SAST Results Predicates API

Notice

A comprehensive Checkmarx One API Reference Guide is now available here.

Recurrent Vulnerabilities

Checkmarx One tracks vulnerabilities throughout your SDLC by assigning a similarity_id to each vulnerability instance in your scan. This enables Checkmarx One to track that particular instance in future scans. This means that after the initial scan of a Project, if the identical vulnerability is detected in subsequent scans it is automatically marked as a Recurrent vulnerability.

Notice

A Recurrent vulnerability is defined as a vulnerability with the identical Source Node and Sink Node as well as the identical Attack Vector elements. If even minor changes were introduced to any of these elements (even though the nature of the threat is the same), the similarity_id will be different, causing the vulnerability to be identified as a New vulnerability.

Each vulnerability has a “Predicate” associated with it, which consists of the following attributes: state, severity and comments. After reviewing the results of a scan, you can triage the results by changing these predicates. If a subsequent scan discovers a vulnerability with the identical similarity_id, its status is marked as a “recurrent” vulnerability, and the state, severity and comments from the previous scan are applied to the new scan. Each time you modify the state, severity or comments associated with a vulnerability’s similarity_id, a new predicate is created with its own unique predicate id. For more information about triaging results, see Managing (Triaging) Vulnerabilities.

Results Predicates Endpoints

The URL for Results Predicates endpoints is <base_url>/api/sast-results-predicates

Swagger

To view these APIs in the Swagger UI and run sample API calls, go to <base_url>/spec/v1/ and select Sast Results Predicates in the definition field.

Endpoint Summary

The following is a list of Checkmarx One APIs that relate to Results Predicates:

API            | Method | Endpoint                                      | Description
-------------- | ------ | --------------------------------------------- | -----------
GET Predicates | GET    | /api/sast-results-predicates/{similarityID}   | Gets the predicates (severity, state etc.) associated with the specified similarityID. A separate predicate is returned for each project in which that vulnerability (represented by similarityID) was identified.
POST Predicate | POST   | /api/sast-results-predicates                  | Edit the predicate for a vulnerability based on its similarity ID and Project ID. You can adjust the State and Severity, and add a Comment.

Workflow

  1. Use GET /api/results, specifying a scan ID to get results of that scan, including the similarity IDs of the vulnerabilities.

  2. Use GET /api/sast-results-predicates/{similarityID} to get the current predicates (severity, state, and comments) of the vulnerability.

  3. Use POST /api/sast-results-predicates to update the predicates (severity, state, and comments) of the vulnerability.
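The three-step workflow above, as an added example in Python (not Checkmarx code). It assumes the results endpoint takes the scan ID as a scan-id query parameter and returns a results array whose items carry similarityId; the predicate payload is validated against the enums and comment limit documented on this page before it is sent, and the HTTP transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.request

# Enums and limits documented for POST /api/sast-results-predicates
SEVERITIES = {"HIGH", "MEDIUM", "LOW", "INFO"}
STATES = {"TO_VERIFY", "NOT_EXPLOITABLE", "PROPOSED_NOT_EXPLOITABLE", "CONFIRMED", "URGENT"}
MAX_COMMENT = 1024

def build_predicate(similarity_id, project_id, severity=None, state=None, comment=None):
    """Build one predicate object, rejecting values the API would not accept."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"invalid severity {severity!r}")
    if state is not None and state not in STATES:
        raise ValueError(f"invalid state {state!r}")
    if comment is not None and len(comment) > MAX_COMMENT:
        raise ValueError(f"comment exceeds {MAX_COMMENT} characters")
    body = {"similarityId": str(similarity_id), "projectId": project_id}
    for key, val in (("severity", severity), ("state", state), ("comment", comment)):
        if val is not None:
            body[key] = val
    return body

def http_json(base_url, token, method, path, body=None):
    """Minimal bearer-token JSON client; a fake with the same signature is used offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def triage_scan(base_url, token, scan_id, project_id, decide, transport=http_json):
    """Step 1: results of the scan; step 2: current predicates per similarity ID;
    step 3: one POST with every predicate that `decide` chose to change.
    `decide(result, current_predicates)` returns (severity, state, comment) or None.
    Assumed query parameter name: scan-id (not stated on this page)."""
    results = transport(base_url, token, "GET", f"/api/results?scan-id={scan_id}")
    updates = []
    for result in results.get("results", []):
        sim_id = result["similarityId"]
        current = transport(base_url, token, "GET", f"/api/sast-results-predicates/{sim_id}")
        change = decide(result, current)
        if change:
            updates.append(build_predicate(sim_id, project_id, *change))
    if updates:
        transport(base_url, token, "POST", "/api/sast-results-predicates", updates)
    return updates
```

Because every update passes through build_predicate, a typo in a state name fails locally instead of producing an opaque 4xx from the server.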

POST Predicates

Update the predicate info (severity, state, and comments) of a vulnerability, as specified by the Project ID and similarity ID.

Curl Sample

curl -X POST "https://ast.checkmarx.net/api/sast-results-predicates" -H "accept: */*" -H "Content-Type: application/json" -H "Authorization: Bearer <access_token>" -d '[{"similarityId":"-1094519905","projectId":"dad0591e-c35d-44a9-8648-198158ec6f29","severity":"HIGH","state":"TO_VERIFY","comment":"My new comment."}]'

Media Type (header)

Authorization: Bearer <access_token>

Accept: application/json

Parameters

Body Parameters

Parameter    | Mandatory | Type   | Enums                                                                   | Description
------------ | --------- | ------ | ----------------------------------------------------------------------- | -----------
similarityId | yes       | string | -                                                                       | The unique identifier of a specific instance of a vulnerability.
projectId    | yes       | string | -                                                                       | The unique identifier of the Project for which the predicate of this vulnerability will be changed.
severity     | no        | string | HIGH, MEDIUM, LOW, INFO                                                 | Specify the severity of the vulnerability. A severity level is automatically associated with each result based on the vulnerability that was discovered. You can specify a new severity level for this vulnerability instance.
state        | no        | string | TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT | Specify the current state of this vulnerability. The initial state of all new vulnerabilities is automatically set as TO_VERIFY. You can specify a new State based on your assessment of this vulnerability instance.
comment      | no        | string | -                                                                       | You can add a comment describing why the state or severity was changed. Max length: 1024.

Success Response

Code: 200 successful operation

There is no body for the success response.

Error Responses