Query Editor API Compatibility

Overview

This page details the APIs and their changes in the new QueryEditor version.

In this version of QueryEditor, most of the APIs were improved to work with the new UI. Due to this update, Checkmarx cannot ensure their backward compatibility. Ensure your environment is updated before using a changed API.

Details:

SAST: APIs related explicitly to the QueryEditor SAST engine. These APIs will be gradually supported on other engines (like KICS)
NEWUI: APIs related to the UI and templates; these APIs are relevant to the QueryEditor UI/UX.
ASYNC: APIs are asynchronous and will return the request UUID. The process will run in the background, and to check the progress/final result, please use the get request API:

Flow Mechanism

The API flow mechanism to create/run a query and obtain the results has changed:

Old version:

Create Session
Detect Languages
ASYNC Scan Project
1. Return the Scan Project request number (1)
⏳Check if the SAST Engine is ready to use
1. Wait for Scan to finish (get sast-status API)
ASYNC Compile Query
1. Return the Run Query request number (2)
⏳Check if the query compilation has finished
1. Wait for query compilation to finish (get request-status API)
Create Query
ASYNC Run Query
1. Return the Run Query request number (3)
⏳Check if the run request status has finished
1. Wait for the run query to finish (get request-status API)
2. Get all the results/debug message structure.

New Version:

ASYNC Create Session
1. Starts the Detect Languages process.
2. Return the Detect Languages request identifier (UUID)
⏳Check the Detect Languages request
1. Wait for Detect Languages to finish (get request-status API)
ASYNC Scan Project
1. Return the Scan Project request identifier (UUID)
⏳Check if the SAST Engine is ready to use
1. Wait for Scan to finish (get request-status API)
ASYNC Create Query
1. Compiles the query
  1. The Validate Queries API could also be triggered to validate/compile queries.
2. Return the Create Query request identifier.
⏳Check if the query was created
1. Wait for the create query to finish (get request-status API)
ASYNC Run Query
1. Return the Run Query request identifier.
⏳Check if the run request status has finished
1. Wait for the run query to finish (get request-status API)
Get Results
1. Get Vulnerabilities
  1. Get Vulnerability Data (attack vector)
2. Get Debug Messages

APIs version comparison

A lot of changes were made to improve the QueryEditor experience. One of the primary changes is that almost all the APIs have the sessionId as a required parameter. This will allow it to match all of its operations to a unique session and apply filter permissions to that operation.

Sessions

APIs related to QueryEditor sessions:

