPolicyViolations | List of waived policy violation details that applied to a component.
policyWaiver | Waiver details for a waived policy violation.
policyWaiverId | ID of the policy waiver when there is an active waiver for the violation.
isObsolete | Indicates true if a waived violation no longer has valid policy waiver information, such as when a waiver has been removed and the report has not been re-evaluated.
comment | The policy waiver comment when there is an active waiver for the violation. If the waiver is obsolete, this carries a message indicating the waiver cannot be found and re-evaluation is necessary.
createTime | The date and time the policy waiver was created when there is an active waiver for the violation. Note: this is not the time the violation was waived during an evaluation.

Sample Response

A sample response returned by the API:

{
  "applicationWaivers":[
    {
      "application":{
        "id":"b701251dcbcb4b1f98ea2f9185a40ac1",
        "publicId":"app1",
        "name":"app1",
        "organizationId":"819f4058db814e0d993eaa07e1ec751a",
        "contactUserName":null
      },
      "stages":[
        {
          "stageId":"build",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/org.apache.geronimo.framework/geronimo-security@2.1?type=jar",
                "hash":"848d7549ef7ec13ce546",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"geronimo-security",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"org.apache.geronimo.framework",
                    "version":"2.1"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"35210c5a2ef4454fb3995a5c24c1c021",
                  "policyName":"Security-Medium",
                  "policyViolationId":"e5202f65737145039cf533523ca53606",
                  "threatLevel":7,
                  "constraintViolations":[
                    {
                      "constraintId":"1dce26100b974d9c87ffdd89ec49a28d",
                      "constraintName":"Medium risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2009-0038 with severity 4.3."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2009-0038 with severity 4.3."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"e8f43ba30718456eadad6f0616f4c68e",
                    "comment":"",
                    "createTime":"2019-10-10T19:01:35.544+0000",
                    "isObsolete":false
                  }
                },
                {
                  "policyId":"f2dd37378e53444b8da9b33c260a154e",
                  "policyName":"Security-Critical",
                  "policyViolationId":"b586c84c810b4be1924a82cf65627084",
                  "threatLevel":10,
                  "constraintViolations":[
                    {
                      "constraintId":"77e6999b7b7042b98bd81230dbecbbab",
                      "constraintName":"Critical risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2008-5518 with severity 9.4."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "comment":"Related policy waiver not found. Please re-evaluate.",
                    "isObsolete":true
                  }
                }
              ]
            },
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"6c003ff1e17e46cfb72e1fc4fbfa7844",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"4bf45f6c7ee54405b34ba1a23312c917",
                    "comment":"",
                    "createTime":"2019-10-09T15:21:05.518+0000",
                    "isObsolete":false
                  }
                }
              ]
            }
          ]
        },
        {
          "stageId":"release",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"96cdb0f78e5a439bb592030c243fd6c5",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"4bf45f6c7ee54405b34ba1a23312c917",
                    "comment":"",
                    "createTime":"2019-10-09T15:01:49.604+0000",
                    "isObsolete":false
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "application":{
        "id":"0b6b13a749274eeba41853d042b6a6ca",
        "publicId":"test",
        "name":"test",
        "organizationId":"819f4058db814e0d993eaa07e1ec751a",
        "contactUserName":null
      },
      "stages":[
        {
          "stageId":"build",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"27729fd8605e4e80b5ff6e301202db2d",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"7ed1f091486c4c41aeedb9561de44547",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false
                  }
                }
              ]
            },
            {
              "component":{
                "packageUrl":"pkg:maven/ch.qos.logback/logback-access@0.6?type=jar",
                "hash":"47b6857af4a1cc50875a",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"logback-access",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"ch.qos.logback",
                    "version":"0.6"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"0ba8d544b320485c9e395c9b09ea8cdf",
                  "policyName":"Architecture-Quality",
                  "policyViolationId":"e5270ae8bcea407a80a99a58dddd0ceb",
                  "threatLevel":1,
                  "constraintViolations":[
                    {
                      "constraintId":"2bfb2100539b47bb90cb224471451b40",
                      "constraintName":"Version is old",
                      "reasons":[
                        {
                          "reason":"Age was 12 years, 10 months and 10 days"
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"5b2b1946d6904038bbb81bdd81c49f44",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false
                  }
                },
                {
                  "policyId":"f2dd37378e53444b8da9b33c260a154e",
                  "policyName":"Security-Critical",
                  "policyViolationId":"3fc1317d3ab04ec4b1ec838a2e04cbc0",
                  "threatLevel":10,
                  "constraintViolations":[
                    {
                      "constraintId":"77e6999b7b7042b98bd81230dbecbbab",
                      "constraintName":"Critical risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5929 with severity 9.8."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"2116a80930ad441f9ef811b66f85ebfa",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ],
  "repositoryWaivers":[
    {
      "repository":{
        "repositoryId":"579729e6b3134c0bb40de1ac077288be",
        "publicId":"maven-central",
        "format":"maven2"
      },
      "stages":[
        {
          "stageId":"proxy",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"12ba38f6d38b4f2585c5f3415f094af4",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"c77807246ae0440a9770da06d8dcbbbf",
                    "comment":"",
                    "createTime":"2019-10-16T20:52:27.659+0000",
                    "isObsolete":false
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "repository":{
        "repositoryId":"a5a4dbb21062447590c0ee6f10b42bc4",
        "publicId":"repo2",
        "format":"maven2"
      },
      "stages":[
        {
          "stageId":"proxy",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/catalina@5.5.12?type=jar",
                "hash":"d62e5a9802baf4da2d9a",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"catalina",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.12"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"8b6595e781584040bdd0727ea86c8896",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2016-6797 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2016-6797 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "comment":"Related policy waiver not found. Please re-evaluate.",
                    "isObsolete":true
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

The returned component hash value is truncated and is meant to be used as an identifier that can be passed into subsequent REST API calls. It is not intended to be used as a checksum.
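As an added example (not part of the Sonatype documentation or its code), the script below walks a response in the documented shape and lists every waived violation whose waiver information is obsolete, highest threat level first; such an entry means the report still shows the violation as waived although the waiver itself can no longer be found, so the report needs re-evaluation before it can be trusted. The embedded response is a constructed sample trimmed to the fields the walker reads; the identifiers in it are taken from the samples above.

```python
import json

# Constructed sample in the documented shape (not a real server reply), trimmed
# to the fields the walker reads: one live waiver and two obsolete ones.
SAMPLE_RESPONSE = json.dumps({
    "applicationWaivers": [{
        "application": {"publicId": "app1"},
        "stages": [
            {"stageId": "build", "componentPolicyViolations": [{
                "component": {"packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"},
                "waivedPolicyViolations": [{"policyName": "Security-High", "threatLevel": 9,
                    "policyWaiver": {"policyWaiverId": "4bf45f6c7ee54405b34ba1a23312c917",
                                     "comment": "", "isObsolete": False}}]}]},
            {"stageId": "release", "componentPolicyViolations": [{
                "component": {"packageUrl": "pkg:maven/org.apache.geronimo.framework/geronimo-security@2.1?type=jar"},
                "waivedPolicyViolations": [{"policyName": "Security-Critical", "threatLevel": 10,
                    "policyWaiver": {"comment": "Related policy waiver not found. Please re-evaluate.",
                                     "isObsolete": True}}]}]}]}],
    "repositoryWaivers": [{
        "repository": {"publicId": "maven-central"},
        "stages": [{"stageId": "proxy", "componentPolicyViolations": [{
            "component": {"packageUrl": "pkg:maven/tomcat/catalina@5.5.12?type=jar"},
            "waivedPolicyViolations": [{"policyName": "Security-High", "threatLevel": 9,
                "policyWaiver": {"comment": "Related policy waiver not found. Please re-evaluate.",
                                 "isObsolete": True}}]}]}]}]})


def iter_waivers(response):
    """Yield one flat record per waived violation, across application and repository waivers."""
    for list_key, owner_key in (("applicationWaivers", "application"), ("repositoryWaivers", "repository")):
        for entry in response.get(list_key, []):
            owner = entry[owner_key]["publicId"]
            for stage in entry.get("stages", []):
                for cpv in stage.get("componentPolicyViolations", []):
                    purl = cpv["component"].get("packageUrl")
                    for wpv in cpv.get("waivedPolicyViolations", []):
                        waiver = wpv["policyWaiver"]
                        yield {"owner": owner, "stage": stage["stageId"], "purl": purl,
                               "policy": wpv.get("policyName"), "threatLevel": wpv.get("threatLevel", 0),
                               # policyWaiverId and createTime are absent when the waiver is obsolete
                               "waiverId": waiver.get("policyWaiverId"), "obsolete": bool(waiver.get("isObsolete"))}


def obsolete_waivers(response_text):
    """Return (obsolete records, highest threat level first; total waived violations seen)."""
    records = list(iter_waivers(json.loads(response_text)))
    stale = sorted((r for r in records if r["obsolete"]), key=lambda r: -r["threatLevel"])
    return stale, len(records)


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with the body returned by the curl call above to run against a live server.
    stale, total = obsolete_waivers(SAMPLE_RESPONSE)
    print(f"{len(stale)} of {total} waived violations have obsolete waiver info; re-evaluate these reports:")
    for r in stale:
        print(f"  [threat {r['threatLevel']}] {r['owner']}/{r['stage']} {r['purl']} ({r['policy']})")
```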