Stale Waivers REST API - v2

NEW IN RELEASE 84

The Stale Waivers REST API reports waivers that are stale. A waiver is considered to be stale when it is not used in IQ Server. Examples are:

  • A waiver that was applied in one evaluation and skipped in a later evaluation because the violation it waived no longer exists (for example, after a component upgrade) is a stale waiver
  • A waiver that was added but never applied because no evaluation has taken place is a stale waiver (it is not used until an evaluation runs)

A list of stale waivers is useful for identifying potential risks in future evaluations, because it helps determine where violations could be waived unintentionally.

All repository reports must be re-evaluated after Nexus IQ Server version 76 in order to include the most accurate policy waiver information used by the new API.

Scope of waivers and user permissions

Only the stale waivers that the specific user has permissions to see will be returned, even though the computation of staleness of a waiver can include applications and/or repositories that the user does not have permissions to see.

For example, when Organization A has Application 1 and Application 2, and a user has permissions only to Application 1, the user will see waivers scoped to Organization A, because Application 1 is also under the scope of those waivers, but will not see waivers scoped to Application 2, because Application 1 is not under the scope of those waivers. Also, the computation of staleness of a waiver scoped to Organization A will include both Application 1 and Application 2, even if the user only has access to Application 1.

Before performing any actions on stale waivers, it is recommended to have complete visibility of what can be affected. This can be achieved by calling the API with sufficient user permissions (preferably as an admin user).

Requesting Stale Waivers

An HTTP GET method is used to list the Stale Waivers:

GET /api/v2/reports/waivers/stale

A sample request to list the stale waivers, issued with curl:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/reports/waivers/stale'

Response description

The response is a JSON object with the property "staleWaivers", whose value is an array of stale waivers.

Here is a sample response:

{
  "staleWaivers": [
    {
      "waiverId": "943d67ad7b904ea092ce0487a99b358e",
      "policyId": "112b8420643b4219a7775ba5d37889b5",
      "policyName": "Security-Critical",
      "comment": "",
      "scopeOwnerType": "root_organization",
      "scopeOwnerId": "ROOT_ORGANIZATION_ID",
      "scopeOwnerName": "Root Organization",
      "createTime": "2020-01-21T20:56:35.803+0000",
      "constraintFacts": [
        {
          "constraintName": "Critical risk CVSS score",
          "constraintId": "5ec402530f6849dab3066d6a598fd7d2",
          "reasons": [
            {
              "reason": "Found security vulnerability sonatype-2015-0002 with severity >= 9 (severity = 9.0)"
            }
          ]
        }
      ]
    }
  ]
}

Here is a description of the properties of a stale waiver:

Item              Description
waiverId          ID of the stale waiver.
policyId          ID of the policy.
policyName        Name of the policy.
comment           Comment of the waiver.
scopeOwnerType    The owner type of the policy waiver's scope.
scopeOwnerId      The owner id of the policy waiver's scope.
scopeOwnerName    The owner name of the policy waiver's scope.
createTime        Time at which the waiver was created.
constraintFacts   Constraint facts that were copied over from the policy violation during waiver creation.

A 409 HTTP status code will be returned if waivers are found for repositories that have not been re-evaluated since Nexus IQ Server version 76.
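As an added example (not Sonatype's code), a small Python client for the endpoint described above: it fetches the report with basic auth, treats the documented 409 as a "re-evaluate repositories first" condition rather than a parse failure, and summarizes the staleWaivers array by scope owner, flagging waivers that carry no comment. The sample body is constructed to mirror the documented response shape; the second waiver's ids and comment are placeholders.

```python
"""Client-side triage for the Stale Waivers REST API response format."""
import base64
import json
import urllib.error
import urllib.request
from collections import Counter

# Constructed sample body mirroring the documented response (not real IQ Server data); placeholder ids.
SAMPLE_BODY = json.dumps({"staleWaivers": [
    {"waiverId": "943d67ad7b904ea092ce0487a99b358e", "policyId": "112b8420643b4219a7775ba5d37889b5",
     "policyName": "Security-Critical", "comment": "", "scopeOwnerType": "root_organization",
     "scopeOwnerId": "ROOT_ORGANIZATION_ID", "scopeOwnerName": "Root Organization",
     "createTime": "2020-01-21T20:56:35.803+0000",
     "constraintFacts": [{"constraintName": "Critical risk CVSS score",
                          "constraintId": "5ec402530f6849dab3066d6a598fd7d2",
                          "reasons": [{"reason": "Found security vulnerability sonatype-2015-0002 "
                                                 "with severity >= 9 (severity = 9.0)"}]}]},
    {"waiverId": "WAIVER_ID_PLACEHOLDER", "policyId": "POLICY_ID_PLACEHOLDER",
     "policyName": "License-Banned", "comment": "Approved by legal, ticket LEG-42 (constructed)",
     "scopeOwnerType": "application", "scopeOwnerId": "APP_ID_PLACEHOLDER",
     "scopeOwnerName": "Application 1", "createTime": "2020-03-02T10:00:00.000+0000",
     "constraintFacts": []}]})

def fetch_stale_waivers(base_url, user, password):
    """GET /api/v2/reports/waivers/stale with basic auth; returns (status, body) without raising."""
    req = urllib.request.Request(f"{base_url}/api/v2/reports/waivers/stale")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def parse_stale_waivers(status, body):
    """Return the staleWaivers list; surface the documented 409 (repositories not re-evaluated)."""
    if status == 409:
        raise RuntimeError("409: repository reports not re-evaluated since IQ Server 76; re-evaluate and retry")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return json.loads(body).get("staleWaivers", [])

def summarize(waivers):
    """Count waivers per scope owner, flag those with no justification comment, collect waived reasons."""
    by_scope = Counter(f'{w["scopeOwnerType"]}:{w["scopeOwnerName"]}' for w in waivers)
    uncommented = [w["waiverId"] for w in waivers if not w.get("comment", "").strip()]
    reasons = {w["waiverId"]: [r["reason"] for f in w.get("constraintFacts", []) for r in f["reasons"]]
               for w in waivers}
    return {"total": len(waivers), "by_scope": dict(by_scope), "uncommented": uncommented, "reasons": reasons}
```

Against a live server, chain the three calls: `summarize(parse_stale_waivers(*fetch_stale_waivers("http://localhost:8070", "admin", "admin123")))`; offline, pass `200, SAMPLE_BODY` to `parse_stale_waivers` instead.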