Description	Old API	New API	Details
Create Session ASYNC	[POST] `/sessions` Request Body: { "projectId": "58d5807b-bd11-4ec3-93ef-e3ca36c40b0f", "scanId": "737c64f3-0c86-4cae-9e27-e2ef0b221a90", "timeout": 30, #seconds "fromZip": true } Response: { "id": "a888aa5a-d207-4ad0-8bfa-0743d6ca0e0d", "status": "ALLOCATED", "scanId": "737c64f3-0c86-4cae-9e27-e2ef0b221a90" }	[POST] `/sessions` Request Body: { "projectId": "58d5807b-bd11-4ec3-93ef-e3ca36c40b0f", "scanId": "737c64f3-0c86-4cae-9e27-e2ef0b221a90", "scanner": "sast", "timeout": 30, #seconds "uploadUrl": "https://cx.one.com/storage/uploads/75d4fe35-965a-4506-b226-e0155ec84c34/231d5d89-4cf2-45e5-8cb0-6be6b072548b" } Notice The `uploadUrl` & `scanner` are new fields. `scanner`: it will depend on the engine (ex, `sast` or `iacs`) `uploadUrl` is the URL that comes from [POST] `/sources` API Response: { "id": "a888aa5a-d207-4ad0-8bfa-0743d6ca0e0d", "data": { "requestId": "a888aa5a-d207-4ad0-8bfa-0743d6ca0e0d", "status": "Status_ALLOCATED", "queryFilters": [ "Java", "Javascript", "Common" ], "queryBuilder": true, "applicationAssociation": false, "permissions": { "tenant": { "view": true, "update": true, "create": true, "delete": true }, "application": { "view": false, "update": false, "create": false, "delete": false }, "project": { "view": true, "update": true, "create": true, "delete": true } } } }	It's the same API but with a different mechanism. Previously, only the session was created, and other APIs would detect languages. Now, the same API does both (create session and detect languages). The new version will also return information relevant to the UI, like `permissions`, the detect languages `requestId`… Note The Detect Languages process is an asynchronous operation. Please wait and check for the response status using the request status API.
Get Active Sessions	[GET] `/sessions` Parameters: `projectId`: project identifier `scanId`: scan identifier (not used) Response: { "available": true, "metadata": [ { "session_id": "a888aa5a-d207-4ad0-8bfa-0743d6ca0e0d", "tenant_id": "5d4fe35-965a-4506-b226-e0155ec84c34", "project_id": "58d5807b-bd11-4ec3-93ef-e3ca36c40b0f", "source_id": "8d684c60-3d39-47c9-822f-0de5d1983edb", "worker_info": { "worker_id": "sast-engine-session-dynamic-a888aa5a", "worker_address": "10.42.0.241" }, "status": 1 } ] }	NOT IMPLEMENTED	This API was not necessary on the new QueryEditor version.
Get Session Details	[GET] `/sessions/{id}` Parameters: `id`: The session ID Response: { "session_id": "a888aa5a-d207-4ad0-8bfa-0743d6ca0e0d", "tenant_id": "5d4fe35-965a-4506-b226-e0155ec84c34", "project_id": "58d5807b-bd11-4ec3-93ef-e3ca36c40b0f", "source_id": "8d684c60-3d39-47c9-822f-0de5d1983edb", "worker_info": { "worker_id": "sast-engine-session-dynamic-a888aa5a", "worker_address": "10.42.0.241" }, "status": 1 }	NOT IMPLEMENTED	This API was not necessary on the new QueryEditor version.
Health Check Session	[POST] `/sessions/{id}` Parameters: `id`: The session ID Response: `204`: The resource was checked successfully. `404`: Not Found	[PATCH] `/sessions/{sessionId}` Parameters: `sessionId`: The session ID Response: `204`: The resource was checked successfully. `404`: Not Found	It's the same API, but the REST type was improved. Now, in the new version, it is a PATCH instead of a POST. Notice Please note that the parameter names have changed from `id` to `sessionId` .
Delete Session	[DELETE] `/sessions/{id}` Parameters: `id`: The session ID Response: `204`: The resource was deleted successfully. `404`: Not Found	[DELETE] `/sessions/{sessionId}` Parameters: `sessionId`: The session ID Response: `204`: The resource was deleted successfully. `404`: Not Found	It's the same API with the same behavior. Notice Please note that the parameter names have changed from `id` to `sessionId` .
Get Logs SAST	[GET] `/sessions/{id}/logs` Parameters: `id`: The session ID Response: `200`: The ZIP file with the SAST scan log.	[GET] `/sessions/{sessionId}/logs` Parameters: `sessionId`: The session ID Response: `200`: The ZIP file with the SAST scan log.	It's the same API with the same behavior. Notice The parameter names have changed from `id` to `sessionId`.
Get Layout Type NEWUI	N/A	[POST] `/sessions/{sessionId}/layout/{layoutType}`	Get the layout for a specific use case. The UI uses this API to support multiple engines (e.g., KICS and SAST) and, in this way, knows how to create and edit queries from fields. It is only used by the new version.

Sources

APIs related to QueryEditor scan sources (get sources tree, get source content, and scan source files with SAST engine):

Description	Old API	New API	Details
Get Sources Tree NEWUI	N/A	[GET] `/sessions/{sessionId}/sources` Parameters: `sessionId`: The session ID Response: [ { "isLeaf": false, "title": "AllScanTypes", "key": "/AllScanTypes", "children": [ { "isLeaf": false, "title": "src", "key": "/AllScanTypes/src", "children": [ { "isLeaf": true, "title": "Dockerfile", "key": "/AllScanTypes/src/Dockerfile", "children": [] }, { "isLeaf": true, "title": "pom.xml", "key": "/AllScanTypes/src/pom.xml", "children": [] } ] }, { "isLeaf": true, "title": "README.md", "key": "/AllScanTypes/README.md", "children": [] } ] } ]	API is only relevant for the new Query Editor UI to get the sources tree structure.
Get Source File Content NEWUI	N/A	[GET] `/sessions/{sessionId}/sources/{sourceId}` Parameters: `sessionId`: The session ID `sourceId`: The full path of the source code file Response: "package main\n\nimport \"fmt\"\n\nfunc main() {\n fmt.Println(\"hello world\")\n}"	API is relevant for the UI to show the source file content.
Scan Project Sources (SAST engine) ASYNC	[GET] `/sessions/{id}/project/scan` Parameters: `id`: The session ID Response: 1	[POST] `/sessions/{sessionId}/sources/scan` Parameters: `sessionId`: The session ID Response: { "id": "ddba1a3d-79b3-4663-a265-4b278a5d7b14" }	This API will perform the same operation. It’s an asynchronous operation that scans the sources. The main difference is that the new version will return a request UUID. Notice The REST URL, operation type (`POST` instead of `GET`), and parameter names have changed from `id` to `sessionId`. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.

