Vulnerability Details REST API - v2

NEW IN RELEASE 75

The Vulnerability Details REST API allows you to retrieve the details of a vulnerability by its CVE or Sonatype vulnerability identifier.

Get vulnerability details

Vulnerability details can be retrieved by making an authenticated HTTP GET request to

GET /api/v2/vulnerabilities/{vulnerabilityId}

where {vulnerabilityId} is a CVE or a Sonatype vulnerability identifier.

For example

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

returns a JSON document of the following shape (the JSON below is only an example and does not contain actual proprietary data):

{
    "identifier": "CVE-2017-5929",
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "XXX",
                "uri": "https://cwe.mitre.org/data/definitions/XXX.html"
            }
        ]
    },
    "categories": [
        "category1",
        "category2"
    ],
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": "Detection instructions will be provided here.",
    "recommendationMarkdown": "Recommendations will be provided here",
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "http://project-url"
        }
    ]
}

In the JSON above

  • mainSeverity is the official CVE severity for the given vulnerability; when no CVE severity score is provided, the Sonatype severity assigned by Sonatype researchers is used instead.
  • severityScores lists all other known severity scores that are not already given in mainSeverity.
  • vulnerabilityLink is provided only for CVE vulnerabilities.

Get limited vulnerability details using anonymous requests

Non-authenticated requests to the same URL return limited vulnerability details: the weakness, categories, detectionMarkdown, recommendationMarkdown and advisories fields come back as null.

For example

curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

returns

{
    "identifier": "CVE-2017-5929",
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": null,
    "categories": null,
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": null,
    "recommendationMarkdown": null,
    "advisories": null
}
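The following client-side helper is an added example (not Sonatype's code) that covers both the authenticated and the anonymous request described above: it issues the GET with optional Basic auth, parses the CVSS vector from mainSeverity, and flags a response that carries only the limited anonymous subset, so a script does not mistake it for full details. It assumes an IQ Server at http://localhost:8070 as in the curl examples; the sample response is constructed from the anonymous JSON shown above.

```python
"""Consume Vulnerability Details API responses (added example; not Sonatype's code)."""
import base64, json, urllib.parse, urllib.request
IQ_BASE_URL = "http://localhost:8070"  # assumption: local IQ Server, as in the curl examples
# Fields the page shows as null in an anonymous (limited) response.
RESTRICTED_FIELDS = ("weakness", "categories", "detectionMarkdown", "recommendationMarkdown", "advisories")

def fetch_vulnerability(vuln_id, username=None, password=None):
    """GET /api/v2/vulnerabilities/{vulnerabilityId}; sends Basic auth only when credentials are given."""
    url = f"{IQ_BASE_URL}/api/v2/vulnerabilities/{urllib.parse.quote(vuln_id, safe='')}"
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def is_limited(details):
    """True when only the anonymous subset came back (every restricted field is null)."""
    return all(details.get(field) is None for field in RESTRICTED_FIELDS)

def parse_cvss_vector(vector):
    """Split 'CVSS:3.0/AV:N/AC:L/...' into {'version': '3.0', 'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector: {vector!r}")
    parsed = {"version": head.split(":", 1)[1]}
    for metric in metrics:
        key, _, value = metric.partition(":")
        parsed[key] = value
    return parsed

def summarize(details):
    """Reduce a response to the fields a triage script acts on."""
    main = details["mainSeverity"]
    return {
        "identifier": details["identifier"],
        "main_score": main["score"],
        "network_reachable": parse_cvss_vector(main["vector"]).get("AV") == "N",
        "other_scores": {s["source"]: s["score"] for s in details.get("severityScores") or []},
        "cwe_ids": [c["id"] for c in (details.get("weakness") or {}).get("cweIds", [])],
        "limited": is_limited(details),
    }

# Constructed sample: the anonymous (limited) response from the page, abbreviated.
SAMPLE_ANONYMOUS = {
    "identifier": "CVE-2017-5929", "weakness": None, "categories": None,
    "mainSeverity": {"source": "cve_cvss_3", "score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    "severityScores": [{"source": "cve_cvss_2", "score": 7.5}, {"source": "sonatype_cvss_3", "score": 9.8}],
    "detectionMarkdown": None, "recommendationMarkdown": None, "advisories": None,
}
```

Call `fetch_vulnerability("CVE-2017-5929", "admin", "admin123")` for the authenticated response and check `summarize(...)["limited"]` before relying on weakness or recommendation data.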