XRAY: How to Create a Custom Issue with Xray with Rest API

Author: Derek Pang
Article number: 000005309
Source: Salesforce
First published: 2022-06-14T12:57:46Z
Last modified: 2022-07-19
Version: 6
The wiki page for this REST API endpoint is located here. I will be going through the components of the JSON that is sent to this endpoint.

Here is an example of a curl command that uses this endpoint. It is based on the log4j vulnerability CVE-2021-44228.

curl -u<admin> "<ART_URL>/xray/api/v1/events" \
  -H "Content-Type: application/json" \
  --data '{
    "id": "Custom-log4j-alert",
    "type": "Security",
    "provider": "Custom",
    "package_type": "maven",
    "severity": "Critical",
    "cves": [{"cve": "CVE-2021-44228", "cvss_v2": "9.3", "cvss_v3": "10"}],
    "summary": "CVE-2021-44228",
    "description": "sample Custom Issue for CVE-2021-44228",
    "properties": {},
    "components": [{
      "id": "org.apache.logging.log4j:log4j-core",
      "vulnerable_versions": ["[2.0.0,2.12.1]", "[2.13.0,2.15.0)"],
      "fixed_versions": ["[2.12.2]", "[2.15.0]", "[2.3.1]"]
    }],
    "sources": [{"source_id": "Custom-issueTest"}]
  }'


Replace the placeholders <admin> and <ART_URL> with your instance's information, in this case the username and the Artifactory URL respectively.

The "id" field ("Custom-log4j-alert") is the Custom Issue's id. Xray uses it to uniquely identify the issue, so it must not collide with an existing issue id.

The "severity" field and the "cves" entry (the CVE id with its cvss_v2 and cvss_v3 scores) are where I set the severity, CVE, and CVSS scores for this Custom Issue. (I matched the values from https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and set the severity accordingly.)

For the "summary" and "description" fields, I just put the CVE id. You may add additional information in these fields if you would like.

For "vulnerable_versions", this is the compiled list of version ranges that I wish to flag, written in Maven interval notation (i.e. the snippet above translates to "2.0.0 through 2.12.1 inclusive, and 2.13.0 up to but not including 2.15.0", the ")" making the upper bound exclusive).

Do note that for this package there are sometimes version names that don't fit neatly into a range, for example "2.0-beta9" or "2.14.0-rc1". In cases like these, each one has to be listed explicitly as its own single-version entry, i.e. "[2.0-beta9]", "[2.14.0-rc1]", and so on.
For "fixed_versions", I have placed the fixed versions mentioned in the CVE.
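As an added example (my own code, not JFrog's and not part of the original article), the following Python script holds the same payload as a dict and checks a given log4j-core version against its "vulnerable_versions" and "fixed_versions" entries using the Maven interval notation described above. "[2.0-beta9]" is added to the list purely to show an explicitly listed label; range bounds are assumed to be plain numeric versions.

```python
import re

# The article's payload, constructed here as a dict; "[2.0-beta9]" is added to show an
# explicitly listed pre-release label, which the article says cannot sit inside a range.
CUSTOM_ISSUE = {
    "id": "Custom-log4j-alert", "type": "Security", "provider": "Custom",
    "package_type": "maven", "severity": "Critical",
    "cves": [{"cve": "CVE-2021-44228", "cvss_v2": "9.3", "cvss_v3": "10"}],
    "summary": "CVE-2021-44228", "description": "sample Custom Issue for CVE-2021-44228",
    "properties": {},
    "components": [{"id": "org.apache.logging.log4j:log4j-core",
                    "vulnerable_versions": ["[2.0.0,2.12.1]", "[2.13.0,2.15.0)", "[2.0-beta9]"],
                    "fixed_versions": ["[2.12.2]", "[2.15.0]", "[2.3.1]"]}],
    "sources": [{"source_id": "Custom-issueTest"}],
}
# Maven interval: bracket, lower bound, optional ",upper bound", bracket (bounds assumed numeric).
RANGE_RE = re.compile(r"^([\[(])([^,\])]*)(?:,([^,\])]*))?([\])])$")

def parse_version(v):
    # Numeric dotted versions become int tuples; labelled ones ("2.14.0-rc1") return None
    # and can therefore only match an exact "[x]" entry, as the article requires.
    return tuple(int(p) for p in v.split(".")) if re.fullmatch(r"\d+(\.\d+)*", v) else None

def cmp_versions(a, b):
    n = max(len(a), len(b))                   # pad so that 2.15 compares equal to 2.15.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def version_in_range(version, spec):
    # "[a,b]" inclusive, "[a,b)" / "(a,b]" half-open, "[x]" exact, empty bound = unbounded.
    m = RANGE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported range spec: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    if hi is None:                            # "[x]": exact string match, labels included
        return version == lo
    v = parse_version(version)
    if v is None:                             # a labelled version never falls inside a range
        return False
    lo_ok = not lo or cmp_versions(v, parse_version(lo)) > (-1 if lo_br == "[" else 0)
    hi_ok = not hi or cmp_versions(v, parse_version(hi)) < (1 if hi_br == "]" else 0)
    return lo_ok and hi_ok

def classify(version, component=CUSTOM_ISSUE["components"][0]):
    # A listed fixed version wins over a vulnerable range that still spans it (e.g. 2.3.1).
    if any(version_in_range(version, s) for s in component["fixed_versions"]):
        return "fixed"
    if any(version_in_range(version, s) for s in component["vulnerable_versions"]):
        return "vulnerable"
    return "not affected"
```

`json.dumps(CUSTOM_ISSUE)` produces the string passed to curl's --data, and `classify("2.14.0-rc1")` returns "not affected" until that label is added as its own "[2.14.0-rc1]" entry.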


Here is a sample screenshot of the result of adding this custom issue. This screenshot is from Artifactory version 7.38.10 and Xray 3.50.3.