Description

Old API

New API

Details

Get Sources Tree NEWUI

N/A

[GET] /sessions/{sessionId}/sources

Parameters:
- sessionId: The session ID

Response:

[
  {
    "isLeaf": false,
    "title": "AllScanTypes",
    "key": "/AllScanTypes",
    "children": [
      {
        "isLeaf": false,
        "title": "src",
        "key": "/AllScanTypes/src",
        "children": [
          {
            "isLeaf": true,
            "title": "Dockerfile",
            "key": "/AllScanTypes/src/Dockerfile",
            "children": []
          },
          {
            "isLeaf": true,
            "title": "pom.xml",
            "key": "/AllScanTypes/src/pom.xml",
            "children": []
          }
        ]
      },
      {
        "isLeaf": true,
        "title": "README.md",
        "key": "/AllScanTypes/README.md",
        "children": []
      }
    ]
  }
]

API is only relevant for the new Query Editor UI to get the sources tree structure.

Get Source File Content NEWUI

N/A

[GET] /sessions/{sessionId}/sources/{sourceId}

Parameters:
- sessionId: The session ID
- sourceId: The full path of the source code file

Response:

"package main\n\nimport \"fmt\"\n\nfunc main() {\n  fmt.Println(\"hello world\")\n}"

API is relevant for the UI to show the source file content.

Scan Project Sources (SAST engine)

ASYNC

[GET] /sessions/{id}/project/scan

Parameters:
- id: The session ID
Response:
```
1
```

[POST] /sessions/{sessionId}/sources/scan

Parameters:
- sessionId: The session ID

Response:

{
  "id": "ddba1a3d-79b3-4663-a265-4b278a5d7b14"
}

This API will perform the same operation. It’s an asynchronous operation that scans the sources.

The main difference is that the new version will return a request UUID.

Notice

The REST URL, operation type (POST instead of GET), and parameter names have changed from id to sessionId.

Note

This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.

Queries

APIs related to QueryEditor SAST queries:

