Vulnerability Details REST API - v2

NEW IN RELEASE 75

The Vulnerability Details REST API allows you to

Get vulnerability details

Vulnerability details can be retrieved by making an authenticated HTTP GET request to

GET /api/v2/vulnerabilities/{vulnerabilityId}

where {vulnerabilityId} is a CVE identifier or a Sonatype vulnerability identifier.

For example

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

returns JSON of the following shape (the JSON below is only an example and does not contain actual proprietary data):

{
    "identifier": "CVE-2017-5929",
    "vulnIds": ["CVE-2017-5929"],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "XXX",
                "uri": "https://cwe.mitre.org/data/definitions/XXX.html"
            }
        ]
    },
    "categories": [
        "category1",
        "category2"
    ],
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": "Detection instructions will be provided here.",
    "recommendationMarkdown": "Recommendations will be provided here",
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "http://project-url"
        }
    ]
}

In the JSON above

  • mainSeverity is the official CVE severity for the given vulnerability; if no CVE severity score is available, the Sonatype severity assigned by Sonatype researchers is used instead.
  • severityScores lists all the other known severity scores not already given in mainSeverity.
  • vulnerabilityLink is provided only for CVE vulnerabilities.

NEW IN RELEASE 134

The vulnIds field, available since release 134, is an array containing the identifiers of the related vulnerabilities.

Get vulnerability details using component identifier parameter

Vulnerability details can also be retrieved by making an authenticated HTTP GET request with a component identifier as a query parameter. When a component identifier is supplied, the root causes of that vulnerability for the given component are returned as well.

For example

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'

returns

{
    "identifier": "CVE-2022-22815",
    "vulnIds": [
        "CVE-2022-22815"
    ],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "665",
                "uri": "https://cwe.mitre.org/data/definitions/665.html"
            }
        ]
    },
    "categories": [
        "data"
    ],
    "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
    "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
    "componentExplanationMarkdown": "",
    "detectionMarkdown": "The application is vulnerable by using this component.",
    "componentDetectionMarkdown": "",
    "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
    "componentRecommendationMarkdown": "",
    "rootCauses": [
        {
            "listOfPaths": [
                "Pillow-8.3.2.tar.gz",
                "Pillow-8.3.2/src/path.c"
            ],
            "versionRange": "[5.0.0 , 9.0.0)"
        }
    ],
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "https://github.com/python-pillow/Pillow/pull/5920"
        },
        {
            "referenceType": "THIRD_PARTY",
            "url": "https://access.redhat.com/security/cve/cve-2022-22815"
        }
    ]
}
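As an added example (not Sonatype's own code), the following Python client builds the componentIdentifier query string exactly as in the curl request above (compact JSON, percent-encoded), evaluates a rootCauses versionRange such as "[5.0.0 , 9.0.0)" against a component version, and summarizes the response for triage. PILLOW_WHEEL and SAMPLE_RESPONSE are constructed from this page's Pillow example; comparing versions as dotted numeric tuples is an assumption that covers the ranges shown here.

```python
import json
from urllib.parse import quote

# Constructed inputs mirroring this page's Pillow example (hypothetical client
# code, not Sonatype's): the component identifier and a trimmed response copy.
PILLOW_WHEEL = {"format": "pypi", "coordinates": {
    "extension": "whl", "name": "Pillow",
    "qualifier": "cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64",
    "version": "8.3.2"}}
SAMPLE_RESPONSE = {
    "identifier": "CVE-2022-22815",
    "mainSeverity": {"source": "cve_cvss_3", "score": 9.8},
    "weakness": {"cweSource": "CVE", "cweIds": [{"id": "665"}]},
    "rootCauses": [{"listOfPaths": ["Pillow-8.3.2/src/path.c"],
                    "versionRange": "[5.0.0 , 9.0.0)"}],
}

def vulnerability_url(base, vuln_id, component=None):
    """GET URL for /api/v2/vulnerabilities/{id}; componentIdentifier is compact JSON, percent-encoded."""
    url = f"{base}/api/v2/vulnerabilities/{quote(vuln_id, safe='')}"
    if component is not None:  # dict order must be format, then coordinates
        url += "?componentIdentifier=" + quote(json.dumps(component, separators=(",", ":")), safe="")
    return url

def _ver(s):
    # Numeric dotted versions only; sufficient for the ranges shown on this page.
    return tuple(int(p) for p in s.strip().split("."))

def in_version_range(version, version_range):
    """Maven-style two-bound range: [ ] inclusive, ( ) exclusive, empty bound = unbounded."""
    spec = version_range.strip()
    low, high = (b.strip() for b in spec[1:-1].split(","))
    v = _ver(version)
    if low and (v < _ver(low) or (v == _ver(low) and spec[0] != "[")):
        return False
    if high and (v > _ver(high) or (v == _ver(high) and spec[-1] != "]")):
        return False
    return True

def summarize(details, component_version=None):
    """Fields a triage script needs; null fields (as in anonymous responses) are tolerated."""
    sev = details.get("mainSeverity") or {}
    cwes = [c["id"] for c in (details.get("weakness") or {}).get("cweIds") or []]
    rcs = details.get("rootCauses") or []
    affected = None if component_version is None else any(
        in_version_range(component_version, rc["versionRange"]) for rc in rcs)
    return {"id": details["identifier"], "score": sev.get("score"),
            "severity_source": sev.get("source"), "cwe_ids": cwes,
            "component_affected": affected}
```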

Get limited vulnerability details using anonymous requests

Non-authenticated requests to the same URL will result in limited vulnerability details.

For example

curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

returns

{
    "identifier": "CVE-2017-5929",
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": null,
    "categories": null,
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": null,
    "recommendationMarkdown": null,
    "advisories": null
}