Vulnerability Details REST API - v2

The Vulnerability Details REST API allows you to:

Get vulnerability details

Vulnerability details can be retrieved by making an authenticated HTTP GET request:

GET /api/v2/vulnerabilities/{vulnerabilityId}

Where {vulnerabilityId} is a CVE identifier (for example CVE-2017-5929) or a Sonatype vulnerability identifier.

For example:

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

(The -u user:password form is convenient for local testing; in scripts, prefer curl -n with a .netrc file so the credentials do not appear in the process list or shell history.)

The request above returns JSON of the following shape (the JSON below is an example and does not contain proprietary data):

{
    "identifier": "CVE-2017-5929",
    "vulnIds": ["CVE-2017-5929"],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "XXX",
                "uri": "https://cwe.mitre.org/data/definitions/XXX.html"
            }
        ]
    },
    "categories": [
        "category1",
        "category2"
    ],
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": "Detection instructions will be provided here.",
    "recommendationMarkdown": "Recommendations will be provided here",
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "http://project-url"
        }
    ]
}

In the JSON above

  • mainSeverity is the official CVE severity for the vulnerability; if no CVE severity score exists, it holds the Sonatype severity assigned by Sonatype researchers.
  • severityScores are all other known severity scores not already given in mainSeverity.
  • vulnerabilityLink is the link to the official CVE description page.
  • vulnIds (new in release 134) is an array containing the list of related vulnerability IDs.

Get vulnerability details using component identifier parameter

Vulnerability details can also be retrieved by an authenticated HTTP GET request that passes a component identifier as a query parameter. The componentIdentifier value is the component's JSON identifier (format plus coordinates), URL-encoded, as in the example below. In addition to the vulnerability details, this GET request also returns the root causes of that vulnerability.

For example:

curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'

returns

{
    "identifier": "CVE-2022-22815",
    "vulnIds": [
        "CVE-2022-22815"
    ],
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": {
        "cweSource": "CVE",
        "cweIds": [
            {
                "id": "665",
                "uri": "https://cwe.mitre.org/data/definitions/665.html"
            }
        ]
    },
    "categories": [
        "data"
    ],
    "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
    "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
    "componentExplanationMarkdown": "",
    "detectionMarkdown": "The application is vulnerable by using this component.",
    "componentDetectionMarkdown": "",
    "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
    "componentRecommendationMarkdown": "",
    "rootCauses": [
        {
            "listOfPaths": [
                "Pillow-8.3.2.tar.gz",
                "Pillow-8.3.2/src/path.c"
            ],
            "versionRange": "[5.0.0 , 9.0.0)"
        }
    ],
    "advisories": [
        {
            "referenceType": "PROJECT",
            "url": "https://github.com/python-pillow/Pillow/pull/5920"
        },
        {
            "referenceType": "THIRD_PARTY",
            "url": "https://access.redhat.com/security/cve/cve-2022-22815"
        }
    ],
    "vulnerableVersionRanges": [
        "[8.3.2,9.0.0)"
    ]
}

NEW IN RELEASE 140

A new JSON return field, vulnerableVersionRanges, has been added to the response of GET requests that include a component identifier as a query parameter. This field returns the complete list of component version ranges that are vulnerable. Ranges can be inclusive, denoted by a bracket ('[' or ']'), or exclusive, denoted by a parenthesis ('(' or ')'). The rootCauses[].versionRange field in the example above uses the same notation. For example, "[8.3.2,9.0.0)" covers 8.3.2 and every later version below 9.0.0; 9.0.0 itself is not in the range.
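As an added example (not part of the Sonatype documentation or of the IQ Server code base), the following Python script ties the three pieces above together: it builds the request URL for both forms of the GET (with and without the URL-encoded componentIdentifier), fetches the details with HTTP Basic authentication, and evaluates the vulnerableVersionRanges and rootCauses[].versionRange interval notation against a component version. The base URL, the credentials, the simplified dotted-numeric version comparison and the reduced sample response embedded in the script are assumptions for illustration; the sample response is constructed from the CVE-2022-22815 example above and is not a live server reply.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import quote, urlencode

# --- Request construction --------------------------------------------------

def build_vulnerability_url(base_url, vuln_id, component_identifier=None):
    """Build GET /api/v2/vulnerabilities/{vulnerabilityId}, optionally with the
    componentIdentifier query parameter (a JSON object, URL-encoded)."""
    url = f"{base_url.rstrip('/')}/api/v2/vulnerabilities/{quote(vuln_id, safe='')}"
    if component_identifier is not None:
        # Compact separators so the encoded value matches the form shown in the
        # documentation's own curl example (no spaces around ':' or ',').
        compact = json.dumps(component_identifier, separators=(",", ":"))
        url += "?" + urlencode({"componentIdentifier": compact})
    return url


def fetch_vulnerability_details(base_url, vuln_id, username, password,
                                component_identifier=None, timeout=30):
    """Authenticated GET using HTTP Basic auth; returns the parsed JSON body.
    Credentials are passed in explicitly so they can come from a secret store
    or the environment rather than a shell command line."""
    url = build_vulnerability_url(base_url, vuln_id, component_identifier)
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# --- Version range evaluation ---------------------------------------------

# Interval notation: '[' / ']' inclusive, '(' / ')' exclusive, either bound may
# be empty (unbounded). Whitespace around the bounds is tolerated because the
# rootCauses[].versionRange example reads "[5.0.0 , 9.0.0)".
RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*$")


def version_key(version, width=4):
    """Simplified comparison key (an assumption for this example, not a full
    PEP 440 or Maven version parser): dotted numeric segments, right-padded with
    zeros so that 9 == 9.0 == 9.0.0. Non-numeric segments raise ValueError
    rather than being silently misordered."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_range(spec):
    """Return (low, low_inclusive, high, high_inclusive); None means unbounded."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised version range: {spec!r}")
    lo_bracket, lo, hi, hi_bracket = m.groups()
    return lo or None, lo_bracket == "[", hi or None, hi_bracket == "]"


def version_in_range(version, spec):
    lo, lo_inclusive, hi, hi_inclusive = parse_range(spec)
    v = version_key(version)
    if lo is not None:
        lo_k = version_key(lo)
        if v < lo_k or (v == lo_k and not lo_inclusive):
            return False
    if hi is not None:
        hi_k = version_key(hi)
        if v > hi_k or (v == hi_k and not hi_inclusive):
            return False
    return True


def is_version_affected(details, version):
    """True when `version` falls inside any vulnerableVersionRanges entry of a
    vulnerability-details response (the field is present only when the request
    carried a componentIdentifier)."""
    ranges = details.get("vulnerableVersionRanges") or []
    return any(version_in_range(version, r) for r in ranges)


def affected_root_causes(details, version):
    """listOfPaths of every root cause whose versionRange contains `version`."""
    return [rc["listOfPaths"] for rc in details.get("rootCauses") or []
            if version_in_range(version, rc["versionRange"])]


# Constructed sample data: the Pillow identifier from the curl example and the
# CVE-2022-22815 response above, reduced to the fields this script uses.
PILLOW_IDENTIFIER = {
    "format": "pypi",
    "coordinates": {"extension": "whl", "name": "Pillow",
                    "qualifier": "cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64",
                    "version": "8.3.2"},
}
SAMPLE_RESPONSE = {
    "identifier": "CVE-2022-22815",
    "rootCauses": [{"listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
                    "versionRange": "[5.0.0 , 9.0.0)"}],
    "vulnerableVersionRanges": ["[8.3.2,9.0.0)"],
}

if __name__ == "__main__":
    print(build_vulnerability_url("http://localhost:8070", "CVE-2022-22815", PILLOW_IDENTIFIER))
    for v in ("8.3.1", "8.3.2", "9.0.0"):
        print(v, "affected:", is_version_affected(SAMPLE_RESPONSE, v),
              "root causes:", affected_root_causes(SAMPLE_RESPONSE, v))
    # Live query against an assumed local server (user/password from your secret store):
    # details = fetch_vulnerability_details("http://localhost:8070", "CVE-2022-22815",
    #                                       user, password, PILLOW_IDENTIFIER)
```

Note that rootCauses[].versionRange and vulnerableVersionRanges can disagree, as they do in the sample: 8.3.1 is inside the root-cause range "[5.0.0 , 9.0.0)" but outside the single vulnerable range "[8.3.2,9.0.0)", so a policy check should key on vulnerableVersionRanges and use the root-cause paths only to locate the offending file in the artifact.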

Get vulnerability details using anonymous requests

Anonymous, non-authenticated requests can be made to the same URL, but return limited vulnerability details: in the response below, weakness, categories, detectionMarkdown, recommendationMarkdown and advisories are null, and vulnIds is omitted.

For example:

curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'

returns

{
    "identifier": "CVE-2017-5929",
    "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
    "source": {
        "shortName": "CVE",
        "longName": "National Vulnerability Database"
    },
    "mainSeverity": {
        "source": "cve_cvss_3",
        "score": 9.8,
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "severityScores": [
        {
            "source": "cve_cvss_2",
            "score": 7.5
        },
        {
            "source": "sonatype_cvss_3",
            "score": 9.8
        }
    ],
    "weakness": null,
    "categories": null,
    "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
    "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand.  When data is received from the `Socket`, to be logged, it is deserialized into Java objects.  An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
    "detectionMarkdown": null,
    "recommendationMarkdown": null,
    "advisories": null
}