Description	Old API	New API	Details
Get Queries	[GET] `/queries` Parameters: `projectId`: The project ID Response: [ { "id": -7467647684143290000, "name": "SQL_Injection", "group": "Go_High_Risk", "level": "corp", "lang": "Go", "path": "Go/Go_High_Risk/SQL_Injection", "isExecutable": true } ]	[GET] `/sessions/{sessionId}/queries` Parameters: `sessionId`: The session ID `level`: Parameter to filter queries by their level. `ids`: Parameter to filter queries by their IDs. `filters`: Parameter to define the filters of queries. Language on SAST or Technology on IaC. Response: [ { "isLeaf": false, "title": "JavaScript", "key": "javascript", "children": [ { "isLeaf": false, "title": "Tenant", "key": "tenant", "children": [ { "isLeaf": false, "title": "Common_Best_Coding_Practice", "key": "Common_Best_Coding_Practice", "children": [ { "isLeaf": true, "title": "Assigning_instead_of_Comparing", "key": "IFZXG2LHNZUW4Z27NFXHG5DFMFSF633GL5BW63LQMFZGS3TH", "children": [] }, { "isLeaf": true, "title": "Comparing_instead_of_Assigning", "key": "INXW24DBOJUW4Z27NFXHG5DFMFSF633GL5AXG43JM5XGS3TH", "children": [] }, { "isLeaf": true, "title": "Declaration_Of_Catch_For_Generic_Exception", "key": "IRSWG3DBOJQXI2LPNZPU6ZS7INQXIY3IL5DG64S7I5SW4ZLSNFRV6RLYMNSXA5DJN5XA", "children": [] }, { "isLeaf": true, "title": "Detection_Of_Error_Condition_Without_Action", "key": "IRSXIZLDORUW63S7J5TF6RLSOJXXEX2DN5XGI2LUNFXW4X2XNF2GQ33VORPUCY3UNFXW4", "children": [] }, { "isLeaf": true, "title": "Hardcoded_Absolute_Path", "key": "JBQXEZDDN5SGKZC7IFRHG33MOV2GKX2QMF2GQ", "children": [] }, { "isLeaf": true, "title": "Insufficient_Logging_Of_Database_Actions", "key": "JFXHG5LGMZUWG2LFNZ2F6TDPM5TWS3THL5HWMX2EMF2GCYTBONSV6QLDORUW63TT", "children": [] } ] } ] } ] } ]	This API has the same goal but different implementations, parameters, and responses.
Get Queries Metadata	[GET] `/queries/metadata` Response: [ { "lang": "JAVA", "name": "Find_DB_Out", "memberOf": "CxList", "documentation": "", "returnType": "integer", "kind": "method", "parameters": [ { "name": "param", "label": "CxList", "documentation": "" } ] } ]	NOT IMPLEMENTED	This API was not necessary on the new QueryEditor version. We can get the metadata for each query for performance reasons.
Get Query Data (Metadata & Source)	Get Query Source [GET] `/query/{level}/{path}` deprecated [GET] `/queries/{level}/{path}` Parameters: `level`: The query level `path`: The query path Response: { "id": -7467647684143290000, "source": "CxList inputPaths = Find_Inputs();", "level": "proj1", "path": "Go/Go_High_Risk/SQL_Injection/SQL_Injection.cs", "modified": "16/05/2010 UTC", "cwe": 77, "severity": 3, "isExecutable": false, "cxDescriptionID": 1337, "queryDescriptionID": "Command_Injection_Go" }	Get Query Source & Metadata [GET] `/sessions/{sessionId}/queries/{editorQueryId}` Parameters: `sessionId`: The session ID `editorQueryId`: The generated identifier (`key` from the previous API). `includeMetadata`: Parameter to define if the metadata object should be included in the response. `includeSource`: Parameter to define if the source of the query object should be included in the response. Response: { "id": "2syswoof68vqZkernrZQJhjb9QwRZ4VxooQaVsFxbf3q0zQnGvjiVDev200INh08i3SircSio8adEE4G9niVbPZeA", "name": "SQL_Injection", "level": "project", "path": "CSharp/CSharp_High_Risk/SQL_Injection", "source": "result = Find_SQL_Injection();", "metadata": { "group": "CSharp_Low_Visibility", "severity": "high", "language": "CSharp", "cwe": 566, "description": 778, "executable": true } }	The new version allows a unique API to get query metadata and source.
Create/Override Query ASSYNC	[POST] `/queries/` Request Body: { "path": "queries/Java/Java_Low_Visibility/", "name": "Open_Redirect", "source": "CxList redirect = Find_Redirects()", "metadata": { "Cwe": 10, "Severity": 2, "IsExecutable": true, "CxDescriptionID": 1234 } } Response: `204`: The resource was checked successfully. `404`: Not Found `500`: Internal Server Error	[POST] `/queries/{sessionId}/queries` Parameters: `sessionId`: The session ID Request Body: { "name": "MyQuery", "level": "65209b84-2de0-40be-9e5a-e21ac658f977" # it means that it will be an override "language": "Javascript", "group": "group-1", "severity": "critical", "executable": true, "presets": [ "0", "2" ], "cwe": 123, "description": 456 } Response: { "id": "5cc46f82-8f9f-11ee-b9d1-0242ac120002" }	It's the same API with the same goal but a different approach. The API is an asynchronous operation that checks the request status. The request body has not been changed; it does not require the path and `metadata` to change. This API can be overridden per tenant/application in the new version when the `level` is used. Possible values: `Tenant` `Project` `Application` Notice In the new version, this operation requires a session. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.
Delete Query ASSYNC	[DELETE] `/queries/{level}/{path}` Parameters: `level`: The query level `path`: The query path Response: `204`: The resource was deleted successfully. `404`: Not Found	[DELETE] `/session/{sessionId}/queries/{editorQueryId}` Parameters: `sessionId`: The session ID `editorQueryId`: The generated query identifier (`key` from get queries API). Response: { "id": "4233cd92-8fa0-11ee-b9d1-0242ac120002" }	It's the same API but relies on the `sessionId` and the generated `editorQueryId`. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.
Update Query (Source & Metadata) ASSYNC	Update Multiple Query Metadata & Source [PUT] `/queries/{level}/{path}` deprecated [PUT] `/queries/{session-id}/{level}` Parameters: `level`: The query level `path`: The query path Request Body: [ { "path": "queries/Java/Java_Low_Visibility/Open_Redirect/Open_Redirect.cs", "name": "Open_Redirect", "source": "CxList redirect = Find_Redirects()" } ] Response: `200`: Ok `404`: Not Found	Update Query Metadata [PUT] `/sessions/{sessionId}/queries/{editorQueryId}/metadata` Parameters: `sessionId`: The session ID `editorQueryId`: The generated query identifier (`key` from get queries API). Request Body: { "severity": "Critical" } Response: { "id": "4233cd92-8fa0-11ee-b9d1-0242ac120002" }	These APIs were split into two because QueryEditor doesn’t have a way to edit multiple metadata, but updating multiple sources is possible. Currently, only Severity can be updated when it comes to metadata. This API overrode and updated query source/metadata in the previous version. Notice The REST URL and the parameter names have changed to`sessionId` instead of `session-id`. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.
Update Query (Source & Metadata) ASSYNC		Update Multiple Query Sources [PUT] `/sessions/{sessionId}/queries/source` Parameters: `sessionId`: The session ID Request Body: [ { "id": "IN4C2R3PFVDW6X2INFTWQX2SNFZWWLKTKFGF6SLONJSWG5DJN5XA====", "source": "result = Find_Interactive_Inputs()" } ] Response: { "id": "4233cd92-8fa0-11ee-b9d1-0242ac120002" }
Validate Queries ASSYNC	[POST] `/sessions/{id}/queries/compile` Parameters: `id`: The session ID Request Body: [ { "id": 346558629760677700, "source": "result = Find_Interactive_Inputs()" } ] Response: 2	[POST] `/sessions/{sessionId}/queries/validate` Parameters: `id`: The session ID Request Body: [ { "id": "IN4C2R3PFVDW6X2INFTWQX2SNFZWWLKTKFGF6SLONJSWG5DJN5XA====", "source": "result = Find_Interactive_Inputs()" } ] Response: { "id": "a4082a9a-847e-11ee-b962-0242ac120002" }	The same API is also an asynchronous request to return the request identifier. The REST URL has been changed to `validate` because each engine has a meaning for each query. For SAST, validate means compiling the query. Notice The REST URL and the parameter names have been changed from `id` to `sessionId`. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.
Run Queries ASSYNC	[POST] `/sessions/{id}/queries/run` Parameters: `id`: The session ID Request Body: [ { "id": 346558629760677700, "source": "result = Find_Interactive_Inputs()" } ] Response: 3	[POST] `/sessions/{sessionId}/queries/run` Parameters: `sessionID`: The session ID Request Body: [ { "id": "IN4C2R3PFVDW6X2INFTWQX2SNFZWWLKTKFGF6SLONJSWG5DJN5XA====", "source": "result = Find_Interactive_Inputs()" } ] Response: { "id": "9e061db4-847e-11ee-b962-0242ac120002" }	The same API also has an asynchronous request to return the request identifier. The result for the run will be different. Notice Please be aware that the REST URL and the parameter names have changed from `id` to `sessionId`. Note This API is an asynchronous operation, so please wait and check for the status of the result using the request status API.
Cancel Queries Execution	[GET] `/sessions/{id}/queries/cancel` Parameters: `sessionId`: The session ID Response: `200`: OK `404`: Not found `500`: Internal Server Error	NOT IMPLEMENTED	This API is retrieved using the get request status API.

