Component Waivers REST API - v2

NEW IN RELEASE 76

The Component Waivers API reports the existing policy waivers by component.  The waivers can be at any scope (application, organization, root organization, repository, or all repositories).  Waivers are listed for each stage so that every waiver applied to an application is shown.  The same waiver can therefore appear under more than one stage; this is intentional, since a component may be present in one stage and not in another, and the list reflects exactly which waivers apply in each stage.  For repository waivers the only applicable stage is the proxy stage.

All repository reports must be re-evaluated in order to include the most accurate policy waiver information used by the new API.

Requesting Component Waivers

To list the component waivers:

GET api/v2/reports/components/waivers

For example, the following command lists the component waivers:

curl -u admin:admin123 -X GET http://localhost:8070/api/v2/reports/components/waivers

NEW IN RELEASE 89

This API currently supports filtering by component format/ecosystem.  To retrieve waivers only for components in a particular ecosystem, for example maven, add a "format" query parameter to the URL as follows:

GET api/v2/reports/components/waivers?format=maven

Response Description

The server responds with JSON that groups waivers by application components and repository components.  The waived application violations are listed per stage and include the waiver details.  Similarly, the waived repository violations are listed under the proxy stage and include the waiver details.

Here is a brief outline of the response that shows the high-level object composition.  For the full response details see the Sample Response below.

{
  "applicationWaivers" : [ {
    "application" : { },
    "stages" : [ {
      "stageId" : "build",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "policyWaiverId" : "e8f43ba30718456eadad6f0616f4c68e",
            "comment" : "temporary waiver",
            "isObsolete" : false,
            "createTime" : "2019-10-16T20:52:27.659+0000",
            "scopeOwnerType": "root_organization",
            "scopeOwnerId": "ROOT_ORGANIZATION_ID",
            "scopeOwnerName": "Root Organization",
            "hash":"1249e25aebb15358bedd",
            "policyId":"775a6e88799040c5bb2dd8f020124d07"
          }
        } ]
      } ]
    }, {
      "stageId" : "release",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "comment" : "The waiver cannot be found.  Please re-evaluate.",
            "isObsolete" : true
          }
        } ]
      } ]
    } ]
  } ],
  "repositoryWaivers" : [ {
    "repository" : { },
    "stages" : [ {
      "stageId" : "proxy",
      "componentPolicyViolations" : [ {
        "component" : { },
        "waivedPolicyViolations" : [ {
          "policyWaiver" : {
            "policyWaiverId" : "e8f43ba30718456eadad6f0616f4c68e",
            "comment" : "temporary waiver",
            "isObsolete" : false,
            "createTime" : "2019-10-16T20:52:27.659+0000",
            "scopeOwnerType": "root_organization",
            "scopeOwnerId": "ROOT_ORGANIZATION_ID",
            "scopeOwnerName": "Root Organization",
            "hash":"1249e25aebb15358bedd",
            "policyId":"775a6e88799040c5bb2dd8f020124d07"
          }
        } ]
      } ]
    } ]
  } ]
}
Item                        Description
applicationWaivers          List of applications that have waived violations.
application                 Application details.  Learn more about Applications.
repositoryWaivers           List of repositories that have waived violations.
repository                  Repository details.
stages                      List of stages applicable for the violations of the repository or application.
stageId                     Stage of the waived violations.
componentPolicyViolations   List of components and their waived violations.
component                   Component details.  Learn more about Components.
waivedPolicyViolations      List of waived policy violation details that applied to a component.  Learn more about Policy Violations.
policyWaiver                Waiver details for a waived policy violation.
policyWaiverId              The ID of the policy waiver when there is an active waiver for the violation (omitted for obsolete waivers, as in the samples).
scopeOwnerType              NEW IN RELEASE 79.  The owner type of the policy waiver's scope.  Applies for waivers that are not obsolete.
scopeOwnerId                NEW IN RELEASE 79.  The owner ID of the policy waiver's scope.  Applies for waivers that are not obsolete.
scopeOwnerName              NEW IN RELEASE 79.  The owner name of the policy waiver's scope.  Applies for waivers that are not obsolete.
hash                        NEW IN RELEASE 92.  The hash of the component the policy waiver applies to, or null if the policy waiver applies to any component.
policyId                    NEW IN RELEASE 92.  The ID of the policy the policy waiver applies to.
isObsolete                  true if the waived violation no longer has valid policy waiver information, for example when the waiver has been removed and the report has not been re-evaluated.
comment                     The policy waiver comment when there is an active waiver for the violation.  If the waiver is obsolete, this is a message stating that the waiver cannot be found and re-evaluation is necessary.  The comment has no character restrictions, so treat it as untrusted input: escape or encode it before rendering it in HTML or passing it to a shell, query or log, to prevent injection and Cross-Site Scripting (XSS).
createTime                  The date and time the policy waiver was created, when there is an active waiver for the violation.  Note: this is not the time the violation was waived during an evaluation.
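The following script is an added example and is not code from the original page or from Sonatype.  It builds the GET request described above (with the optional format filter), then walks a report in the documented shape to separate obsolete waivers, which need a re-evaluation before they can be trusted, from active ones, flags active waivers whose hash is null (they apply to any component), and escapes the free-text comment before it is rendered.  Assumptions not taken from the page: credentials are read from the IQ_USER and IQ_PASSWORD environment variables, and SAMPLE_REPORT is a hand-constructed, trimmed report rather than a real server response.

```python
"""Added example, not code from the original page or from Sonatype: build the
waivers request (optionally filtered by format) and audit the JSON it returns.
Assumed rather than taken from the page: credentials in the IQ_USER and
IQ_PASSWORD environment variables; SAMPLE_REPORT is hand-constructed."""
import base64
import html
import json
import os
import urllib.parse
import urllib.request


def waiver_request(base_url, fmt=None, user=None, password=None):
    """GET api/v2/reports/components/waivers[?format=<fmt>] with Basic auth.
    Credentials come from the environment, not the command line, so they stay
    out of shell history and `ps` output (unlike curl -u admin:admin123)."""
    user = os.environ.get("IQ_USER", "") if user is None else user
    password = os.environ.get("IQ_PASSWORD", "") if password is None else password
    url = base_url.rstrip("/") + "/api/v2/reports/components/waivers"
    if fmt:
        url += "?" + urllib.parse.urlencode({"format": fmt})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                                "Accept": "application/json"})


def fetch_waivers(base_url, fmt=None):
    with urllib.request.urlopen(waiver_request(base_url, fmt)) as resp:
        return json.load(resp)


def iter_waived_violations(report):
    """Yield (kind, ownerPublicId, stageId, component, waivedViolation); the
    application and repository branches share the same inner shape."""
    for kind in ("application", "repository"):
        for entry in report.get(kind + "Waivers", []):
            owner = entry[kind].get("publicId")
            for stage in entry.get("stages", []):
                for cpv in stage.get("componentPolicyViolations", []):
                    for wpv in cpv.get("waivedPolicyViolations", []):
                        yield kind, owner, stage["stageId"], cpv["component"], wpv


def audit_waivers(report):
    """Separate obsolete waivers (re-evaluate the report before trusting them)
    from active ones; flag active waivers with hash null (any component)."""
    obsolete, active = [], []
    for kind, owner, stage_id, component, wpv in iter_waived_violations(report):
        waiver = wpv["policyWaiver"]
        rec = {"owner": f"{kind}:{owner}", "stage": stage_id,
               "component": component.get("packageUrl"),
               "policy": wpv.get("policyName"), "threatLevel": wpv.get("threatLevel")}
        if waiver.get("isObsolete"):
            obsolete.append(rec)
            continue
        rec.update(waiverId=waiver["policyWaiverId"], scope=waiver.get("scopeOwnerType"),
                   anyComponent=waiver.get("hash") is None, comment=waiver.get("comment") or "")
        active.append(rec)
    active.sort(key=lambda r: r["threatLevel"] or 0, reverse=True)
    return {"obsolete": obsolete, "active": active}


def html_rows(records):
    """Render records as HTML table rows; the waiver comment is unrestricted
    free text, so every cell is escaped before it reaches a browser."""
    keys = ("owner", "stage", "component", "policy", "threatLevel", "comment")
    return ["<tr>" + "".join(f"<td>{html.escape(str(r.get(k, '')), quote=True)}</td>"
                             for k in keys) + "</tr>" for r in records]


# Constructed sample in the documented shape; not a real server response.
SAMPLE_REPORT = {
    "applicationWaivers": [{
        "application": {"id": "b701251dcbcb4b1f98ea2f9185a40ac1", "publicId": "app1"},
        "stages": [{"stageId": "build", "componentPolicyViolations": [{
            "component": {"packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                          "hash": "1249e25aebb15358bedd"},
            "waivedPolicyViolations": [
                {"policyName": "Security-High", "threatLevel": 9, "policyWaiver": {
                    "policyWaiverId": "4bf45f6c7ee54405b34ba1a23312c917", "isObsolete": False,
                    "comment": "Approved by <ops> until 2020-01-01",
                    "scopeOwnerType": "application", "hash": "1249e25aebb15358bedd"}},
                {"policyName": "Security-Critical", "threatLevel": 10, "policyWaiver": {
                    "comment": "Related policy waiver not found. Please re-evaluate.",
                    "isObsolete": True}},
            ],
        }]}],
    }],
    "repositoryWaivers": [{
        "repository": {"repositoryId": "579729e6b3134c0bb40de1ac077288be",
                       "publicId": "maven-central"},
        "stages": [{"stageId": "proxy", "componentPolicyViolations": [{
            "component": {"packageUrl": "pkg:maven/ch.qos.logback/logback-access@0.6?type=jar",
                          "hash": "47b6857af4a1cc50875a"},
            "waivedPolicyViolations": [
                {"policyName": "Architecture-Quality", "threatLevel": 1, "policyWaiver": {
                    "policyWaiverId": "5b2b1946d6904038bbb81bdd81c49f44", "isObsolete": False,
                    "comment": "", "scopeOwnerType": "root_organization", "hash": None}},
            ],
        }]}],
    }],
}

if __name__ == "__main__":
    result = audit_waivers(SAMPLE_REPORT)
    for rec in result["obsolete"]:
        print("OBSOLETE, re-evaluate:", rec["owner"], rec["stage"], rec["component"])
    for rec in result["active"]:
        print("active:", rec["waiverId"], rec["scope"], rec["component"],
              "(applies to ANY component)" if rec["anyComponent"] else "")
```

Run it against a live server by replacing SAMPLE_REPORT with fetch_waivers("http://localhost:8070", "maven") after exporting IQ_USER and IQ_PASSWORD.  Obsolete entries carry no policyWaiverId, scope or createTime, so the audit treats them as "unknown until re-evaluated" rather than as active waivers; a null hash on an active waiver is worth a second look, because it waives the policy for every component in scope, not just the one in the report.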

Sample Response

A sample response returned by the API:

{
  "applicationWaivers":[
    {
      "application":{
        "id":"b701251dcbcb4b1f98ea2f9185a40ac1",
        "publicId":"app1",
        "name":"app1",
        "organizationId":"819f4058db814e0d993eaa07e1ec751a",
        "contactUserName":null
      },
      "stages":[
        {
          "stageId":"build",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/org.apache.geronimo.framework/geronimo-security@2.1?type=jar",
                "hash":"848d7549ef7ec13ce546",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"geronimo-security",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"org.apache.geronimo.framework",
                    "version":"2.1"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"35210c5a2ef4454fb3995a5c24c1c021",
                  "policyName":"Security-Medium",
                  "policyViolationId":"e5202f65737145039cf533523ca53606",
                  "threatLevel":7,
                  "constraintViolations":[
                    {
                      "constraintId":"1dce26100b974d9c87ffdd89ec49a28d",
                      "constraintName":"Medium risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2009-0038 with severity 4.3."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2009-0038 with severity 4.3."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"e8f43ba30718456eadad6f0616f4c68e",
                    "comment":"",
                    "createTime":"2019-10-10T19:01:35.544+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "root_organization",
                    "scopeOwnerId": "ROOT_ORGANIZATION_ID",
                    "scopeOwnerName": "Root Organization",
                    "hash":"848d7549ef7ec13ce546",
                    "policyId":"35210c5a2ef4454fb3995a5c24c1c021"
                  }
                },
                {
                  "policyId":"f2dd37378e53444b8da9b33c260a154e",
                  "policyName":"Security-Critical",
                  "policyViolationId":"b586c84c810b4be1924a82cf65627084",
                  "threatLevel":10,
                  "constraintViolations":[
                    {
                      "constraintId":"77e6999b7b7042b98bd81230dbecbbab",
                      "constraintName":"Critical risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2008-5518 with severity 9.4."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "comment":"Related policy waiver not found. Please re-evaluate.",
                    "isObsolete":true
                  }
                }
              ]
            },
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"6c003ff1e17e46cfb72e1fc4fbfa7844",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"4bf45f6c7ee54405b34ba1a23312c917",
                    "comment":"",
                    "createTime":"2019-10-09T15:21:05.518+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "application",
                    "scopeOwnerId": "b701251dcbcb4b1f98ea2f9185a40ac1",
                    "scopeOwnerName": "app1",
                    "hash":"1249e25aebb15358bedd",
                    "policyId":"775a6e88799040c5bb2dd8f020124d07"
                  }
                }
              ]
            }
          ]
        },
        {
          "stageId":"release",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"96cdb0f78e5a439bb592030c243fd6c5",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"4bf45f6c7ee54405b34ba1a23312c917",
                    "comment":"",
                    "createTime":"2019-10-09T15:01:49.604+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "application",
                    "scopeOwnerId": "b701251dcbcb4b1f98ea2f9185a40ac1",
                    "scopeOwnerName": "app1",
                    "hash":"1249e25aebb15358bedd",
                    "policyId":"775a6e88799040c5bb2dd8f020124d07"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "application":{
        "id":"0b6b13a749274eeba41853d042b6a6ca",
        "publicId":"test",
        "name":"test",
        "organizationId":"819f4058db814e0d993eaa07e1ec751a",
        "contactUserName":null
      },
      "stages":[
        {
          "stageId":"build",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"27729fd8605e4e80b5ff6e301202db2d",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"7ed1f091486c4c41aeedb9561de44547",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "organization",
                    "scopeOwnerId": "819f4058db814e0d993eaa07e1ec751a",
                    "scopeOwnerName": "org1",
                    "hash":"1249e25aebb15358bedd",
                    "policyId":"775a6e88799040c5bb2dd8f020124d07"
                  }
                }
              ]
            },
            {
              "component":{
                "packageUrl":"pkg:maven/ch.qos.logback/logback-access@0.6?type=jar",
                "hash":"47b6857af4a1cc50875a",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"logback-access",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"ch.qos.logback",
                    "version":"0.6"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"0ba8d544b320485c9e395c9b09ea8cdf",
                  "policyName":"Architecture-Quality",
                  "policyViolationId":"e5270ae8bcea407a80a99a58dddd0ceb",
                  "threatLevel":1,
                  "constraintViolations":[
                    {
                      "constraintId":"2bfb2100539b47bb90cb224471451b40",
                      "constraintName":"Version is old",
                      "reasons":[
                        {
                          "reason":"Age was 12 years, 10 months and 10 days"
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"5b2b1946d6904038bbb81bdd81c49f44",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "root_organization",
                    "scopeOwnerId": "ROOT_ORGANIZATION_ID",
                    "scopeOwnerName": "Root Organization",
                    "hash":"47b6857af4a1cc50875a",
                    "policyId":"0ba8d544b320485c9e395c9b09ea8cdf"
                  }
                },
                {
                  "policyId":"f2dd37378e53444b8da9b33c260a154e",
                  "policyName":"Security-Critical",
                  "policyViolationId":"3fc1317d3ab04ec4b1ec838a2e04cbc0",
                  "threatLevel":10,
                  "constraintViolations":[
                    {
                      "constraintId":"77e6999b7b7042b98bd81230dbecbbab",
                      "constraintName":"Critical risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5929 with severity 9.8."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"2116a80930ad441f9ef811b66f85ebfa",
                    "comment":"",
                    "createTime":"2019-10-09T15:02:12.270+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "root_organization",
                    "scopeOwnerId": "ROOT_ORGANIZATION_ID",
                    "scopeOwnerName": "Root Organization",
                    "hash":"47b6857af4a1cc50875a",
                    "policyId":"f2dd37378e53444b8da9b33c260a154e"
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ],
  "repositoryWaivers":[
    {
      "repository":{
        "repositoryId":"579729e6b3134c0bb40de1ac077288be",
        "publicId":"maven-central",
        "format":"maven2"
      },
      "stages":[
        {
          "stageId":"proxy",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                "hash":"1249e25aebb15358bedd",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"tomcat-util",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.23"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"12ba38f6d38b4f2585c5f3415f094af4",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2017-5647 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "policyWaiverId":"c77807246ae0440a9770da06d8dcbbbf",
                    "comment":"",
                    "createTime":"2019-10-16T20:52:27.659+0000",
                    "isObsolete":false,
                    "scopeOwnerType": "root_organization",
                    "scopeOwnerId": "ROOT_ORGANIZATION_ID",
                    "scopeOwnerName": "Root Organization",
                    "hash":"1249e25aebb15358bedd",
                    "policyId":"775a6e88799040c5bb2dd8f020124d07"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "repository":{
        "repositoryId":"a5a4dbb21062447590c0ee6f10b42bc4",
        "publicId":"repo2",
        "format":"maven2"
      },
      "stages":[
        {
          "stageId":"proxy",
          "componentPolicyViolations":[
            {
              "component":{
                "packageUrl":"pkg:maven/tomcat/catalina@5.5.12?type=jar",
                "hash":"d62e5a9802baf4da2d9a",
                "componentIdentifier":{
                  "format":"maven",
                  "coordinates":{
                    "artifactId":"catalina",
                    "classifier":"",
                    "extension":"jar",
                    "groupId":"tomcat",
                    "version":"5.5.12"
                  }
                }
              },
              "waivedPolicyViolations":[
                {
                  "policyId":"775a6e88799040c5bb2dd8f020124d07",
                  "policyName":"Security-High",
                  "policyViolationId":"8b6595e781584040bdd0727ea86c8896",
                  "threatLevel":9,
                  "constraintViolations":[
                    {
                      "constraintId":"5244a1a9d0374a459144e8d93d192051",
                      "constraintName":"High risk CVSS score",
                      "reasons":[
                        {
                          "reason":"Found security vulnerability CVE-2016-6797 with severity 7.5."
                        },
                        {
                          "reason":"Found security vulnerability CVE-2016-6797 with severity 7.5."
                        }
                      ]
                    }
                  ],
                  "policyWaiver":{
                    "comment":"Related policy waiver not found. Please re-evaluate.",
                    "isObsolete":true
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

The returned component hash value is truncated and is meant to be used as an identifier that can be passed into subsequent REST API calls.  It is not intended to be used as a checksum, so do not compare it against a locally computed SHA-1 of the artifact.