
Vulnerability Details REST API

The Vulnerability Details REST API allows you to retrieve vulnerability details by passing a CVE ID/Sonatype vulnerability identifier or a component identifier. The response will include the root causes of the vulnerability when you pass the component identifier as a parameter in the GET request.

User Permissions Required to Invoke this API call

  • View IQ Elements

Methods supported:

  1. GET (As an authenticated request)

  2. GET (As an anonymous, non-authenticated request)

GET vulnerability details by passing a CVE or Sonatype vulnerability identifier

Vulnerability details can be retrieved by making an authenticated HTTP GET request:

GET /api/v2/vulnerabilities/{vulnerabilityId}

Where {vulnerabilityId} is a CVE or a Sonatype vulnerability identifier.

Example:

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

where CVE-2017-5929 is the vulnerabilityId.

Response:

On successful execution, the response JSON returns the vulnerability details corresponding to the vulnerabilityId provided.

{
    "identifier": "CVE-2017-5929",
    "vulnIds": ["CVE-2017-5929"],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "XXX",
                "uri": "https://cwe.mitre.org/data/definitions/XXX.html"
            }
        ]
    },
    "categories": [
        "category1",
        "category2"
    ],
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": "Detection instructions will be provided here.",
    "recommendationMarkdown": "Recommendations will be provided here",
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "http://project-url"
        }
    ],
    "researchType": "DEEP_DIVE",
    "isAdvancedVulnerabilityDetection": false,
    "customData": {
        "remediation": "Install the latest version of the app",
        "cweId": "some-cwe-ids",
        "cvssVector": "some/vector",
        "cvssSeverity": 7.6
    }
}

In the JSON response above,

  • mainSeverity is the official CVE severity for the given vulnerability; if no CVE severity score exists, it holds the Sonatype severity assigned by Sonatype researchers.

  • severityScores lists all other known severity scores not already given in mainSeverity.

  • vulnerabilityLink is the link to the official CVE description page.

  • vulnIds is an array containing a list of related vulnerability IDs.

  • customData returns the vulnerability attributes that users have customized for the given vulnerability under the requested scope. The JSON response includes the "customData" field if customized vulnerability attributes are found under the given scope. Refer to customizing vulnerability attributes for more information.

Get vulnerability details by passing a component identifier

Vulnerability details can be retrieved by making an authenticated HTTP GET request that passes a component identifier as the componentIdentifier query parameter. The parameter value is a URL-encoded JSON object with "format" and "coordinates" fields, as in the example below. In addition to the vulnerability details, this request also returns the root causes of that vulnerability.

Example:

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'

Response:

{
    "identifier": "CVE-2022-22815",
    "vulnIds": [
        "CVE-2022-22815"
    ],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "665",
                "uri": "https://cwe.mitre.org/data/definitions/665.html"
            }
        ]
    },
    "categories": [
        "data"
    ],
    "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
    "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
    "componentExplanationMarkdown": "",
    "detectionMarkdown": "The application is vulnerable by using this component.",
    "componentDetectionMarkdown": "",
    "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
    "componentRecommendationMarkdown": "",
    "rootCauses": [
        {
            "listOfPaths": [
                "Pillow-8.3.2.tar.gz",
                "Pillow-8.3.2/src/path.c"
            ],
            "versionRange": "[5.0.0 , 9.0.0)"
        }
    ],
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "https://github.com/python-pillow/Pillow/pull/5920"
        },
        {
            "referenceType": "THIRD_PARTY",
            "url": "https://access.redhat.com/security/cve/cve-2022-22815"
        }
    ],
    "vulnerableVersionRanges": [
        "[8.3.2,9.0.0)"
    ],
    "researchType": "DEEP_DIVE",
    "isAdvancedVulnerabilityDetection": false,
    "customData": {
        "remediation": "some-string",
        "cweId": "some-cwe-ids",
        "cvssVector": "some/vector",
        "cvssSeverity": 7.6
    }
}

In the JSON response above, the vulnerableVersionRanges field contains the complete list of component version ranges that are vulnerable. A range bound can be inclusive, denoted by a bracket ('[' or ']'), or exclusive, denoted by a parenthesis ('(' or ')').
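As an added example (not part of the Sonatype documentation), the following Python script shows how a client would assemble the componentIdentifier query parameter from a JSON object, issue the authenticated or anonymous GET described in the sections above, and check a component version against the interval notation used by vulnerableVersionRanges and rootCauses[].versionRange. The base URL and the admin credentials are assumed from the page's curl examples; the version ordering is a simple dotted-numeric comparison of my own rather than the server's ecosystem-aware one; and SAMPLE_RESPONSE is a constructed, trimmed copy of the CVE-2022-22815 response shown above.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import quote, urlencode

# Assumed IQ Server address, matching the curl examples on this page.
BASE_URL = "http://localhost:8070"


def build_component_identifier(fmt, **coordinates):
    """Serialise a component identifier as the JSON object the componentIdentifier
    query parameter carries: {"format": ..., "coordinates": {...}}.
    Keyword order is preserved, so pass coordinates in the order you want encoded."""
    return json.dumps({"format": fmt, "coordinates": coordinates}, separators=(",", ":"))


def build_vulnerability_url(vuln_id, component_identifier=None, base_url=BASE_URL):
    """Build GET /api/v2/vulnerabilities/{vulnerabilityId}, URL-encoding the optional
    componentIdentifier JSON exactly as it appears in the page's curl example."""
    url = f"{base_url}/api/v2/vulnerabilities/{quote(vuln_id, safe='')}"
    if component_identifier is not None:
        url += "?" + urlencode({"componentIdentifier": component_identifier})
    return url


def fetch_vulnerability(vuln_id, component_identifier=None, auth=None, base_url=BASE_URL):
    """Perform the request. auth=(user, password) sends HTTP Basic like `curl -u`;
    auth=None is the anonymous request, which returns the reduced response."""
    req = urllib.request.Request(build_vulnerability_url(vuln_id, component_identifier, base_url))
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Interval notation used by vulnerableVersionRanges and rootCauses[].versionRange,
# e.g. "[5.0.0 , 9.0.0)": '[' / ']' inclusive, '(' / ')' exclusive, empty bound = open.
RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\])])\s*$")


def parse_version_range(text):
    """Return (low, low_inclusive, high, high_inclusive); a bound of None is open."""
    m = RANGE_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version range: {text!r}")
    low_br, low, high, high_br = m.groups()
    return (low or None, low_br == "[", high or None, high_br == "]")


def version_key(version):
    """Dotted-numeric ordering (1.10 > 1.9); non-numeric pieces sort after numeric ones.
    Assumed simplification for the example, not the server's comparison rules."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def version_in_range(version, range_text):
    """True if `version` lies inside the interval written in `range_text`."""
    low, low_inc, high, high_inc = parse_version_range(range_text)
    key = version_key(version)
    if low is not None:
        low_key = version_key(low)
        if key < low_key or (key == low_key and not low_inc):
            return False
    if high is not None:
        high_key = version_key(high)
        if key > high_key or (key == high_key and not high_inc):
            return False
    return True


# Constructed sample: a trimmed copy of the CVE-2022-22815 response shown on this page.
SAMPLE_RESPONSE = {
    "identifier": "CVE-2022-22815",
    "mainSeverity": {"source": "cve_cvss_3", "score": 9.8},
    "rootCauses": [
        {"listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
         "versionRange": "[5.0.0 , 9.0.0)"}
    ],
    "vulnerableVersionRanges": ["[8.3.2,9.0.0)"],
}


def affected_ranges(response, version):
    """vulnerableVersionRanges entries that contain `version`. An empty list means
    'not in any listed range'; a response without the field (no componentIdentifier
    given, or an anonymous request) yields [] too, which reads as unknown, not safe."""
    ranges = response.get("vulnerableVersionRanges") or []
    return [r for r in ranges if version_in_range(version, r)]


def root_cause_paths(response, version):
    """File paths from rootCauses whose versionRange contains `version`."""
    paths = []
    for cause in response.get("rootCauses") or []:
        if version_in_range(version, cause["versionRange"]):
            paths.extend(cause["listOfPaths"])
    return paths


if __name__ == "__main__":
    pillow = build_component_identifier(
        "pypi", extension="whl", name="Pillow",
        qualifier="cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64", version="8.3.2")
    print(build_vulnerability_url("CVE-2022-22815", pillow))
    print(affected_ranges(SAMPLE_RESPONSE, "8.3.2"), root_cause_paths(SAMPLE_RESPONSE, "8.3.2"))
    # Live call, needs a reachable IQ Server:
    # fetch_vulnerability("CVE-2022-22815", pillow, auth=("admin", "admin123"))
```

Running the script offline prints the same URL as the page's curl example, which confirms that the encoded componentIdentifier is just a compact JSON object passed through standard query-string encoding. Note that rootCauses[].versionRange ("[5.0.0 , 9.0.0)") can be wider than vulnerableVersionRanges ("[8.3.2,9.0.0)"): the first describes where the vulnerable code lives, the second which versions the research team marks as affected, so a remediation decision should key off vulnerableVersionRanges.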

GET vulnerability details using anonymous, non-authenticated requests

The response to an anonymous, non-authenticated request contains only limited vulnerability details.

Example:

curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

Response:

{
    "identifier": "CVE-2017-5929",
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": null,
    "categories": null,
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": null,
    "recommendationMarkdown": null,
    "advisories": null,
    "researchType": "DEEP_DIVE",
    "isAdvancedVulnerabilityDetection": false
}