Add vulnerability issues into ALM Octane

If you have set up security testing integration with ALM Octane using a static code analysis tool, use this topic to learn how you can inject the security vulnerability issues detected by the tool into ALM Octane using its REST API. Then you can use ALM Octane to track security vulnerabilities.

Flow

To manually inject vulnerabilities discovered by an application security testing tool into the ALM Octane server:

  1. Authenticate and sign in as a user with the necessary permissions. For details, see Authenticating.

  2. Create a JSON payload for the vulnerabilities.

  3. Push the vulnerabilities into ALM Octane using the custom vulnerabilities resource (technical preview). For details, see Add vulnerability issues to ALM Octane.

  4. Check the status of the push.

Details of the above steps are described in the following sections.


Create the vulnerabilities payload

You can see existing vulnerabilities and their IDs using a GET operation:

GET ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues

Follow the same JSON format to prepare your payload. You will use the payload to:

  • Identify the pipeline run entities for which you want to create or update vulnerability issues.

  • Send ALM Octane the vulnerability issues to associate with the pipeline runs.


Check results

If the push succeeds, the server returns HTTP status code 200.

Make sure the vulnerability issues have been pushed correctly into ALM Octane.

  1. Check the response for errors that may have occurred.

    Example: To see the status of vulnerability 1206:

    GET ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues/1206

    Response:

    {
    "id": "1206",
    "status": "failed",
    "until": "2016-05-18T05:33:53+0000"
    }

    To see the request log, use the ID returned in the response to the POST of the vulnerabilities (see above).

    POST ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues/1206/log

    Sample response:

    status: failed
    until: 2016-05-18T08:33:53+0300
    Build reference {server: uuid; build_type: junit-job; build_sid: 1} not resolved

  2. Check if the vulnerabilities exist in ALM Octane. For details, see View security assessment results in the Issues tab.
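The following Python script is an added example that walks the whole flow described above (build the payload from the "Create the vulnerabilities payload" section, push it, then interpret the status and log responses from "Check results"). It is not ALM Octane's own code. It assumes the session cookie has already been obtained as described under Authenticating, and the per-vulnerability field names (`tool_id`, `severity`, `category`, `location`) are illustrative assumptions; in practice, mirror the JSON returned by `GET .../issues` in your own workspace. The build reference fields (`server`, `build_type`, `build_sid`) are taken from the sample log line on this page.

```python
"""Added example (not ALM Octane's own code): build a vulnerabilities payload,
push it to the custom issues resource and interpret the status/log responses.
Assumptions: the session cookie is obtained separately (see Authenticating), and
the per-vulnerability keys below are illustrative; mirror the JSON returned by
GET .../issues in your own workspace instead.
"""
import json
import urllib.request

# Constructed sample findings, as a static code analysis tool might report them.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "category": "SQL Injection",
     "file": "src/db/query.py", "line": 42},
    {"id": "F-2", "severity": "medium", "category": "Hardcoded Credential",
     "file": "src/config.py", "line": 7},
]


def issues_url(base_url, space_id, workspace_id, issue_id=None, log=False):
    """Build the issues resource URL from the path pattern used on this page."""
    path = f"api/shared_spaces/{space_id}/workspaces/{workspace_id}/issues"
    if issue_id is not None:
        path += f"/{issue_id}"
        if log:
            path += "/log"
    return f"{base_url.rstrip('/')}/{path}"


def build_payload(server_uuid, build_type, build_sid, findings):
    """Assemble the push payload. The build reference mirrors the fields named in
    the sample log line on this page; the per-vulnerability keys are assumed."""
    return {
        "build_reference": {
            "server": server_uuid, "build_type": build_type, "build_sid": build_sid},
        "vulnerabilities": [
            {"tool_id": f["id"], "severity": f["severity"],
             "category": f["category"], "location": f"{f['file']}:{f['line']}"}
            for f in findings
        ],
    }


def push_issues(url, payload, session_cookie):
    """POST the payload. Returns (http_status, parsed JSON body).
    This is a network call and is never invoked at import time."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Cookie": session_cookie})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def interpret_status(http_status, status_body):
    """Return (ok, reason) for a status response like the one shown on this page."""
    if http_status != 200:
        return False, f"HTTP {http_status}"
    status = status_body.get("status")
    if status == "failed":
        return False, f"issue {status_body.get('id')} failed; read its /log resource"
    return True, f"status {status}"


def diagnose_log(log_text):
    """Pick the actionable line out of a failure log. The 'not resolved' wording
    comes from the sample response on this page."""
    for line in log_text.splitlines():
        if "not resolved" in line:
            return ("pipeline run reference not found in ALM Octane; "
                    "check server, build_type and build_sid: " + line.strip())
    return "no known cause in log"


if __name__ == "__main__":
    payload = build_payload("<server-uuid>", "junit-job", 1, SAMPLE_FINDINGS)
    print(json.dumps(payload, indent=2))
    # Constructed status and log responses, mirroring the samples on this page.
    print(interpret_status(200, {"id": "1206", "status": "failed",
                                 "until": "2016-05-18T05:33:53+0000"}))
    print(diagnose_log("status: failed\nuntil: 2016-05-18T08:33:53+0300\n"
                       "Build reference {server: uuid; build_type: junit-job; "
                       "build_sid: 1} not resolved"))
```

The network call is isolated in `push_issues` so the payload construction and the response interpretation can be exercised offline; `diagnose_log` turns the "Build reference ... not resolved" line into a concrete check (the pipeline run you referenced must already exist in ALM Octane).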