Requests

APIs related to QueryEditor asynchronous requests:

Notice

Please check the ASYNC operations.

Description	Old API	New API	Details
Check SAST Engine Status	[GET] `/sessions/{id}/sast-status` Parameters: `id`: The session ID Response: { "ready": false, "message": "The SAST Engine is not ready yet!" }	[GET] `/sessions/{sessionId}/request/{requestId}` Parameters: `sessionId`: The session ID `requestId`: The request ID, uuid of the specific request: Create Query Delete Query Update Query metadata Update Query source Validate Queries Run Queries Scan Sources Response: Request Status not ready { "completed": false, "value": { "ready": false, "message": "The SAST Engine is not ready yet" } } Create Query Response request status. { "completed": true, "status": "Finished", "value": { "id": "2syswoof68vqZkernrZQJhjb9QwRZ4VxooQaVsFxbf3q0zQnGvjiVDev200INh08i3SircSio8adEE4G9niVbPZeA" } } Delete Query Response request status. { "completed": true, "status": "Finished" }	There is a request UUID for each asynchronous operation and only one API to get the result. Each scan status operation will return the same response fields. This improves the experience and avoids duplicated efforts to check the status. Note The API URL and the parameter names have changed from `id` to `sessionId`.
Check Request Status	[GET] `/sessions/{id}/request-status` Parameters: `id`: The session ID `type`: Type of status to get, possible values: `0`: Check Languages request status `1`: Check Scan request status `2`: Check Compile Query request status `3`: Check Run Query request status Response: { "completed": false, "value": null }
Cancel Request Execution	[GET] `/sessions/{id}/queries/cancel` Parameters: `sessionId`: The session ID Response: `200`: OK `404`: Not found `500`: Internal Server Error	[PUT] `/sessions/{sessionId}/request/{requestId}/cancel` Parameters: `sessionId`: The session ID `requested`: The request ID, UUID of the specific request: Create Query Delete Query Update Query metadata Update Query source Validate Queries Run Queries Scan Sources Response: `200`: OK `404`: Not found `500`: Internal Server Error	Previously, there was an option to cancel the query execution. It was missing other asynchronous requests like scan sources, create/edit/delete query, compile/validate queries… Now, you can reuse the request ID and cancel every asynchronous operation. Note The API URL and the parameter names have changed from `id` to `sessionId`.

