JSON

{
     "id": String, // Identifier
     "source": String, // Source from which the vulnerability was reported (see VULNERABILITY_SOURCE)
     "sourceId": String, // Identifier of the pentest or scan that reported it
     "type": String, // Vulnerability type, e.g. Injection, Broken Access Control
     "status": VULNERABILITY_STATUS, // Current vulnerability status
     "severity": VULNERABILITY_SEVERITY, // Derived from the inputs of the cvss calculator
     "url": String,
     "title": String, // Vulnerability name
     "createdAt": String, // Date the vulnerability was reported
     "detail": {
          "description": String, // Vulnerability explanation
          "impact": Integer, // Deprecated: this information is now captured by the cvss calculator
          "likelyhood": Integer, // Deprecated: this information is now captured by the cvss calculator
          "proofOfConcept": String, // Steps to reproduce the vulnerability
          "criticalityDescription": String, // More information on the reason for severity or criticality
          "suggestedFix": String, // Suggested solution to resolve the vulnerability
          "httpRequest": String, // Request made when vulnerability was found
          "httpResponse": String // Response when a vulnerability was found
      },
     "cvssCalculator": { // Result of the cvss calculator v3.1
          "score": Float,
          "vector": String,
          "attackVector": ATTACK_VECTOR,
          "attackComplexity": ATTACK_COMPLEXITY,
          "privilegesRequired": PRIVILAGES_REQUIRED,
          "userInteraction": USER_INTERACTION,
          "scope": SCOPE,
          "confidentiality": CONFIDENTIALITY,
          "integrity": INTEGRITY,
          "availability": AVAILABILITY
     },
     "cweId": Integer, // CWE global identifier
     "cwe": String, // CWE global name
     "strikerUsername": String // Username of the Striker who reported the vulnerability
 }

Note: impact and likelihood are no longer needed because the severity calculator provides this information. They are still returned for vulnerabilities reported before the severity calculator was introduced.

References

Vulnerability

VULNERABILITY_SOURCE
PENTEST, AUTOMATED_SCAN

VULNERABILITY_STATUS
PENDING_FIX, IN_PROGRESS, READY_FOR_RETEST, SOLVED, ACCEPTED_RISK, FALSE_POSITIVE

VULNERABILITY_SEVERITY
INFORMATION, LOW, MEDIUM, HIGH, CRITICAL

Cvss Calculator

ATTACK_VECTOR
NETWORK, ADJACENT, LOCAL, PHYSICAL

ATTACK_COMPLEXITY
LOW, HIGH

PRIVILAGES_REQUIRED
NONE, LOW, HIGH

USER_INTERACTION
NONE, REQUIRED

SCOPE
UNCHANGED, CHANGED

CONFIDENTIALITY
NONE, LOW, HIGH

INTEGRITY
NONE, LOW, HIGH

AVAILABILITY
NONE, LOW, HIGH

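The schema and enums above are enough to cross-check a returned object before it is trusted downstream: every enum-typed field should hold one of the listed values, the cvssCalculator components should agree with the vector string, and the score and severity should agree with the components. The following is an added example, not the project's own client code. SAMPLE_JSON is a constructed two-finding response; the metric weights and rounding follow the CVSS v3.1 specification, and it is assumed (not stated on this page) that "score" is the base score and "severity" its qualitative rating, with INFORMATION standing in for a score of 0.0. The second constructed finding deliberately carries the 6.1 score of a PR:N reflected XSS while its components say PR:L, a mismatch the check reports.

```python
"""Consistency checks for vulnerability objects returned by the API above (added example)."""
import json
import math

VULNERABILITY_SOURCE = {"PENTEST", "AUTOMATED_SCAN"}
VULNERABILITY_STATUS = {"PENDING_FIX", "IN_PROGRESS", "READY_FOR_RETEST",
                        "SOLVED", "ACCEPTED_RISK", "FALSE_POSITIVE"}
VULNERABILITY_SEVERITY = {"INFORMATION", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

# cvssCalculator field -> (vector abbreviation, {enum value: (vector letter, CVSS v3.1 weight)})
METRICS = {
    "attackVector": ("AV", {"NETWORK": ("N", 0.85), "ADJACENT": ("A", 0.62),
                            "LOCAL": ("L", 0.55), "PHYSICAL": ("P", 0.20)}),
    "attackComplexity": ("AC", {"LOW": ("L", 0.77), "HIGH": ("H", 0.44)}),
    "privilegesRequired": ("PR", {"NONE": ("N", 0.85), "LOW": ("L", 0.62), "HIGH": ("H", 0.27)}),
    "userInteraction": ("UI", {"NONE": ("N", 0.85), "REQUIRED": ("R", 0.62)}),
    "scope": ("S", {"UNCHANGED": ("U", None), "CHANGED": ("C", None)}),
    "confidentiality": ("C", {"NONE": ("N", 0.0), "LOW": ("L", 0.22), "HIGH": ("H", 0.56)}),
    "integrity": ("I", {"NONE": ("N", 0.0), "LOW": ("L", 0.22), "HIGH": ("H", 0.56)}),
    "availability": ("A", {"NONE": ("N", 0.0), "LOW": ("L", 0.22), "HIGH": ("H", 0.56)}),
}
PR_CHANGED = {"NONE": 0.85, "LOW": 0.68, "HIGH": 0.50}  # PR weights when scope is CHANGED


def roundup(x):
    """CVSS v3.1 Roundup: round up to one decimal without floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def base_score(c):
    """Recompute the CVSS v3.1 base score from the cvssCalculator component fields."""
    w = lambda f: METRICS[f][1][c[f]][1]
    changed = c["scope"] == "CHANGED"
    iss = 1 - (1 - w("confidentiality")) * (1 - w("integrity")) * (1 - w("availability"))
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr = PR_CHANGED[c["privilegesRequired"]]
    else:
        impact = 6.42 * iss
        pr = w("privilegesRequired")
    exploitability = 8.22 * w("attackVector") * w("attackComplexity") * pr * w("userInteraction")
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))


def vector_string(c):
    """Build the CVSS v3.1 vector string the components imply."""
    return "/".join(["CVSS:3.1"] + ["%s:%s" % (abbr, table[c[f]][0])
                                    for f, (abbr, table) in METRICS.items()])


def severity_for(score):
    """Qualitative rating, using this API's VULNERABILITY_SEVERITY names (assumed mapping)."""
    if score == 0.0:
        return "INFORMATION"
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH" if score < 9.0 else "CRITICAL"


def validate(vuln):
    """Return the list of consistency problems in one vulnerability object (empty means OK)."""
    problems = []
    for field, allowed in (("source", VULNERABILITY_SOURCE), ("status", VULNERABILITY_STATUS),
                           ("severity", VULNERABILITY_SEVERITY)):
        if vuln.get(field) not in allowed:
            problems.append("%s=%r not in %s" % (field, vuln.get(field), sorted(allowed)))
    c = vuln.get("cvssCalculator")
    if not c:
        return problems + ["cvssCalculator missing"]
    for f, (_, table) in METRICS.items():
        if c.get(f) not in table:
            problems.append("cvssCalculator.%s=%r not in %s" % (f, c.get(f), sorted(table)))
    if problems:
        return problems
    if c.get("vector") != vector_string(c):
        problems.append("vector %r does not match components (%s)" % (c.get("vector"), vector_string(c)))
    expected = base_score(c)
    if abs(float(c.get("score", -1)) - expected) > 1e-9:
        problems.append("score %r does not match recomputed %s" % (c.get("score"), expected))
    if vuln.get("severity") != severity_for(expected):
        problems.append("severity %r does not match score %s" % (vuln.get("severity"), expected))
    if vuln.get("source") == "PENTEST" and "strikerUsername" not in vuln:
        problems.append("PENTEST finding without strikerUsername")  # only absent for AUTOMATED_SCAN
    return problems


# Constructed sample response: two findings, the second with a score copied from the wrong vector.
SAMPLE_JSON = """[
 {"id": "vuln-1", "source": "PENTEST", "sourceId": "pentest-42", "type": "Injection",
  "status": "PENDING_FIX", "severity": "CRITICAL", "url": "https://app.example/login",
  "title": "SQL injection in login form", "createdAt": "2024-03-01T10:00:00Z",
  "detail": {"description": "<p>Unsanitised <code>username</code> reaches the query.</p>"},
  "cvssCalculator": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
   "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE",
   "userInteraction": "NONE", "scope": "UNCHANGED", "confidentiality": "HIGH",
   "integrity": "HIGH", "availability": "HIGH"},
  "cweId": 89, "cwe": "Improper Neutralization of Special Elements used in an SQL Command",
  "strikerUsername": "alice"},
 {"id": "vuln-2", "source": "AUTOMATED_SCAN", "sourceId": "scan-7", "type": "Cross-Site Scripting",
  "status": "IN_PROGRESS", "severity": "MEDIUM", "url": "https://app.example/search",
  "title": "Reflected XSS in search", "createdAt": "2024-03-02T09:30:00Z",
  "detail": {"description": "<p>The <code>q</code> parameter is reflected unescaped.</p>"},
  "cvssCalculator": {"score": 6.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
   "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW",
   "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentiality": "LOW",
   "integrity": "LOW", "availability": "NONE"},
  "cweId": 79, "cwe": "Improper Neutralization of Input During Web Page Generation"}
]"""
SAMPLE_VULNS = json.loads(SAMPLE_JSON)


def check_all(vulns=SAMPLE_VULNS):
    """Map each vulnerability id to its list of problems."""
    return {v["id"]: validate(v) for v in vulns}


if __name__ == "__main__":
    for vid, problems in check_all().items():
        print(vid, "OK" if not problems else problems)
```

The recomputation is deliberately strict (exact equality after CVSS rounding); if the service ever reports an environmental or temporal score in "score", loosen the check to the base score only after confirming that with the provider.
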
Considerations

  • Some vulnerability attributes can be null:

    • strikerUsername (when the source is AUTOMATED_SCAN)
    • httpRequest
    • httpResponse

    Null attributes are omitted from the response rather than returned as null, so clients must treat a missing key as null.

  • The description, criticalityDescription, proofOfConcept, suggestedFix, httpRequest, and httpResponse attributes are HTML-formatted. Treat them as untrusted markup: sanitize or escape them before rendering them inside another web page.
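
Both considerations are easy to get wrong in a client: a KeyError on a scan finding with no strikerUsername, or raw HTML pasted into a ticket or dashboard. The following added example (not the project's own code) normalises one object so that every nullable attribute is present as None when omitted and every HTML field gets a plain-text twin under a hypothetical "<name>Text" key, using only the standard library. The response fragment is constructed: an AUTOMATED_SCAN finding, so strikerUsername, httpRequest and httpResponse are absent, and the description contains an escaped script tag to show that the plain-text form still needs escaping if it is embedded in HTML again.

```python
"""Normalise nullable and HTML-formatted attributes of a vulnerability object (added example)."""
import json
from html.parser import HTMLParser

HTML_FIELDS = ("description", "criticalityDescription", "proofOfConcept",
               "suggestedFix", "httpRequest", "httpResponse")  # HTML-formatted per the Considerations
NULLABLE_DETAIL = ("httpRequest", "httpResponse")              # may be omitted from the response


class _TextExtractor(HTMLParser):
    """Collect text nodes; block-level tags become line breaks, everything else is dropped."""
    BLOCK = {"p", "br", "li", "div", "tr", "pre"}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;script&gt; arrives as the text "<script>"
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(fragment):
    """Strip tags from an HTML fragment, collapsing whitespace and dropping empty lines."""
    p = _TextExtractor()
    p.feed(fragment)
    p.close()
    lines = (" ".join(line.split()) for line in "".join(p.parts).split("\n"))
    return "\n".join(line for line in lines if line)


def normalise(vuln):
    """Return a copy with omitted nullable keys set to None and a '<name>Text' twin per HTML field."""
    out = dict(vuln)
    detail = dict(out.get("detail", {}))
    out["strikerUsername"] = out.get("strikerUsername")      # absent for AUTOMATED_SCAN findings
    for key in NULLABLE_DETAIL:
        detail[key] = detail.get(key)
    for key in HTML_FIELDS:
        if detail.get(key) is not None:
            detail[key + "Text"] = html_to_text(detail[key])  # hypothetical key, for ticket bodies
    out["detail"] = detail
    return out


# Constructed response fragment: scan finding, nullable keys omitted, HTML in the detail fields.
SAMPLE_JSON = """{
 "id": "vuln-9", "source": "AUTOMATED_SCAN", "sourceId": "scan-7", "type": "Injection",
 "status": "PENDING_FIX", "severity": "HIGH", "url": "https://app.example/items",
 "title": "SQL injection in id parameter", "createdAt": "2024-03-03T08:00:00Z",
 "detail": {
  "description": "<p>The <code>id</code> parameter is concatenated into a SQL query.</p><p>See &lt;script&gt; handling.</p>",
  "suggestedFix": "<ul><li>Use parameterised queries.</li><li>Validate <code>id</code> as an integer.</li></ul>"
 }
}"""
SAMPLE_VULN = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    n = normalise(SAMPLE_VULN)
    print("reporter:", n["strikerUsername"])
    print(n["detail"]["descriptionText"])
    print(n["detail"]["suggestedFixText"])
```

The plain-text twin is what belongs in a chat notification or an issue tracker's text field; anything rendered back into a web page should go through a proper HTML sanitiser rather than this tag stripper, which exists only to produce text.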