
XML API tutorial: How to use the Mitigation API

This tutorial steps you through using the Mitigation and Comments API. This guide uses standalone HTTP request calls, but you can combine them in an API wrapper to process multiple API calls.

Before you begin:

Before you can access and use the APIs, your Veracode user account must have the required permissions.

To complete this task:

  1. To mark a flaw in scan results as a false positive, send the following request:

    http --auth-type=veracode_hmac "" "build_id==<your build ID>" "action==fp" "comment==<your comment text>" "flaw_id_list==<your flaw IDs>"

    Where required, enter the build ID, which you can get from the buildlist.xml returned by the call. Also enter a comma-separated list of flaw IDs, which you can find on the Triage Flaws page for that application in the Veracode Platform. You can also find the flaw IDs in the file detailedreport.xml.

  2. To retrieve a list of builds for your selected application, send the following request:

    http --auth-type=veracode_hmac "" "app_id==<your application ID>"

    Replace <your application ID> with the ID returned from applist.xml in the previous step. The buildlist.xml returned from this step contains the IDs of the builds for the application, such as:

    <build build_id="49894" version="5.0"/>

  3. To accept a flaw in scan results, send the following request:

    http --auth-type=veracode_hmac "" "build_id==<your build id>" "action==accepted" "comment==<your comment text>" "flaw_id_list==<your flaw IDs>"

    Where required, enter the build ID and a comma-separated list of flaw IDs.
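The steps above can be scripted. The following is an added example, not Veracode's code: it reads build IDs out of a buildlist.xml response and assembles the mitigation request as an argument list, rejecting non-numeric IDs and unknown actions before anything is sent. The function names, the sample XML and the `endpoint` parameter are assumptions; the request URL is not shown on this page, so the caller supplies it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the <build .../> element shape comes from the
# tutorial; the root element, namespace and first build are assumptions.
SAMPLE_BUILDLIST = """<buildlist xmlns="urn:example:buildlist">
  <build build_id="49001" version="4.0"/>
  <build build_id="49894" version="5.0"/>
</buildlist>"""

ALLOWED_ACTIONS = {"fp", "accepted"}  # the two actions used in this tutorial
NUMERIC_ID = re.compile(r"[0-9]+")


def build_ids(buildlist_xml):
    """Map version -> build_id for every <build> element, ignoring namespaces."""
    found = {}
    for el in ET.fromstring(buildlist_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "build":
            continue
        build_id = el.get("build_id", "")
        if not NUMERIC_ID.fullmatch(build_id):
            raise ValueError(f"unexpected build_id {build_id!r}")
        found[el.get("version")] = build_id
    return found


def mitigation_argv(endpoint, build_id, action, comment, flaw_ids):
    """Return the httpie argument vector for one mitigation request.

    endpoint is a caller-supplied placeholder: the page does not show the URL.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    ids = [str(f).strip() for f in flaw_ids]
    if not ids or not all(NUMERIC_ID.fullmatch(i) for i in ids + [str(build_id)]):
        raise ValueError("build_id and flaw IDs must be non-empty and numeric")
    # One list element per argument: no shell quoting is involved, so a
    # comment containing quotes or spaces cannot split or truncate the call.
    return [
        "http", "--auth-type=veracode_hmac", endpoint,
        f"build_id=={build_id}", f"action=={action}",
        f"comment=={comment}", f"flaw_id_list=={','.join(ids)}",
    ]
```

Pass the returned list to `subprocess.run()` without `shell=True` so the arguments reach httpie exactly as built.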