
Policy Violation REST API

Use this REST API to access the policy violation data gathered during the evaluation of applications.

Permissions Required:

View IQ Elements

Methods Supported:

GET (all active policy violation details): Retrieve the policy violation data for active violations only, for the requested policy Id(s).

GET (with query parameter type): Retrieve policy violation data, including the type of each violation (active, waived or legacy), for the requested policy Id(s).

Pre-requisite: Get the policy metadata

To access policy violation information you need the identifier for the policy.

GET /api/v2/policies/

Example:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policies'

The list of policies is returned in JSON format. The policy IDs will be unique to your instance.

{
    "policies": [
        {
            "id": "6984017845c645b0ad0c95401ad4f17d",
            "name": "My Application Policy",
            "ownerId": "36d7e629462a4038b581488c347959bc",
            "ownerType": "APPLICATION",
            "threatLevel": 5,
            "policyType": "quality"
        }
    ]
}

id: The internal id for the policy.

name: The name of the policy.

ownerId: The internal id for the organization or application where the policy was created.

ownerType: Indicates whether the policy is for an organization or an application.

threatLevel: The threat level that is set for the policy.

policyType: Based on the conditions used in the policy. Options are: security, license, quality, or other.

GET all active violations of a policy

Using the policy ID from above, you can query the complete list of active violations for that policy.

GET /api/v2/policyViolations?p=policyID

Example:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d'

The optional parameters openTimeAfter and openTimeBefore filter the results by the time the violation was first seen (openTime).

They can be used together or independently. The accepted format is YYYY-MM-DD.

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d&openTimeAfter=2020-01-01&openTimeBefore=2020-06-30'

Sample response:

{
   "applicationViolations":[
      {
         "application":{
            "id":"529b7f71bb714eca8955e5d66687ae2c",
            "publicId":"MyAppID1",
            "name":"MyApplications",
            "organizationId":"36d7e629462a4038b581488c347959bc",
            "contactUserName":null
         },
         "policyViolations":[
            {
               "policyId":"6984017845c645b0ad0c95401ad4f17d",
               "policyName":"Security-High",
               "policyViolationId":"020613b2521b4aeb9ee0d8a0adfd6f2d",
               "stageId":"build",
               "reportId":"c0ddefc4512f42d0bcbe29029e2be117",
               "reportUrl":"ui/links/application/MyAppID1/report/c0ddefc4512f42d0bcbe29029e2be117",
               "openTime": "2020-04-27T13:37:57.264+0000",
               "threatLevel":9,
               "constraintViolations":[
                  {
                     "constraintId":"19011de290b147a38c820ad7bd5c653d",
                     "constraintName":"CVSS >=7 and <10",
                     "reasons":[
                        {
                           "reason":"Found 2 Security Vulnerabilities with Severity >= 7"
                        },
                        {
                           "reason":"Found 4 Security Vulnerabilities with Severity < 10"
                        },
                        {
                           "reason":"Found 4 Security Vulnerabilities with Status OPEN"
                        }
                     ]
                  }
               ],
               "component":{
                  "hash":"384faa82e193d4e4b054",
                  "componentIdentifier":{
                     "format":"maven",
                     "coordinates":{
                        "artifactId":"tomcat-util",
                        "classifier":"",
                        "extension":"jar",
                        "groupId":"tomcat",
                        "version":"5.5.23"
                     }
                  },
                  "packageUrl":"pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
                  "proprietary":false
               }
            }
         ]
      }
   ]
}
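The workflow above (look up the policy id, then query its active violations with optional date filters) as an added Python example; this is not Sonatype's code or part of the original page. It assumes the host (http://localhost:8070) and the admin:admin123 credentials from the curl examples, validates that the date filters really are YYYY-MM-DD calendar dates before they reach the server, and flattens a response in the format shown above into one row per violating component. The policy list and violation payloads embedded below are constructed samples modelled on the page's responses.

```python
"""Added example, not Sonatype's code: look up a policy id by name, build a
policyViolations query with the optional openTimeAfter/openTimeBefore filters,
and flatten the active violations returned into one row per component."""
import base64
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime

BASE_URL = "http://localhost:8070"  # assumption: same host as the page's curl examples
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # the YYYY-MM-DD form the API documents

# Constructed sample in the shape of GET /api/v2/policies (ids are illustrative).
POLICIES_JSON = json.dumps({"policies": [
    {"id": "6984017845c645b0ad0c95401ad4f17d", "name": "My Application Policy",
     "ownerId": "36d7e629462a4038b581488c347959bc", "ownerType": "APPLICATION",
     "threatLevel": 5, "policyType": "quality"},
]})

# Constructed sample: a trimmed policyViolations response in the page's format.
VIOLATIONS_JSON = json.dumps({"applicationViolations": [{
    "application": {"id": "529b7f71bb714eca8955e5d66687ae2c",
                    "publicId": "MyAppID1", "name": "MyApplications"},
    "policyViolations": [{
        "policyId": "6984017845c645b0ad0c95401ad4f17d", "policyName": "Security-High",
        "policyViolationId": "020613b2521b4aeb9ee0d8a0adfd6f2d", "stageId": "build",
        "openTime": "2020-04-27T13:37:57.264+0000", "threatLevel": 9,
        "constraintViolations": [{"constraintName": "CVSS >=7 and <10", "reasons": [
            {"reason": "Found 2 Security Vulnerabilities with Severity >= 7"},
            {"reason": "Found 4 Security Vulnerabilities with Status OPEN"}]}],
        "component": {"packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"},
    }],
}]})


def find_policy_id(policies_json, policy_name):
    """Return the internal id of the named policy from a /api/v2/policies response."""
    for policy in json.loads(policies_json)["policies"]:
        if policy["name"] == policy_name:
            return policy["id"]
    raise KeyError(f"no policy named {policy_name!r}")


def check_date(value):
    """Accept only a real calendar date written as YYYY-MM-DD (2020-06-31 is rejected)."""
    if not DATE_RE.match(value):
        raise ValueError(f"expected YYYY-MM-DD, got {value!r}")
    datetime.strptime(value, "%Y-%m-%d")  # raises ValueError for impossible dates
    return value


def violations_url(policy_ids, open_time_after=None, open_time_before=None):
    """Build the policyViolations URL; p is repeated once per requested policy id."""
    params = [("p", pid) for pid in policy_ids]
    if open_time_after:
        params.append(("openTimeAfter", check_date(open_time_after)))
    if open_time_before:
        params.append(("openTimeBefore", check_date(open_time_before)))
    return f"{BASE_URL}/api/v2/policyViolations?{urllib.parse.urlencode(params)}"


def fetch_json(url, user="admin", password="admin123"):
    """GET the URL with HTTP basic auth and return the raw JSON body (network call)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode()


def summarise(violations_json):
    """One row per violation (application, policy, component, threat level, reasons),
    highest threat level first."""
    rows = []
    for app in json.loads(violations_json)["applicationViolations"]:
        public_id = app["application"]["publicId"]
        for violation in app["policyViolations"]:
            reasons = [r["reason"] for c in violation["constraintViolations"]
                       for r in c["reasons"]]
            rows.append({"application": public_id,
                         "policy": violation["policyName"],
                         "component": violation["component"]["packageUrl"],
                         "threatLevel": violation["threatLevel"],
                         "reasons": reasons})
    return sorted(rows, key=lambda row: -row["threatLevel"])


if __name__ == "__main__":
    policy_id = find_policy_id(POLICIES_JSON, "My Application Policy")
    url = violations_url([policy_id], "2020-01-01", "2020-06-30")
    print(url)
    # Against a live server: body = fetch_json(url). Here the constructed sample is used.
    for row in summarise(VIOLATIONS_JSON):
        print(row)
```

Only fetch_json touches the network; everything else works on the response body, so the same summarise function can be pointed at a saved report or at a live query. Rejecting malformed dates client-side avoids silently sending a filter the server may ignore or interpret differently.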

GET all violations of a policy by specifying type

Using the policy ID(s) from above, you can specify the type of violations to return (active, legacy or waived).

Example 1:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy'

Example 2:

If more than one type is specified, the request is treated as an OR operation. In the example below, the response contains policy violations that are waived OR legacy.

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy&type=waived'

Example 3:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy&type=waived&type=active'

Sample response:

{
  "applicationViolations": [
      {
          "application": {
              "id": "0ed38f7107a242788b05b7a82a61d549",
              "publicId": "refactor-app",
              "name": "refactor-app",
              "organizationId": "3abf9898bfe4452ca38cc561122d776b",
              "contactUserName": null
          },
          "policyViolations": [
              {
                  "policyId": "448e1122e9b148cdb71a2935967c657b",
                  "policyName": "Security-Medium",
                  "policyViolationId": "5790f2e02d4f4dd38148047bde597824",
                  "openTime": "2025-02-12T17:25:15.179+0000",
                  "waiveTime": "2025-02-12T17:25:15.179+0000",
                  "fixTime": "2025-02-12T17:25:15.179+0000",
                  "legacyViolationTime": "2025-02-12T17:25:15.179+0000",
                  "threatLevel": 7,
                  "constraintViolations": [
                      {
                          "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
                          "constraintName": "Medium risk CVSS score",
                          "reasons": [
                              {
                                  "reason": "Found security vulnerability sonatype-2020-0103 with severity >= 4 (severity = 5.3)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "sonatype-2020-0103"
                                  }
                              },
                              {
                                  "reason": "Found security vulnerability sonatype-2020-0103 with severity < 7 (severity = 5.3)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "sonatype-2020-0103"
                                  }
                              }
                          ]
                      }
                  ],
                  "stageId": "build",
                  "reportId": "5d661036e325411dae640176f20e2a30",
                  "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
                  "component": {
                      "packageUrl": "pkg:maven/io.netty/netty-codec-http@4.1.33.Final?type=jar",
                      "hash": "ad557dffc0777b1b2455",
                      "componentIdentifier": {
                          "format": "maven",
                          "coordinates": {
                              "artifactId": "netty-codec-http",
                              "classifier": "",
                              "extension": "jar",
                              "groupId": "io.netty",
                              "version": "4.1.33.Final"
                          }
                      },
                      "displayName": "io.netty : netty-codec-http : 4.1.33.Final",
                      "proprietary": false
                  },
                  "isWaived": true,
                  "isLegacy": false
              },
              {
                  "policyId": "448e1122e9b148cdb71a2935967c657b",
                  "policyName": "Security-Medium",
                  "policyViolationId": "93fa5486685a46218126a9c25afec2f8",
                  "openTime": "2025-02-06T17:40:57.474+0000",
                  "threatLevel": 7,
                  "constraintViolations": [
                      {
                          "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
                          "constraintName": "Medium risk CVSS score",
                          "reasons": [
                              {
                                  "reason": "Found security vulnerability CVE-2024-31033 with severity >= 4 (severity = 5.9)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "CVE-2024-31033"
                                  }
                              },
                              {
                                  "reason": "Found security vulnerability CVE-2024-31033 with severity < 7 (severity = 5.9)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "CVE-2024-31033"
                                  }
                              }
                          ]
                      }
                  ],
                  "stageId": "build",
                  "reportId": "5d661036e325411dae640176f20e2a30",
                  "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
                  "component": {
                      "packageUrl": "pkg:maven/io.jsonwebtoken/jjwt@0.9.1?type=jar",
                      "hash": "54d2abfc3e63a28824d3",
                      "componentIdentifier": {
                          "format": "maven",
                          "coordinates": {
                              "artifactId": "jjwt",
                              "classifier": "",
                              "extension": "jar",
                              "groupId": "io.jsonwebtoken",
                              "version": "0.9.1"
                          }
                      },
                      "displayName": "io.jsonwebtoken : jjwt : 0.9.1",
                      "proprietary": false
                  },
                  "isWaived": false,
                  "isLegacy": true
              },
              {
                  "policyId": "448e1122e9b148cdb71a2935967c657b",
                  "policyName": "Security-Medium",
                  "policyViolationId": "2c5bacbb8a0146e7baa641b470939817",
                  "openTime": "2025-02-06T17:40:57.474+0000",
                  "threatLevel": 7,
                  "constraintViolations": [
                      {
                          "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
                          "constraintName": "Medium risk CVSS score",
                          "reasons": [
                              {
                                  "reason": "Found security vulnerability sonatype-2018-0601 with severity >= 4 (severity = 6.1)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "sonatype-2018-0601"
                                  }
                              },
                              {
                                  "reason": "Found security vulnerability sonatype-2018-0601 with severity < 7 (severity = 6.1)",
                                  "reference": {
                                      "type": "SECURITY_VULNERABILITY_REFID",
                                      "value": "sonatype-2018-0601"
                                  }
                              }
                          ]
                      }
                  ],
                  "stageId": "build",
                  "reportId": "5d661036e325411dae640176f20e2a30",
                  "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
                  "component": {
                      "packageUrl": "pkg:maven/org.asciidoctor/asciidoctorj@2.5.13?type=jar",
                      "hash": "03f9fba7ef863a251600",
                      "componentIdentifier": {
                          "format": "maven",
                          "coordinates": {
                              "artifactId": "asciidoctorj",
                              "classifier": "",
                              "extension": "jar",
                              "groupId": "org.asciidoctor",
                              "version": "2.5.13"
                          }
                      },
                      "displayName": "org.asciidoctor : asciidoctorj : 2.5.13",
                      "proprietary": false
                  },
                  "isWaived": true,
                  "isLegacy": true
              }
          ]
      }
  ]
}
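The type filter and its OR semantics, as an added Python example that is not Sonatype's code or part of the original page: it repeats the type parameter once per requested type, rejects values outside the documented set, and then uses the isWaived/isLegacy flags of the response above to check that what came back actually matches what was asked for and to collect the vulnerability reference ids per component. It assumes the host from the page's curl examples, and it treats a violation with neither flag set as active (an assumption based on the three documented types). The embedded response is a constructed, trimmed copy of the sample above.

```python
"""Added example, not Sonatype's code: query policy violations by type and
classify what comes back using the isWaived/isLegacy flags."""
import json
import urllib.parse

BASE_URL = "http://localhost:8070"  # assumption: same host as the page's curl examples
VALID_TYPES = {"active", "waived", "legacy"}  # the three types the page documents

# Constructed sample: the page's three-violation response, trimmed to the fields read here.
SAMPLE = json.dumps({"applicationViolations": [{
    "application": {"publicId": "refactor-app"},
    "policyViolations": [
        {"policyViolationId": "5790f2e02d4f4dd38148047bde597824", "threatLevel": 7,
         "component": {"packageUrl": "pkg:maven/io.netty/netty-codec-http@4.1.33.Final?type=jar"},
         "constraintViolations": [{"reasons": [
             {"reference": {"type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2020-0103"}},
             {"reference": {"type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2020-0103"}}]}],
         "isWaived": True, "isLegacy": False},
        {"policyViolationId": "93fa5486685a46218126a9c25afec2f8", "threatLevel": 7,
         "component": {"packageUrl": "pkg:maven/io.jsonwebtoken/jjwt@0.9.1?type=jar"},
         "constraintViolations": [{"reasons": [
             {"reference": {"type": "SECURITY_VULNERABILITY_REFID", "value": "CVE-2024-31033"}}]}],
         "isWaived": False, "isLegacy": True},
        {"policyViolationId": "2c5bacbb8a0146e7baa641b470939817", "threatLevel": 7,
         "component": {"packageUrl": "pkg:maven/org.asciidoctor/asciidoctorj@2.5.13?type=jar"},
         "constraintViolations": [{"reasons": [
             {"reference": {"type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2018-0601"}}]}],
         "isWaived": True, "isLegacy": True},
    ]}]})


def typed_violations_url(policy_ids, types):
    """Repeat type= once per requested type; the server ORs them together."""
    unknown = set(types) - VALID_TYPES
    if unknown:
        raise ValueError(f"unknown violation type(s): {sorted(unknown)}")
    params = [("p", pid) for pid in policy_ids] + [("type", t) for t in types]
    return f"{BASE_URL}/api/v2/policyViolations?{urllib.parse.urlencode(params)}"


def classify(violation):
    """Type labels a violation carries, derived from its isWaived/isLegacy flags.
    A violation can be both waived and legacy; neither flag set is taken to mean
    active (assumption, not stated on the page)."""
    labels = set()
    if violation.get("isWaived"):
        labels.add("waived")
    if violation.get("isLegacy"):
        labels.add("legacy")
    return labels or {"active"}


def group_by_type(response_json):
    """Bucket violation ids by type label and collect vulnerability ids per component."""
    buckets = {"active": [], "waived": [], "legacy": []}
    vuln_refs = {}
    for app in json.loads(response_json)["applicationViolations"]:
        for violation in app["policyViolations"]:
            for label in classify(violation):
                buckets[label].append(violation["policyViolationId"])
            refs = {r["reference"]["value"]
                    for c in violation["constraintViolations"] for r in c["reasons"]
                    if r.get("reference", {}).get("type") == "SECURITY_VULNERABILITY_REFID"}
            vuln_refs[violation["component"]["packageUrl"]] = sorted(refs)
    return buckets, vuln_refs


def unexpected_types(response_json, requested):
    """Ids of returned violations that carry none of the requested type labels,
    i.e. rows a consumer should not trust as matching its filter."""
    return [violation["policyViolationId"]
            for app in json.loads(response_json)["applicationViolations"]
            for violation in app["policyViolations"]
            if not classify(violation) & set(requested)]


if __name__ == "__main__":
    requested = ["legacy", "waived"]
    print(typed_violations_url(["448e1122e9b148cdb71a2935967c657b"], requested))
    buckets, refs = group_by_type(SAMPLE)
    print(buckets)
    print(refs)
    print("unexpected:", unexpected_types(SAMPLE, requested))
```

Because a violation can be both waived and legacy (the third entry in the sample), the same id legitimately appears in two buckets; any reporting built on this endpoint should count by violation id rather than by summing the buckets.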

Response Description

application: Category containing specific information about the application.

id: The internal id of the application.

publicId: The application ID. In the IQ Server GUI this is represented by the "Application" field.

name: The name of the application. In the IQ Server GUI this corresponds to the "Application Name" field.

organizationId: The internal id for the organization that the application resides in; it is not visible within the IQ Server GUI.

contactUserName: Typically the person in charge of the application. In the IQ Server GUI, it corresponds to the contact field for the application.

policyViolations: A subcategory of the application that provides specific information about the policy and the corresponding violations that were found.

policyId: The internal id for the policy.

policyName: The name of the policy, as visible in the IQ Server GUI.

policyViolationId: The internal id for the policy violation.

stageId: The stage in which the policy violation occurred. It is displayed in various places within the IQ Server GUI, including the associated Application Composition Report.

reportId: The ID of the Application Composition Report associated with the evaluation that found the listed policy violations.

reportUrl: The URL of the Application Composition Report associated with the evaluation that found the listed policy violations.

openTime: The date and time when the violation was first seen.

waiveTime: The date and time when the violation was waived.

legacyViolationTime: The date and time when the violation was assigned as a legacy violation.

fixTime: The date and time when the violation was fixed.

threatLevel: The threat level of the policy that was violated.

constraintViolations: A subcategory of Policy Violations that includes all information related to the specific constraint that was violated.

constraintId: The internal id for the constraint; it is not visible in the IQ Server GUI or in the associated Application Composition Report.

constraintName: The name of the constraint. It is visible in the policy area where the policy was created (i.e. either the organization or the application), and is also displayed in the Application Composition Report and in the various tools that connect to the IQ Server.

reasons: A subcategory of Constraint Violations that gives the reason why the violation occurred.

reason: The reason is formed from the value(s) of the condition(s) violated. Conditions are visible where the policy was created (i.e. either the organization or the application). They are also displayed in the Application Composition Report and in the various tools that connect to the IQ Server.

component: A subcategory of Policy Violations that includes information about the component(s) causing the violation.

hash: Truncated (20 chars) SHA1 hash value of the component, used as an internal identifier.

componentIdentifier: A container for the component information. It always includes the format and the coordinates.

format: The format the component is in; it determines what type of coordinate information is displayed.

coordinates: Depends on the format. For example, Maven uses G : A : E : C : V (Group, Artifact Id, Extension, Classifier, and Version) for the component. In this example, the fields provided are: component.

isWaived: true indicates that the violation is waived.

isLegacy: true indicates that the violation is a legacy violation.