Description

Old API

New API

Details

Check SAST Engine Status

[GET] /sessions/{id}/sast-status

Parameters:
- id: The session ID

Response:

{
  "ready": false,
  "message": "The SAST Engine is not ready yet!"
}

[GET] /sessions/{sessionId}/request/{requestId}

Parameters:
- sessionId: The session ID
- requestId: The request ID, uuid of the specific request:
  - Create Query
  - Delete Query
  - Update Query metadata
  - Update Query source
  - Validate Queries
  - Run Queries
  - Scan Sources

Response:

Request Status not ready

{
  "completed": false,
  "value": {
    "ready": false,
    "message": "The SAST Engine is not ready yet"
  }
}

Create Query Response request status.

{
  "completed": true,
  "status": "Finished",
  "value": {
    "id": "2syswoof68vqZkernrZQJhjb9QwRZ4VxooQaVsFxbf3q0zQnGvjiVDev200INh08i3SircSio8adEE4G9niVbPZeA"
  }
}

Delete Query Response request status.

{
  "completed": true,
  "status": "Finished"
}

There is a request UUID for each asynchronous operation and only one API to get the result.

Each scan status operation will return the same response fields.

This improves the experience and avoids duplicated efforts to check the status.

Note

The API URL and the parameter names have changed from id to sessionId.

Check Request Status

[GET] /sessions/{id}/request-status

Parameters:
- id: The session ID
- type: Type of status to get, possible values:
  - 0: Check Languages request status
  - 1: Check Scan request status
  - 2: Check Compile Query request status
  - 3: Check Run Query request status

Response:

{
  "completed": false,
  "value": null
}

Cancel Request Execution

[GET] /sessions/{id}/queries/cancel

Parameters:
- sessionId: The session ID
Response:
- 200: OK
- 404: Not found
- 500: Internal Server Error

[PUT] /sessions/{sessionId}/request/{requestId}/cancel

Parameters:
- sessionId: The session ID
- requested: The request ID, UUID of the specific request:
  - Create Query
  - Delete Query
  - Update Query metadata
  - Update Query source
  - Validate Queries
  - Run Queries
  - Scan Sources
Response:
- 200: OK
- 404: Not found
- 500: Internal Server Error

Previously, there was an option to cancel the query execution.

It was missing other asynchronous requests like scan sources, create/edit/delete query, compile/validate queries…

Now, you can reuse the request ID and cancel every asynchronous operation.

Note

The API URL and the parameter names have changed from id to sessionId.

Results

APIs related to QueryEditor SAST query results (vulnerabilities, debug messages, and attach vector).

These are new APIs that replace the old query mechanism. Previously, Run queries returned all the results and debug messages for each run. Now, Run queries return the run ID, and the results/debug messages are divided into the following 4 different APIs:

Get Results: Get all the results in the data summary tree for all the session runs.
Get Vulnerabilities: get all vulnerabilities related to a given result (result key from previous API)
Get Vulnerability: get specific vulnerability data, such as the attack vector for the given vulnerability (vulnerabilityId from the previous API)
Get Debug Messages: get debug messages for a specific result (result key from get results API)

