```json
{
  "id": String, // Identifier
  "source": String, // Source from which the vulnerability was reported (see VULNERABILITY_SOURCE)
  "sourceId": String, // Identifier of the pentest or scan
  "type": String, // Vulnerability type, e.g. Injection, Broken Access Control
  "status": VULNERABILITY_STATUS, // Current vulnerability status
  "severity": VULNERABILITY_SEVERITY, // Derived directly from the inputs of the CVSS calculator
  "url": String,
  "title": String, // Vulnerability name
  "createdAt": String, // Date of the vulnerability
  "detail": {
    "description": String, // Vulnerability explanation
    "impact": Integer, // Deprecated: this information is now provided by the CVSS calculator
    "likelyhood": Integer, // Deprecated: this information is now provided by the CVSS calculator
    "proofOfConcept": String, // Steps to find the vulnerability
    "criticalityDescription": String, // More information on the reason for the severity or criticality
    "suggestedFix": String, // Suggested solution to resolve the vulnerability
    "httpRequest": String, // Request made when the vulnerability was found
    "httpResponse": String // Response received when the vulnerability was found
  },
  "cvssCalculator": { // Result of the CVSS calculator v3.1
    "score": Float,
    "vector": String,
    "attackVector": ATTACK_VECTOR,
    "attackComplexity": ATTACK_COMPLEXITY,
    "privilegesRequired": PRIVILAGES_REQUIRED,
    "userInteraction": USER_INTERACTION,
    "scope": SCOPE,
    "confidentiality": CONFIDENTIALITY,
    "integrity": INTEGRITY,
    "availability": AVAILABILITY
  },
  "cweId": Integer, // CWE global identifier
  "cwe": String, // CWE global name
  "strikerUsername": String, // Username of the striker who reported the vulnerability
  "comments": { // Comments from strikers and customers
    "message": String,
    "userType": String, // client or striker
    "userId": String,
    "photoUrl": String,
    "username": String,
    "createdAt": String
  },
  "files": { // Files the striker attached when reporting
    "name": String, // File name with extension, e.g. example.jpeg
    "url": String // Temporary URL to download the file
  }
}
```
Note: impact and likelihood are no longer necessary because the severity calculator provides this information. These attributes will still be included in the response for vulnerabilities reported before the severity calculator was introduced.
References

Vulnerability

VULNERABILITY_SOURCE: PENTEST, AUTOMATED_SCAN
VULNERABILITY_STATUS: PENDING_FIX, IN_PROGRESS, READY_FOR_RETEST, SOLVED, ACCEPTED_RISK, FALSE_POSITIVE
VULNERABILITY_SEVERITY: INFORMATION, LOW, MEDIUM, HIGH, CRITICAL

CVSS Calculator

ATTACK_VECTOR: NETWORK, ADJACENT, LOCAL, PHYSICAL
ATTACK_COMPLEXITY: LOW, HIGH
PRIVILAGES_REQUIRED: NONE, LOW, HIGH
USER_INTERACTION: NONE, REQUIRED
SCOPE: UNCHANGED, CHANGED
CONFIDENTIALITY: NONE, LOW, HIGH
INTEGRITY: NONE, LOW, HIGH
AVAILABILITY: NONE, LOW, HIGH
Considerations

- Some vulnerability attributes can be null: strikerUsername (when the source is AUTOMATED_SCAN), httpRequest and httpResponse. Furthermore, null attributes aren't included in the response, so consumers must treat these keys as optional.
- The attributes description, criticalityDescription, proofOfConcept, suggestedFix, httpRequest, and httpResponse are in HTML format.
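As an added example (not the API vendor's code and not part of this documentation), the following Python consumer recomputes the CVSS v3.1 base score from the cvssCalculator enum fields of a vulnerability object, checks it against the reported score and severity, and accounts for the omitted-null and deprecated attributes described above. The constructed sample record and the mapping of a 0.0 score to INFORMATION are assumptions.

```python
import math

# CVSS v3.1 base-metric weights, keyed by the cvssCalculator enum names used on this page.
AV = {"NETWORK": 0.85, "ADJACENT": 0.62, "LOCAL": 0.55, "PHYSICAL": 0.2}
AC = {"LOW": 0.77, "HIGH": 0.44}
PR = {"UNCHANGED": {"NONE": 0.85, "LOW": 0.62, "HIGH": 0.27},
      "CHANGED": {"NONE": 0.85, "LOW": 0.68, "HIGH": 0.5}}  # PR weight depends on scope
UI = {"NONE": 0.85, "REQUIRED": 0.62}
CIA = {"NONE": 0.0, "LOW": 0.22, "HIGH": 0.56}

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed in integers to avoid float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(c):
    """Recompute the v3.1 base score from a cvssCalculator object's enum fields."""
    changed = c["scope"] == "CHANGED"
    iss = 1 - (1 - CIA[c["confidentiality"]]) * (1 - CIA[c["integrity"]]) * (1 - CIA[c["availability"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[c["attackVector"]] * AC[c["attackComplexity"]] \
        * PR[c["scope"]][c["privilegesRequired"]] * UI[c["userInteraction"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def severity_for(score):
    """Map the v3.1 qualitative scale onto VULNERABILITY_SEVERITY (0.0 -> INFORMATION is an assumption)."""
    bands = [(0, "INFORMATION"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10, "CRITICAL")]
    return next(name for limit, name in bands if score <= limit)

def check_record(vuln):
    """Sanity-check one vulnerability object exactly as the API returns it (null attributes omitted)."""
    c, issues = vuln["cvssCalculator"], []
    score = base_score(c)
    if abs(score - c["score"]) > 1e-9:
        issues.append(f"score {c['score']} != recomputed {score}")
    if severity_for(score) != vuln["severity"]:
        issues.append(f"severity {vuln['severity']} != {severity_for(score)}")
    if vuln.get("source") == "AUTOMATED_SCAN" and "strikerUsername" in vuln:
        issues.append("strikerUsername present on an automated-scan finding")
    # Deprecated detail fields still appear on findings older than the severity calculator.
    deprecated = [k for k in ("impact", "likelyhood") if k in vuln.get("detail", {})]
    return {"score": score, "severity": severity_for(score), "deprecated": deprecated, "issues": issues}

# Constructed sample: a medium-severity automated-scan finding with no striker or HTTP details (nulls omitted).
SAMPLE = {"id": "vuln-001", "source": "AUTOMATED_SCAN", "severity": "MEDIUM", "detail": {"description": "<p>...</p>"},
          "cvssCalculator": {"score": 5.4, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                             "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW",
                             "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentiality": "LOW", "integrity": "LOW", "availability": "NONE"}}
```

Running `check_record(SAMPLE)` returns an empty issues list; a record whose reported score, severity or nullability rules disagree with the recomputation is flagged for review.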