Add vulnerability issues

If you have set up security testing integration with a static code analysis tool, you can inject the security vulnerability issues detected by the tool using the REST API. This helps you track security vulnerabilities.

Flow

You can manually inject vulnerabilities discovered by an application security testing tool.

To manually inject vulnerabilities:

  1. Authenticate and sign in as a user with the necessary permissions. For details, see Authentication.

  2. Create a JSON payload for the vulnerabilities.

  3. Push the vulnerabilities into OpenText Core Software Delivery Platform using the custom resource vulnerabilities (technical preview). For details, see Add vulnerability issues.

  4. Check the status of the push.

Details of the above steps are described in the following sections.

Create the vulnerabilities payload

You can see existing vulnerabilities and their IDs using a GET operation:

GET ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues

Follow the same JSON format to prepare your payload. Use the payload to:

  • Identify the pipeline run entities for which you want to create or update vulnerability issues.

  • Send OpenText Core Software Delivery Platform the vulnerability issues to associate with the pipeline runs.

Check results

If the push succeeds, the request returns status code 200.

Make sure the vulnerability issues have been pushed correctly into OpenText Core Software Delivery Platform.

  1. Check the response for errors that may have occurred.

    Example: To see the status of vulnerability 1206:

    GET ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues/1206

    Response:

    {
      "id": "1206",
      "status": "failed",
      "until": "2016-05-18T05:33:53+0000"
    }

    To see the log of the request, use the ID from the response to the POST of the vulnerabilities (see above).

    POST ../api/shared_spaces/<space_id>/workspaces/<workspace_id>/issues/1206/log

    Sample response:

    status: failed
    until: 2016-05-18T08:33:53+0300
    Build reference {server: uuid; build_type: junit-job; build_sid: 1} not resolved

  2. Check if the vulnerabilities exist in OpenText Core Software Delivery Platform. For details, see View security assessment results.
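As an added example (not the product's own code or documentation), the following Python helper builds a push payload for one pipeline run, sends it through an authenticated opener, and parses the plain-text log response shown above so a failed push such as an unresolved build reference can be reported automatically. The payload field names (build_reference, vulnerabilities, name, severity, category) and the <server> host are assumptions; the build-reference fields and the log format follow the samples on this page.

```python
import json
import urllib.request

# Base path from this page; server host, space and workspace ids are placeholders.
BASE = "https://<server>/api/shared_spaces/<space_id>/workspaces/<workspace_id>"

# Constructed sample mirroring the page's example log response.
SAMPLE_LOG = """status: failed
until: 2016-05-18T08:33:53+0300
Build reference {server: uuid; build_type: junit-job; build_sid: 1} not resolved
"""

def build_payload(server_uuid, build_type, build_sid, findings):
    """Wrap scanner findings in one body tied to a pipeline run. Field names are
    an assumption: the page says to mirror what GET .../issues returns, so copy
    the keys from a real GET response before relying on these."""
    return {
        "build_reference": {"server": server_uuid, "build_type": build_type,
                            "build_sid": build_sid},
        "vulnerabilities": [
            {"name": f["name"], "severity": f["severity"],
             "category": f.get("category", "uncategorized")}
            for f in findings
        ],
    }

def post_issues(opener, payload):
    """POST the payload through an authenticated opener; returns (status, body)."""
    req = urllib.request.Request(
        BASE + "/issues", data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with opener.open(req) as resp:
        return resp.status, json.load(resp)

def parse_log(text):
    """Parse the plain-text log shown on this page: 'key: value' header lines
    followed by free-form diagnostics such as an unresolved build reference."""
    result = {"messages": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if sep and " " not in key:
            result[key] = value
        else:
            result["messages"].append(line)
    return result
```

When parse_log reports status "failed", the messages list carries the reason (here the pipeline run the findings were tied to could not be resolved), which is the condition to surface in your CI job rather than treating a 200 on the POST as success.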