Description	Old API	New API	Details
Get Results (Tree)	N/A Notice All this information was retrieved in the Run queries operation for the old version.	[GET] `/sessions/{sessionId}/results` Parameters: `sessionId`: The session ID `runId`: Parameter to filter results by the query execution run id. `hideEmpty`: Parameter to hide queries with 0 results (`true` or `false`). Response: [ { "isLeaf": false, "title": "Run 1", "key": "0cbcb480-7411-11ee-b962-0242ac120002", "children": [ { "isLeaf": false, "title": "Javascript", "key": "0cbcb480-7411-11ee-b962-0242ac120002_Javascript", "children": [ { "isLeaf": true, "title": "SQL_Injection (10)", "key": "resultid1", "data": { "severity": "high" }, "children": [] } ] } ] }, { "isLeaf": false, "title": "Run 2", "key": "2cd5f204-7411-11ee-b962-0242ac120002", "children": [ { "isLeaf": false, "title": "Javascript", "key": "2cd5f204-7411-11ee-b962-0242ac120002_Javascript", "children": [ { "isLeaf": true, "title": "SQL_Injection (1)", "key": "resultid2", "data": { "severity": "high" }, "children": [] } ] } ] } ]	This is a new API that returns a summary of the results.
Get Vulnerabilites		[GET] `/sessions/{sessionId}/results/{resultId}/vulnerabilities` Parameters: `sessionId`: The session ID `resultId`: The result ID. `pageSize`: The number of results per page. `currentPage`: The current page. Response: { "data": [ { "vulnerabilityId": "8a290068-4883-4289-a0aa-ef03d7cf4d09", "sourceFile": "LoginPage.cs", "sourceLine": 10, "sourceId": 99, "sourceName": "Login", "sourceType": "MethodInvokeExpr", "destinationFile": "LoginPage.cs", "destinationLine": 10, "destinationId": 99, "destinationName": "Login", "destinationType": "MethodInvokeExpr", "state": "To Verify", "pathSize": 4 }, { "vulnerabilityId": "d9421dc4-1e6d-4e26-b384-1dbc4772f779", "sourceFile": "UserInput.cs", "sourceLine": 24, "sourceId": 100, "sourceName": "GetUserInput", "sourceType": "MethodInvokeExpr", "destinationFile": "Validation.cs", "destinationLine": 78, "destinationId": 101, "destinationName": "ValidateInput", "destinationType": "MethodInvokeExpr", "state": "Confirmed", "pathSize": 3 }, { "vulnerabilityId": "d1adadf7-ecbb-48de-beab-9e360c290fe8", "sourceFile": "Database.cs", "sourceLine": 15, "sourceId": 102, "sourceName": "ConnectDB", "sourceType": "MethodInvokeExpr", "destinationFile": "Database.cs", "destinationLine": 20, "destinationId": 103, "destinationName": "DisconnectDB", "destinationType": "MethodInvokeExpr", "state": "Fixed", "pathSize": 2 }, { "vulnerabilityId": "cbe7af73-4de1-41ee-bfd3-521f45f77266", "sourceFile": "SessionManager.cs", "sourceLine": 30, "sourceId": 104, "sourceName": "CreateSession", "sourceType": "MethodInvokeExpr", "destinationFile": "SessionManager.cs", "destinationLine": 45, "destinationId": 105, "destinationName": "DestroySession", "destinationType": "MethodInvokeExpr", "state": "Won't Fix", "pathSize": 6 }, { "vulnerabilityId": "24a85520-76d8-4b76-9cc9-4561aeb02515", "sourceFile": "Authenticator.cs", "sourceLine": 52, "sourceId": 106, "sourceName": "Authenticate", "sourceType": "MethodInvokeExpr", "destinationFile": "Logger.cs", "destinationLine": 67, "destinationId": 107, "destinationName": "LogEvent", "destinationType": "MethodInvokeExpr", "state": "Reviewed", "pathSize": 5 }, { "vulnerabilityId": "9e6ca0a7-6cb6-4329-bb68-4f6bd342c6c9", "sourceFile": "Permission.cs", "sourceLine": 42, "sourceId": 108, "sourceName": "CheckPermission", "sourceType": "MethodInvokeExpr", "destinationFile": "Permission.cs", "destinationLine": 55, "destinationId": 109, "destinationName": "GrantPermission", "destinationType": "MethodInvokeExpr", "state": "Duplicate", "pathSize": 1 }, { "vulnerabilityId": "e49b59dd-8c4e-4a6d-8aeb-fa4e3038b4e7", "sourceFile": "ErrorHandler.cs", "sourceLine": 60, "sourceId": 110, "sourceName": "HandleError", "sourceType": "MethodInvokeExpr", "destinationFile": "Notification.cs", "destinationLine": 75, "destinationId": 111, "destinationName": "NotifyUser", "destinationType": "MethodInvokeExpr", "state": "New", "pathSize": 7 }, { "vulnerabilityId": "965f690f-87c2-4a7c-b7be-d44c71af4066", "sourceFile": "Encryption.cs", "sourceLine": 33, "sourceId": 112, "sourceName": "EncryptData", "sourceType": "MethodInvokeExpr", "destinationFile": "Decryption.cs", "destinationLine": 48, "destinationId": 113, "destinationName": "DecryptData", "destinationType": "MethodInvokeExpr", "state": "Reopened", "pathSize": 8 }, { "vulnerabilityId": "25dfa98f-2a7b-40cd-be77-5d31addb05fd", "sourceFile": "APIController.cs", "sourceLine": 27, "sourceId": 114, "sourceName": "SendRequest", "sourceType": "MethodInvokeExpr", "destinationFile": "APIController.cs", "destinationLine": 40, "destinationId": 115, "destinationName": "ReceiveResponse", "destinationType": "MethodInvokeExpr", "state": "Closed", "pathSize": 9 }, { "vulnerabilityId": "91b55ec3-9549-48e8-b767-5fa446eda9ea", "sourceFile": "UserManager.cs", "sourceLine": 18, "sourceId": 116, "sourceName": "CreateUser", "sourceType": "MethodInvokeExpr", "destinationFile": "UserManager.cs", "destinationLine": 25, "destinationId": 117, "destinationName": "DeleteUser", "destinationType": "MethodInvokeExpr", "state": "Deferred", "pathSize": 10 } ], "totalCount": 50 }	API to get all the vulnerabilities related to a given result.
Get Vulnerability Data (Attack Vector)		[GET] `/sessions/{sessionId}/results/{resultId}/vulnerabilities/{vulnerabilityId}` Parameters: `sessionId`: The session ID `resultId`: The result ID. `vulnerabilityId`: The vulnerability ID Response: { "sourceFile": "LoginPage.cs", "sourceLine": 10, "sourceId": 99, "sourceName": "Login", "sourceType": "MethodInvokeExpr", "destinationFile": "LoginPage.cs", "destinationLine": 10, "destinationId": 99, "destinationName": "Login", "destinationType": "MethodInvokeExpr", "state": "To Verify", "pathSize": 4, "nodes": [ { "name": "login", "fullName": "LoginPage.Controls.login", "typeName": "string", "line": 40, "column": 72, "length": 5, "domType": "UnknownReference", "nodeId": 680 } ] }	API to get the attack vector information.
Get Debug Messages		[GET] `/sessions/{sessionId}/results/{resultId}/debug-messages` Parameters: `sessionId`: The session ID `resultId`: The result ID. `vulnerabilityId`: The vulnerability ID `pageSize`: The number of results per page. `currentPage`: The current page. Response: { "data": [ { "messageLine": 200, "debugMessage": "var x = 2", "timestamp": "2023-08-24T09:24:18.169Z" }, { "messageLine": 201, "debugMessage": "x += 1", "timestamp": "2023-08-24T09:24:19.169Z" }, { "messageLine": 202, "debugMessage": "console.log(x)", "timestamp": "2023-08-24T09:24:20.169Z" }, { "messageLine": 203, "debugMessage": "if (x > 2) { x = 0; }", "timestamp": "2023-08-24T09:24:21.169Z" }, { "messageLine": 204, "debugMessage": "x *= 3", "timestamp": "2023-08-24T09:24:22.169Z" }, { "messageLine": 205, "debugMessage": "x /= 4", "timestamp": "2023-08-24T09:24:23.169Z" }, { "messageLine": 206, "debugMessage": "x -= 2", "timestamp": "2023-08-24T09:24:24.169Z" }, { "messageLine": 207, "debugMessage": "return x", "timestamp": "2023-08-24T09:24:25.169Z" }, { "messageLine": 208, "debugMessage": "function reset() { x = 0; }", "timestamp": "2023-08-24T09:24:26.169Z" }, { "messageLine": 209, "debugMessage": "x = Math.pow(x, 2)", "timestamp": "2023-08-24T09:24:27.169Z" } ], "totalCount": 50 }	Get the debug messages for a specific result.

