Sending a POST Request for Supply Chain Threats
Method
POST
URL
Network Requirements
Make sure that your firewall allows access to the following URL and port for making REST API calls over HTTPS.
Host: https://api.dusti.co/v1/packages
Port: 443
Authentication
Authentication is done using a JWT bearer token. You can obtain the required token from your support agent.
Rate Limit
Maximum 1000 items in a single request
Maximum 100 concurrent requests in a window of one minute
Request Parameters
The POST method must be submitted with an authentication header and with the following body parameters.
Parameter | Mandatory | Type | Enum | Description |
|---|---|---|---|---|
name | yes | string | N/A | The name of the package. TipFor Java packages, the package name is formed by combining the "group Id" and the "artifact Id", see example below. |
type | yes | string |
| The type of package, see enum. |
version | yes | string | N/A | The version of the package. TipYou can submit "latest" for the most recent version. |
Body Parameters Sample
[
{
"name": "package-name-1",
"type": "npm",
"version": "1.0.0"
}
]cURL Sample
TBD
Success Response
The success response returns an array with the following info for each package that you submitted. For packages with no know issues, the Risks section is empty. For packages for which risks were identified, info about the risk is given.
Parameter | Type | Description |
|---|---|---|
name | string | The name of the package. |
type | string | The type of package. See enum in request parameters table. |
version | string | The version of the package. |
risks[] | array | For packages with an identified SCS risk, this field contains details about the risk, as described below. For packages for which no risks have been identified this field is empty. |
risks/id | string | A unique identifier assigned by Checkmarx to this risk. |
risks/title | string | The title of the risk. |
risks/description | string | A detailed description of the risk. |
risks/score | integer | A score indicating the severity of the risk, from 0 (low) to 10 (high). |
Response Example
[
{
"type": "npm",
"name": "zvkenxparfbmksjo",
"version": "0.0.69",
"risks": [
{
"id": "bac4345352aea105a28a87400382a935a4cb8cb1",
"description": "This package executes a crypto mining software\n### About\n\nUsing a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.\n\nOnce new files are created, our technology analyzes network and filesystem activity. In case a crypto mining behavior is detected, this risk is shown. \n\n",
"title": "Crypto Miner",
"score": 9
},
{
"id": "ceb79020b4d5f8cfd11bf2f8de9972d867a02127",
"description": "This package was manually inspected by a security researcher and flagged as malicious\n### About\n\nClassifying malicious packages is an internal process, analysis is done at scale automatically via multiple engines. Once there's a risk suspicion, this is forwarded to a security researcher for a manual evaluation.\n\nAttackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages. \n\nThe risk of having a package with a malicious payload is high. It's a common behavior for most of the malicious payloads to execute itself automatically upon installing or using the package. \n\n\n\nWhile some dependency vulnerabilities have the privilege to be kept as known issue due to risk-management, same does not apply in the case of a malicious package, and it should be removed with the highest priority.",
"title": "Malicious Package",
"score": 10
}
]
}
]