Policy Violation REST API
Use this REST API to access the policy violation data gathered during the evaluation of applications.
Permissions Required:
View IQ Elements
Methods Supported:
Method | Description |
---|---|
GET (all active policy violation details) | Retrieve the policy violation data for active violations only, for the requested policy Id(s). |
GET (with query parameter) | Retrieve policy violation data including the type of the violation (active, waived or legacy) for the requested policy Id(s). |
Pre-requisite: Get the policy metadata
To access policy violation information you need the identifier for the policy.
GET /api/v2/policies/
Example:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policies'
The list of policies is returned in JSON format. The policy IDs will be unique to your instance.
```json
{
  "policies": [
    {
      "id": "6984017845c645b0ad0c95401ad4f17d",
      "name": "My Application Policy",
      "ownerId": "36d7e629462a4038b581488c347959bc",
      "ownerType": "APPLICATION",
      "threatLevel": 5,
      "policyType": "quality"
    }
  ]
}
```
Item | Description |
---|---|
id | The internal id for the policy |
name | This is the name of the policy |
ownerId | The internal id for the organization or application where the policy was created |
ownerType | This indicates whether the policy is for an organization or application. |
threatLevel | This is the threat level that is set for the policy. |
policyType | Derived from the conditions used in the policy. Options are: security, license, quality, or other. |
GET all active violations of a policy
Using the policy ID from above, you can query the complete list of active violations for that policy.
GET /api/v2/policyViolations?p=policyID
Example:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d'
The parameters openTimeAfter and openTimeBefore are supported to filter the results. Both are optional, and they can be used together or independently. The accepted format is YYYY-MM-DD.
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=6984017845c645b0ad0c95401ad4f17d&openTimeAfter=2020-01-01&openTimeBefore=2020-06-30'
Sample response:
```json
{
  "applicationViolations": [
    {
      "application": {
        "id": "529b7f71bb714eca8955e5d66687ae2c",
        "publicId": "MyAppID1",
        "name": "MyApplications",
        "organizationId": "36d7e629462a4038b581488c347959bc",
        "contactUserName": null
      },
      "policyViolations": [
        {
          "policyId": "6984017845c645b0ad0c95401ad4f17d",
          "policyName": "Security-High",
          "policyViolationId": "020613b2521b4aeb9ee0d8a0adfd6f2d",
          "stageId": "build",
          "reportId": "c0ddefc4512f42d0bcbe29029e2be117",
          "reportUrl": "ui/links/application/MyAppID1/report/c0ddefc4512f42d0bcbe29029e2be117",
          "openTime": "2020-04-27T13:37:57.264+0000",
          "threatLevel": 9,
          "constraintViolations": [
            {
              "constraintId": "19011de290b147a38c820ad7bd5c653d",
              "constraintName": "CVSS >=7 and <10",
              "reasons": [
                { "reason": "Found 2 Security Vulnerabilities with Severity >= 7" },
                { "reason": "Found 4 Security Vulnerabilities with Severity < 10" },
                { "reason": "Found 4 Security Vulnerabilities with Status OPEN" }
              ]
            }
          ],
          "component": {
            "hash": "384faa82e193d4e4b054",
            "componentIdentifier": {
              "format": "maven",
              "coordinates": {
                "artifactId": "tomcat-util",
                "classifier": "",
                "extension": "jar",
                "groupId": "tomcat",
                "version": "5.5.23"
              }
            },
            "packageUrl": "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar",
            "proprietary": false
          }
        }
      ]
    }
  ]
}
```
GET all violations of a policy by specifying type
Using the policy ID(s) from above, you can specify the type of violations (active, legacy or waived).
Example 1:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy'
Example 2:
If more than one type is specified, the request is considered as an OR operation. In the example below, the response will contain policy violations that are waived OR are legacy violations.
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy&type=waived'
Example 3:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/policyViolations?p=448e1122e9b148cdb71a2935967c657b&type=legacy&type=waived&type=active'
Sample Response
```json
{
  "applicationViolations": [
    {
      "application": {
        "id": "0ed38f7107a242788b05b7a82a61d549",
        "publicId": "refactor-app",
        "name": "refactor-app",
        "organizationId": "3abf9898bfe4452ca38cc561122d776b",
        "contactUserName": null
      },
      "policyViolations": [
        {
          "policyId": "448e1122e9b148cdb71a2935967c657b",
          "policyName": "Security-Medium",
          "policyViolationId": "5790f2e02d4f4dd38148047bde597824",
          "openTime": "2025-02-12T17:25:15.179+0000",
          "waiveTime": "2025-02-12T17:25:15.179+0000",
          "fixTime": "2025-02-12T17:25:15.179+0000",
          "legacyViolationTime": "2025-02-12T17:25:15.179+0000",
          "threatLevel": 7,
          "constraintViolations": [
            {
              "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
              "constraintName": "Medium risk CVSS score",
              "reasons": [
                { "reason": "Found security vulnerability sonatype-2020-0103 with severity >= 4 (severity = 5.3)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2020-0103" } },
                { "reason": "Found security vulnerability sonatype-2020-0103 with severity < 7 (severity = 5.3)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2020-0103" } }
              ]
            }
          ],
          "stageId": "build",
          "reportId": "5d661036e325411dae640176f20e2a30",
          "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
          "component": {
            "packageUrl": "pkg:maven/io.netty/netty-codec-http@4.1.33.Final?type=jar",
            "hash": "ad557dffc0777b1b2455",
            "componentIdentifier": {
              "format": "maven",
              "coordinates": { "artifactId": "netty-codec-http", "classifier": "", "extension": "jar", "groupId": "io.netty", "version": "4.1.33.Final" }
            },
            "displayName": "io.netty : netty-codec-http : 4.1.33.Final",
            "proprietary": false
          },
          "isWaived": true,
          "isLegacy": false
        },
        {
          "policyId": "448e1122e9b148cdb71a2935967c657b",
          "policyName": "Security-Medium",
          "policyViolationId": "93fa5486685a46218126a9c25afec2f8",
          "openTime": "2025-02-06T17:40:57.474+0000",
          "threatLevel": 7,
          "constraintViolations": [
            {
              "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
              "constraintName": "Medium risk CVSS score",
              "reasons": [
                { "reason": "Found security vulnerability CVE-2024-31033 with severity >= 4 (severity = 5.9)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "CVE-2024-31033" } },
                { "reason": "Found security vulnerability CVE-2024-31033 with severity < 7 (severity = 5.9)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "CVE-2024-31033" } }
              ]
            }
          ],
          "stageId": "build",
          "reportId": "5d661036e325411dae640176f20e2a30",
          "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
          "component": {
            "packageUrl": "pkg:maven/io.jsonwebtoken/jjwt@0.9.1?type=jar",
            "hash": "54d2abfc3e63a28824d3",
            "componentIdentifier": {
              "format": "maven",
              "coordinates": { "artifactId": "jjwt", "classifier": "", "extension": "jar", "groupId": "io.jsonwebtoken", "version": "0.9.1" }
            },
            "displayName": "io.jsonwebtoken : jjwt : 0.9.1",
            "proprietary": false
          },
          "isWaived": false,
          "isLegacy": true
        },
        {
          "policyId": "448e1122e9b148cdb71a2935967c657b",
          "policyName": "Security-Medium",
          "policyViolationId": "2c5bacbb8a0146e7baa641b470939817",
          "openTime": "2025-02-06T17:40:57.474+0000",
          "threatLevel": 7,
          "constraintViolations": [
            {
              "constraintId": "2b36001e89554960a44a2a3ddcb29ed6",
              "constraintName": "Medium risk CVSS score",
              "reasons": [
                { "reason": "Found security vulnerability sonatype-2018-0601 with severity >= 4 (severity = 6.1)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2018-0601" } },
                { "reason": "Found security vulnerability sonatype-2018-0601 with severity < 7 (severity = 6.1)",
                  "reference": { "type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2018-0601" } }
              ]
            }
          ],
          "stageId": "build",
          "reportId": "5d661036e325411dae640176f20e2a30",
          "reportUrl": "ui/links/application/refactor-app/report/5d661036e325411dae640176f20e2a30",
          "component": {
            "packageUrl": "pkg:maven/org.asciidoctor/asciidoctorj@2.5.13?type=jar",
            "hash": "03f9fba7ef863a251600",
            "componentIdentifier": {
              "format": "maven",
              "coordinates": { "artifactId": "asciidoctorj", "classifier": "", "extension": "jar", "groupId": "org.asciidoctor", "version": "2.5.13" }
            },
            "displayName": "org.asciidoctor : asciidoctorj : 2.5.13",
            "proprietary": false
          },
          "isWaived": true,
          "isLegacy": true
        }
      ]
    }
  ]
}
```
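As an added example (not Sonatype's own client code), the script below builds the filtered query described in the last two sections, with repeated type parameters and the openTimeAfter/openTimeBefore filters, and triages a response of the shape shown above into one row per violation, classifying it as active, waived or legacy from the isWaived/isLegacy flags. The base URL, credentials and SAMPLE are assumptions; SAMPLE is a trimmed copy of this page's sample response, constructed so the triage runs offline.

```python
"""Build policyViolations queries and triage the JSON they return.
Added example, not Sonatype's own code; SAMPLE is a trimmed, constructed
copy of this page's sample response so the triage runs offline."""
import base64, json, urllib.parse, urllib.request

def build_violations_url(base_url, policy_ids, types=(), open_after=None, open_before=None):
    """GET /api/v2/policyViolations with repeated p= and type= (several types are OR-ed)."""
    params = [("p", pid) for pid in policy_ids] + [("type", t) for t in types]
    if open_after:   # both date filters are optional, format YYYY-MM-DD
        params.append(("openTimeAfter", open_after))
    if open_before:
        params.append(("openTimeBefore", open_before))
    return base_url.rstrip("/") + "/api/v2/policyViolations?" + urllib.parse.urlencode(params)

def fetch_json(url, user, password):
    """Same basic auth as the curl -u examples; the account needs View IQ Elements."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def triage(response):
    """One row per violation: app, status (active/waived/legacy), threat level, purl, vuln ids."""
    rows = []
    for app in response.get("applicationViolations", []):
        for v in app["policyViolations"]:
            # the active-only query omits both flags, so missing flags mean "active"
            flags = [k[2:].lower() for k in ("isWaived", "isLegacy") if v.get(k)]
            refs = sorted({r["reference"]["value"] for c in v["constraintViolations"]
                           for r in c["reasons"] if "reference" in r})
            rows.append({"application": app["application"]["publicId"],
                         "status": "+".join(flags) or "active",
                         "threatLevel": v["threatLevel"],
                         "component": v["component"]["packageUrl"], "refs": refs})
    return rows

SAMPLE = {"applicationViolations": [{"application": {"publicId": "refactor-app"},
    "policyViolations": [
        {"threatLevel": 7, "isWaived": True, "isLegacy": False,
         "component": {"packageUrl": "pkg:maven/io.netty/netty-codec-http@4.1.33.Final?type=jar"},
         "constraintViolations": [{"reasons": [{"reason": "severity >= 4", "reference":
             {"type": "SECURITY_VULNERABILITY_REFID", "value": "sonatype-2020-0103"}}]}]},
        {"threatLevel": 7, "isWaived": False, "isLegacy": True,
         "component": {"packageUrl": "pkg:maven/io.jsonwebtoken/jjwt@0.9.1?type=jar"},
         "constraintViolations": [{"reasons": [{"reason": "severity >= 4", "reference":
             {"type": "SECURITY_VULNERABILITY_REFID", "value": "CVE-2024-31033"}}]}]}]}]}

if __name__ == "__main__":   # swap SAMPLE for fetch_json(url, "admin", "admin123") to run live
    url = build_violations_url("http://localhost:8070", ["448e1122e9b148cdb71a2935967c657b"], types=("legacy", "waived"))
    print(url, *triage(SAMPLE), sep="\n")
```

A violation with both flags set, like the third one in the sample response above, is reported as "waived+legacy", so only rows whose status is "active" need attention.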
Response Description
Response field | Description |
---|---|
application | Category containing specific information about the application. |
id | The internal id. |
publicId | The application ID. In the IQ Server GUI this is represented by the "Application" field. |
name | The name of the application. In the IQ Server GUI this corresponds to the "Application Name" field. |
organizationId | The internal id for the organization that the application resides in, and is not visible within the IQ Server GUI. |
contactUserName | This is typically the person in charge of the application. In the IQ Server GUI, it corresponds to the contact field for the application. |
policyViolations | A subcategory of the application that provides specific information about the policy and the corresponding violations that were found. |
policyId | The internal id for the policy. |
policyName | The name of the policy, and is visible in the IQ Server GUI. |
policyViolationId | The internal id for the policy violation. |
stageId | The stage in which the policy violation occurred. It is displayed in various places within the IQ Server GUI, including the associated Application Composition Report. |
reportId | This is the ID of the Application Composition Report associated with the evaluation that found the listed policy violations. |
reportUrl | This is the URL to the Application Composition Report associated with the evaluation that found the listed policy violations. |
openTime | This is the date and time that the violation was first seen. |
waiveTime | This is the date and time when the violation was waived. |
legacyViolationTime | This is the date and time when the violation was marked as a legacy violation. |
fixTime | This is the date and time when the violation was fixed. |
threatLevel | This is the threat level of the policy that was violated. |
constraintViolations | This is a subcategory for Policy Violations, and includes all information related to the specific constraint that was violated. |
constraintId | This is the internal id for the constraint, and is not visible in the IQ Server GUI, or in the associated Application Composition Report. |
constraintName | This is the name of the constraint and is visible in the policy area where the policy was created (i.e. either the organization or application). It is also displayed in the Application Composition Report and various tools that connect to the IQ Server. |
reasons | This is a subcategory of Constraint Violations, and gives the reason why the violation occurred. |
reason | The reason is formed by the value(s) for the condition(s) violated. Conditions are visible where the policy was created (i.e. either the organization or application). It is also displayed in the Application Composition Report and various tools that connect to the IQ Server. |
component | Component is a subcategory of Policy Violations, and includes information about the component(s) causing the violation to occur. |
hash | Truncated (20 chars) SHA1 hash value of the component used as an internal identifier. |
componentIdentifier | This is simply a container for the component information. It will always include the format and the coordinates. |
format | This is the format the component is in, and will determine what type of coordinate information is displayed. |
coordinates | This will depend on the format. An example would be Maven, which uses G : A : E : C : V (Group, Artifact Id, Extension, Classifier, and Version) to identify the component. In the sample responses above, the coordinates object carries the groupId, artifactId, extension, classifier and version fields. |
isWaived | true indicates that the violation is waived. |
isLegacy | true indicates that the violation is a legacy violation. |