
Findings REST API examples

These examples demonstrate how to perform several functions with the Findings API.

Each example request requires the GUID of a target Veracode application. You can use the Applications API to get the GUID for an application.

You can combine several query parameters in one request by joining them with &. For example:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?cwe=80&scan_type=STATIC"

Get findings by CWE ID

To identify each finding of a specific CWE in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?cwe=80"

Get findings by scan type

To identify each finding of a specific scan type in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?scan_type=STATIC"

The valid scan_type values are STATIC, DYNAMIC, MANUAL, and SCA. If you do not include SCA, the Findings API excludes Software Composition Analysis findings.

Get findings for a sandbox

To identify each finding for a specific sandbox in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?context={sandbox_guid}"

The {sandbox_guid} parameter refers to non-policy sandboxes only. If you do not pass {sandbox_guid}, the API returns the latest policy scan findings.

Get findings by severity

To identify each finding of a specific severity in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?severity=3"

The valid severity values are the numbers 0 through 5.

Get findings of a specific severity or higher

To identify each finding higher than or equal to a specific severity in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?severity_gte=3"

The valid severity_gte values are the numbers 0 through 5.

Get findings and include annotations

To identify each finding in an application and return the annotations, including mitigation details and comments, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?include_annot=TRUE"

This request adds an annotations node containing the annotation information to the response.

Findings with annotations in TSRV format

For findings with mitigation proposals in TSRV format, the returned output appears as:

\rTechnique : M1 : Establish and maintain control over all of your inputs.\r\nSpecifics : We are using an encoder for our input.\r\nRemaining Risk : None.\r\nVerification : We must decline, for secret reasons.

Each component is separated by a carriage return and line feed (\r\n). Processing the comment and splitting it at each \r\n yields these items:

  • Technique : M1 : Establish and maintain control over all of your inputs
  • Specifics : We are using an encoder for our input.
  • Remaining Risk : None.
  • Verification : We must decline, for secret reasons.
Note: These comments are only examples. Veracode does not recommend offering any of these comments in your mitigations.
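The splitting procedure described above, written out as an added Python example (this is not Veracode's own code). It splits a TSRV comment at each \r\n, then at the first " : " of each component so that the "M1 : ..." inside the Technique value survives intact, and it reports a missing field instead of returning a half-parsed result. The sample comment is constructed from the page's own text; the assumption that each entry in a finding's annotations node carries its text under a "comment" key is not stated on the page.

```python
# Added example (not Veracode's own code): split a TSRV-format mitigation
# comment into its Technique / Specifics / Remaining Risk / Verification parts.
# Assumed (not on the page): each annotation in a finding's "annotations" node
# carries the comment text under a "comment" key.

TSRV_FIELDS = ("Technique", "Specifics", "Remaining Risk", "Verification")

# Constructed from the page's sample; note the stray leading "\r".
SAMPLE_COMMENT = (
    "\rTechnique : M1 : Establish and maintain control over all of your inputs."
    "\r\nSpecifics : We are using an encoder for our input."
    "\r\nRemaining Risk : None."
    "\r\nVerification : We must decline, for secret reasons."
)


def parse_tsrv(comment):
    """Return {label: text} for a TSRV comment; raise ValueError if a field is missing."""
    fields = {}
    for component in comment.split("\r\n"):
        component = component.strip("\r\n ")
        if not component:
            continue
        # Split on the FIRST " : " only: the Technique value itself contains a
        # further "M1 : ..." separator that must stay inside the value.
        label, separator, text = component.partition(" : ")
        if not separator:
            raise ValueError(f"component is not 'Label : text': {component!r}")
        fields[label.strip()] = text.strip()
    missing = [name for name in TSRV_FIELDS if name not in fields]
    if missing:
        raise ValueError(f"TSRV comment is missing {missing}")
    return fields


def mitigation_comments(finding):
    """Parse every annotation comment on a finding that is in TSRV format.

    Free-text comments that are not TSRV are returned unparsed under "raw",
    so a reviewer still sees them instead of having them silently dropped.
    """
    results = []
    for annotation in finding.get("annotations", []):  # assumed key names
        comment = annotation.get("comment", "")
        try:
            results.append(parse_tsrv(comment))
        except ValueError:
            results.append({"raw": comment})
    return results


def demo():
    """Run the parser over a constructed finding with one TSRV and one free-text annotation."""
    constructed_finding = {
        "issue_id": 42,  # constructed value
        "annotations": [
            {"comment": SAMPLE_COMMENT},
            {"comment": "Looks fine to me."},  # free text, not TSRV
        ],
    }
    return mitigation_comments(constructed_finding)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Because `partition` stops at the first " : ", a label that legitimately contains a colon would still parse correctly as long as the label itself is one of the four TSRV names; anything else is surfaced as a raw comment rather than mis-filed.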

Get findings that violate policy

To identify each finding in an application that does not pass policy, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?violates_policy=TRUE"

Get findings by category

To identify each finding of a specific category in an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?finding_category=20"

Use the numeric ID value for finding_category, as shown in the API output results as finding.finding_category.id.

Get new findings from latest scan

To identify each new finding in the most recent scan of an application, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?new=true"

Get SCA findings of a severity higher than the allowed CVSS score

To identify each Software Composition Analysis (SCA) finding in an application with a severity higher than the CVSS score allowed in the policy, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?scan_type=SCA&cvss_gte=6"

Get MPT findings of a severity higher than the allowed CVSS score

To identify each Manual Penetration Testing (MPT) finding in an application with a severity higher than the CVSS score allowed in the policy, send the following request:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?scan_type=MANUAL&cvss_gte=6"
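The filters used in the examples above (cwe, scan_type, context, severity, severity_gte, include_annot, violates_policy, finding_category, new, cvss_gte), combined with & as described at the top of the page, are gathered into one added Python example below. This is not Veracode's own code. It validates each value against the constraints the page states (scan_type limited to STATIC, DYNAMIC, MANUAL and SCA; severity and severity_gte between 0 and 5) before a request is sent, and then pages through the results. The HAL pagination fields _embedded.findings and _links.next.href, the RequestsAuthPluginVeracodeHMAC class from the veracode-api-signing package, and the two-page response used offline are assumptions or constructed, not taken from the page.

```python
# Added example (not Veracode's own code): build validated Findings API queries
# from the filters shown on this page and page through the signed results.
# Stated on the page: the filter names, scan_type in STATIC/DYNAMIC/MANUAL/SCA,
# severity and severity_gte in 0..5, and joining filters with "&".
# Assumed (not on the page): HAL pagination via "_embedded.findings" and
# "_links.next.href", and RequestsAuthPluginVeracodeHMAC from the
# veracode-api-signing package for HMAC request signing.
from types import SimpleNamespace
from urllib.parse import urlencode

BASE_URL = "https://api.veracode.com/appsec/v2"
VALID_SCAN_TYPES = ("STATIC", "DYNAMIC", "MANUAL", "SCA")


def _severity(value):
    level = int(value)
    if not 0 <= level <= 5:
        raise ValueError(f"severity must be between 0 and 5, got {value!r}")
    return str(level)


def _scan_type(value):
    scan_type = str(value).upper()
    if scan_type not in VALID_SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {VALID_SCAN_TYPES}, got {value!r}")
    return scan_type


def _flag(value):
    # The page writes include_annot=TRUE and new=true; uppercase is used for all
    # flags here (assumes the API treats the flag value case-insensitively).
    return "TRUE" if value else "FALSE"


def _cvss(value):
    score = float(value)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"cvss_gte must be a CVSS score between 0 and 10, got {value!r}")
    return f"{score:g}"


# Each supported filter maps to a normaliser that rejects bad values locally.
FILTERS = {
    "cwe": lambda v: str(int(v)),
    "scan_type": _scan_type,
    "context": str,  # sandbox GUID (non-policy sandboxes only)
    "severity": _severity,
    "severity_gte": _severity,
    "include_annot": _flag,
    "violates_policy": _flag,
    "finding_category": lambda v: str(int(v)),
    "new": _flag,
    "cvss_gte": _cvss,
}


def findings_url(application_guid, **filters):
    """Return the findings URL for an application, filters joined with '&'."""
    params = {}
    for name, value in filters.items():
        if name not in FILTERS:
            raise ValueError(f"unsupported Findings API filter: {name!r}")
        params[name] = FILTERS[name](value)
    url = f"{BASE_URL}/applications/{application_guid}/findings"
    return f"{url}?{urlencode(params)}" if params else url


def fetch_all_findings(application_guid, session=None, **filters):
    """Collect every finding across all result pages.

    `session` is any object whose .get(url) returns an object with
    .raise_for_status() and .json(). When omitted, a requests.Session signed by
    the Veracode HMAC plugin is created (the plugin reads API credentials from
    the environment or ~/.veracode/credentials; assumption).
    """
    if session is None:
        import requests  # imported lazily so the URL helpers work offline
        from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
        session = requests.Session()
        session.auth = RequestsAuthPluginVeracodeHMAC()
    findings = []
    url = findings_url(application_guid, **filters)
    while url:
        response = session.get(url)
        response.raise_for_status()
        body = response.json()
        findings.extend(body.get("_embedded", {}).get("findings", []))
        url = body.get("_links", {}).get("next", {}).get("href")  # None on the last page
    return findings


class ConstructedSession:
    """Offline stand-in for a signed session serving two constructed pages."""

    def __init__(self):
        first = findings_url("app-guid", scan_type="STATIC", severity_gte=3)
        self.pages = {
            first: {"_embedded": {"findings": [{"issue_id": 1}, {"issue_id": 2}]},
                    "_links": {"next": {"href": first + "&page=1"}}},
            first + "&page=1": {"_embedded": {"findings": [{"issue_id": 3}]},
                                "_links": {}},
        }

    def get(self, url):
        body = self.pages[url]
        return SimpleNamespace(raise_for_status=lambda: None, json=lambda: body)


def demo():
    """Page through the constructed responses; returns the collected issue IDs."""
    findings = fetch_all_findings("app-guid", session=ConstructedSession(),
                                  scan_type="STATIC", severity_gte=3)
    return [f["issue_id"] for f in findings]


if __name__ == "__main__":
    print(findings_url("app-guid", cwe=80, scan_type="STATIC"))
    print(demo())
```

Validating locally means a mistyped scan type or an out-of-range severity fails fast with a clear message rather than producing an empty or unexpectedly broad result set from the API; dropping the session argument switches the same code to live, HMAC-signed requests.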

You can use the Applications API to get the GUID for an application. You can use the Findings API to get the issue ID for a finding.

Get details about a Dynamic Analysis vulnerability

Send the following request to view details for a specific dynamic finding:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{issue_id}/dynamic_flaw_info"


This endpoint uses the Dynamic Flaw API specification.

Get details about a Static Analysis flaw

This endpoint uses the Static Finding Data Path API specification.

Send the following request to view the data paths for a static finding:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{finding_id}/static_flaw_info"

Send the following request to view the data paths for a static finding from a sandbox scan:

http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{issue_id}/static_flaw_info?context={sandbox_guid}"

You can use the Applications API to get the GUID for an application or development sandbox. You can use the Findings API to get the issue ID for a finding.