Description: Retrieves Contextual Analysis data for vulnerability
Since: 3.54
Security: Requires a valid user with the "Read" permissions
Usage: GET /xray/api/v1/cve_applicability
Produces: application/json
Query parameters:
Name | Type | Required/Optional | Description |
|---|---|---|---|
| string | required | Component id is the resource id (artifact/build/release-bundle). Component id is not unique, all relevant results returned. If the id is of a build or a release bundle, all artifacts which are direct children of the build/bundle will be considered. Examples:
|
| string | required | Xray id Example: |
| string | optional | Source component id is the SBOM package that the vulnerability originates from. If given, only a result matching that component will be returned. If not given, returned results will contain data for any component in the artifact. Example:
|
| string | optional | If given, will be used to identify the specific artifact that is relevant. Otherwise, going only by component_id can result in aggregation of results from several artifacts. Only relevant for artifacts (not build/release-bundle). Example:
|
| string | optional | If given, will be used to identify the specific artifact that is relevant. Otherwise, going only by component_id can result in aggregation of results from several artifacts. Only relevant for artifacts (not build/bundle). Example:
|
Response body:
Name | Type | Description |
|---|---|---|
| boolean | Indicates if the scanner is available for this vulnerability |
| boolean | Applicability status of the vulnerability |
| integer | Scan status for the vulnerability |
| Array [ItemObj] | Array of results |
ItemObj:
Name | Type | Description |
|---|---|---|
| boolean | Indicates if the scanner is available for this vulnerability. |
| string | sha256 of the artifact. |
| string | Source component ID for the vulnerability. |
| string | CVE ID for the vulnerability. |
| integer | Scan status for the vulnerability. |
| boolean | Applicability status of the vulnerability. |
| string | Explanation from the scanner regarding the vulnerability. |
| string | Additional information about the vulnerability. |
| string | Details of the vulnerability. |
Response codes:
Status code | Description |
|---|---|
200 | OK |
400 | Bad request - Required fields are missing |
403 | Permission denied |
Example request - repository:
Url:
/xray/api/v1/cve_applicability?component_id=docker://xmas:policy&vulnerability_id=XRAY-95701&path=docker-local/app/latest/manifest.json
Example request build:
Url:
/xray/api/v1/cve_applicability?vulnerability_id=XRAY-95701&component_id=build://docker-build:1
Example of successful response:
200 OK
{
"scanner_available": true,
"applicability": true,
"scan_status": 1,
"items": [
{
"scanner_available": true,
"component_id": "596c488dd640ebe772259ecb88b703db768b1aa53cc12396044bf798d526cc92",
"cve_id": "CVE-2020-1747",
"scan_status": 1,
"applicability": true,
"scanner_explanation": "<p>The scanner checks whether any of the following vulnerable functions are called:</p>\n<ul>\n<li><code>yaml.full_load()</code></li>\n<li><code>yaml.load()</code> only unsafe calls (without specifying <code>SafeLoader</code> as the <code>Loader</code>class).</li>\n</ul>",
"details": [
{
"file_path": "/applicable/main.py",
"details": "Evidence: yaml.full_load(f), Line Number: 4, Issue Found: The vulnerable function yaml.full_load/load is called"
},
{
"file_path": "/applicable/main2.py",
"details": "Evidence: yaml.load(f, Loader=yaml.FullLoader), Line Number: 4, Issue Found: The vulnerable function yaml.full_load/load is called"
}
],
"source_comp_id": "pypi://PyYAML:5.2",
"info": "The vulnerable function yaml.full_load/load is called"
}
]
}
Example error response:
400 Bad request
{
"error": "Badly formatted request"
}