Vulnerability Details REST API - v2
The Vulnerability Details REST API allows you to
Get vulnerability details
Vulnerability details can be retrieved by making an authenticated HTTP GET request to
GET /api/v2/vulnerabilities/{vulnerabilityId}
where {vulnerabilityId} is a CVE or a Sonatype vulnerability identifier.
For example
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
returns a JSON of the following shape (the JSON below is just an example and doesn't contain actual proprietary data):
{
  "identifier": "CVE-2017-5929",
  "vulnIds": ["CVE-2017-5929"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": {
    "shortName": "CVE",
    "longName": "National Vulnerability Database"
  },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [
      { "id": "XXX", "uri": "https://cwe.mitre.org/data/definitions/XXX.html" }
    ]
  },
  "categories": ["category1", "category2"],
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": "Detection instructions will be provided here.",
  "recommendationMarkdown": "Recommendations will be provided here",
  "advisories": [
    { "referenceType": "PROJECT", "url": "http://project-url" }
  ]
}
In the JSON above:
mainSeverity is the official CVE severity for the given vulnerability; if no CVE severity score is provided, the Sonatype severity assigned by Sonatype researchers is used instead.
severityScores lists all the other known severity scores that are not already given in mainSeverity.
vulnerabilityLink is provided only for CVE vulnerabilities.
vulnIds is provided since release 134; it is an array containing the ids of the related vulnerabilities.
Get vulnerability details using component identifier parameter
Vulnerability details can also be retrieved by making an authenticated HTTP GET request that passes a component identifier (a URL-encoded JSON object) as the componentIdentifier query parameter. When a component identifier is used to retrieve the data, the root causes of that vulnerability are returned as well.
For example
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'
returns
{
  "identifier": "CVE-2022-22815",
  "vulnIds": ["CVE-2022-22815"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
  "source": {
    "shortName": "CVE",
    "longName": "National Vulnerability Database"
  },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [
      { "id": "665", "uri": "https://cwe.mitre.org/data/definitions/665.html" }
    ]
  },
  "categories": ["data"],
  "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
  "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
  "componentExplanationMarkdown": "",
  "detectionMarkdown": "The application is vulnerable by using this component.",
  "componentDetectionMarkdown": "",
  "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
  "componentRecommendationMarkdown": "",
  "rootCauses": [
    {
      "listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
      "versionRange": "[5.0.0 , 9.0.0)"
    }
  ],
  "advisories": [
    { "referenceType": "PROJECT", "url": "https://github.com/python-pillow/Pillow/pull/5920" },
    { "referenceType": "THIRD_PARTY", "url": "https://access.redhat.com/security/cve/cve-2022-22815" }
  ]
}
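The following Python is an added example, not code from this page or from Sonatype: it builds the componentIdentifier request URL from a dict (the compact JSON object that appears URL-encoded in the curl command above) and checks a component version against the versionRange values returned in rootCauses. It assumes versionRange uses the interval notation of the example with dotted numeric versions; the helper names and the sample response dict are the example's own.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample: the component identifier from the page's Pillow example, as a dict.
COMPONENT_IDENTIFIER = {
    "format": "pypi",
    "coordinates": {"extension": "whl", "name": "Pillow",
                    "qualifier": "cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64",
                    "version": "8.3.2"},
}
# Constructed subset of the page's response for CVE-2022-22815 (only the field used here).
SAMPLE_RESPONSE = {"identifier": "CVE-2022-22815",
                   "rootCauses": [{"listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
                                   "versionRange": "[5.0.0 , 9.0.0)"}]}

def vulnerability_url(base_url, vuln_id, component_identifier=None):
    """Build the GET URL; componentIdentifier is compact JSON sent as one URL-encoded query parameter."""
    url = f"{base_url.rstrip('/')}/api/v2/vulnerabilities/{vuln_id}"
    if component_identifier is not None:
        # separators=(",", ":") drops whitespace so the encoding matches the page's curl example
        compact = json.dumps(component_identifier, separators=(",", ":"))
        url = f"{url}?{urlencode({'componentIdentifier': compact})}"
    return url

_RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*$")

def _version_key(version):
    # Assumption: dotted numeric versions, as in the page's example; compared component-wise.
    return tuple(int(part) for part in version.split("."))

def version_in_range(version, version_range):
    """True if version lies in a Maven-style interval such as "[5.0.0 , 9.0.0)"; an empty bound is unbounded."""
    match = _RANGE_RE.match(version_range)
    if not match:
        raise ValueError(f"unrecognised version range: {version_range!r}")
    lo_bracket, lo, hi, hi_bracket = match.groups()
    key = _version_key(version)
    if lo and not (key >= _version_key(lo) if lo_bracket == "[" else key > _version_key(lo)):
        return False
    if hi and not (key <= _version_key(hi) if hi_bracket == "]" else key < _version_key(hi)):
        return False
    return True

def affected_root_causes(response, version):
    """Root causes from the response's rootCauses array whose versionRange contains the given version."""
    return [rc for rc in (response.get("rootCauses") or []) if version_in_range(version, rc["versionRange"])]
```

With the sample dict, vulnerability_url("http://localhost:8070", "CVE-2022-22815", COMPONENT_IDENTIFIER) reproduces the URL of the curl command above byte for byte.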
Get limited vulnerability details using anonymous requests
Non-authenticated requests to the same URL will result in limited vulnerability details.
For example
curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
returns
{
  "identifier": "CVE-2017-5929",
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": {
    "shortName": "CVE",
    "longName": "National Vulnerability Database"
  },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": null,
  "categories": null,
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": null,
  "recommendationMarkdown": null,
  "advisories": null
}
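As an added Python example (not code from this page or from Sonatype), the helpers below read both response shapes shown on this page, the authenticated one with vulnIds, weakness and categories and the anonymous one where those fields are null or absent, and apply the field rules given above: a null weakness or detectionMarkdown in the anonymous view means the caller was not authenticated, not that nothing is known, and mainSeverity is the CVE score unless only a Sonatype score exists. The helper names and the two sample dicts are constructed for the example.

```python
# Constructed samples following the two response shapes on the page: the authenticated view
# (vulnIds, weakness, categories present) and the anonymous view (those fields null or absent).
MAIN_SEVERITY = {"source": "cve_cvss_3", "score": 9.8,
                 "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}
OTHER_SCORES = [{"source": "cve_cvss_2", "score": 7.5}, {"source": "sonatype_cvss_3", "score": 9.8}]
AUTHENTICATED = {
    "identifier": "CVE-2017-5929", "vulnIds": ["CVE-2017-5929"],
    "mainSeverity": MAIN_SEVERITY, "severityScores": OTHER_SCORES,
    "weakness": {"cweSource": "CVE",
                 "cweIds": [{"id": "XXX", "uri": "https://cwe.mitre.org/data/definitions/XXX.html"}]},
    "categories": ["category1", "category2"],
    "detectionMarkdown": "Detection instructions will be provided here.",
    "recommendationMarkdown": "Recommendations will be provided here",
    "advisories": [{"referenceType": "PROJECT", "url": "http://project-url"}],
}
ANONYMOUS = {
    "identifier": "CVE-2017-5929",
    "mainSeverity": MAIN_SEVERITY, "severityScores": OTHER_SCORES,
    "weakness": None, "categories": None,
    "detectionMarkdown": None, "recommendationMarkdown": None, "advisories": None,
}

# Fields the page shows as null in the anonymous (non-authenticated) response.
LIMITED_VIEW_FIELDS = ("weakness", "categories", "detectionMarkdown", "recommendationMarkdown", "advisories")

def is_limited_view(response):
    """True when every field the anonymous view nulls out is null: treat it as missing data, not as 'none'."""
    return all(response.get(field) is None for field in LIMITED_VIEW_FIELDS)

def severity_by_source(response):
    """All known scores keyed by source: severityScores plus mainSeverity (which also carries the vector)."""
    scores = {e["source"]: {"score": e["score"], "vector": e.get("vector")}
              for e in response.get("severityScores") or []}
    main = response.get("mainSeverity")
    if main:
        scores[main["source"]] = {"score": main["score"], "vector": main.get("vector")}
    return scores

def main_severity_is_cve(response):
    """Per the page, mainSeverity is the CVE score unless none exists, in which case Sonatype's is used."""
    return (response.get("mainSeverity") or {}).get("source", "").startswith("cve_")

def cwe_ids(response):
    """CWE ids from weakness.cweIds; empty for the anonymous view, where weakness is null."""
    return [c["id"] for c in (response.get("weakness") or {}).get("cweIds") or []]

def related_ids(response):
    """vulnIds (present since release 134, and only in the authenticated view), else just the identifier."""
    return list(response.get("vulnIds") or [response["identifier"]])
```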