Skip to main content

Sending a POST Request for Supply Chain Threats

Method

POST

URL

https://api.dusti.co/v1/packages

Network Requirements

Make sure that your firewall allows access to the following URL and port for making REST API calls over HTTPS.

  • Host: https://api.dusti.co/v1/packages

  • Port: 443

Authentication

Authentication is done using an access token. You can obtain the required token from your support agent.

Rate Limit

  • Maximum 1000 items in a single request

  • Maximum 100 concurrent requests in a window of one minute

Request Parameters

The POST method must be submitted with an authentication header and with the following body parameters.

Parameter

Mandatory

Type

Enum

Description

name

yes

string

N/A

The name of the package.

Tip

For Java packages, the package name is formed by combining the "group Id" and the "artifact Id", see example below.

type

yes

string

  • rubygems

  • mvn

  • npm

  • pypi

  • pub

  • go

  • packagist

  • nuget

  • swift

The type of package, see enum.

version

yes

string

N/A

The version of the package.

Tip

You can submit "latest" for the most recent version.

Body Parameters Sample

[
  {
    "name": "package-name-1",
    "type": "npm",
    "version": "1.0.0"
  }
]

cURL Sample

curl --location 'https://api.dusti.co/v1/packages' \--header 'Authorization: token <Your_Token> \--header 'Content-Type: text/plain' \--data '[{"name": "ambar","type": "npm","version": "11.1.0"}]'TBD

Success Response

The success response returns an array with the following info for each package that you submitted. For packages with no know issues, the Risks section is empty. For packages for which risks were identified, info about the risk is given.

Parameter

Type

Description

name

string

The name of the package.

type

string

The type of package. See enum in request parameters table.

version

string

The version of the package.

risks[]

array

For packages with an identified SCS risk, this field contains details about the risk, as described below. For packages for which no risks have been identified this field is empty.

risks/id

string

A unique identifier assigned by Checkmarx to this risk.

risks/title

string

The title of the risk.

risks/description

string

A detailed description of the risk.

risks/score

integer

A score indicating the severity of the risk, from 0 (low) to 10 (high).

Response Example

[
    {
        "type": "npm",
        "name": "zvkenxparfbmksjo",
        "version": "0.0.69",
        "risks": [
            {
                "id": "bac4345352aea105a28a87400382a935a4cb8cb1",
                "description": "This package executes a crypto mining software\n### About\n\nUsing a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.\n\nOnce new files are created, our technology analyzes network and filesystem activity. In case a crypto mining behavior is detected, this risk is shown. \n\n![infographic](https://checkmarx-scs-cdn.s3.amazonaws.com/sca/infographics/crypto-miner.png)",
                "title": "Crypto Miner",
                "score": 9
            },
            {
                "id": "ceb79020b4d5f8cfd11bf2f8de9972d867a02127",
                "description": "This package was manually inspected by a security researcher and flagged as malicious\n### About\n\nClassifying malicious packages is an internal process, analysis is done at scale automatically via multiple engines. Once there's a risk suspicion, this is forwarded to a security researcher for a manual evaluation.\n\nAttackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.   \n\nThe risk of having a package with a malicious payload is high. It's a common behavior for most of the malicious payloads to execute itself automatically upon installing or using the package. \n\n![infographic](https://checkmarx-scs-cdn.s3.amazonaws.com/sca/infographics/malicious-package.png)\n\nWhile some dependency vulnerabilities have the privilege to be kept as known issue due to risk-management, same does not apply in the case of a malicious package, and it should be removed with the highest priority.",
                "title": "Malicious Package",
                "score": 10
            }
        ]
    }
]