Assistant SAST

APIs related to Query Builder Assistant (GPT):

Notice

The SAST QueryEditor uses the following APIs.

Descriprition	Old API	New API	Details
Get Query Builder (GPT) History	[GET] `/gpt/{id}` Parameters: `id`: The session ID Response: [ { "role": "assistant", "content": "gpt response" } ]	[GET] `/sessions/{sessionId}/gpt` Parameters: `sessionId`: The session ID Response: [ { "role": "assistant", "content": "Sure, here's a simple example of a Checkmarx Query Language (CxQL) query that would check for variables with \"creditCard\" in the name being assigned values that match the pattern for a credit card number. This is a rudimentary example, and real-world situations would likely require a more complex query.\n\n```CxQL\nCxList creditCardStrings = All.FindByRegex(@\"\\b(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14}\|6(?:011\|5[0-9][0-9])[0-9]{12}\|3[47][0-9]{13}\|3(?:0[0-5]\|[68][0-9])[0-9]{11}\|(?:2131\|1800\|35\\d{3})\\d{11})\\b\");\n\nCxList creditCardVariables = All.FindByShortName(\"creditCard\");\n\nCxList possibleCreditCardStores = creditCardVariables.FindByAssignmentSide(CxList.AssignmentSide.Left);\nCxList creditCardAssignments = creditCardStrings.GetAssigner();\n\nresult = possibleCreditCardStores * creditCardAssignments;\n```\nThis will look for any assignments where the variable's short name includes \"creditCard\" and the assigned value matches the regex pattern for credit card numbers. Any such assignment is returned as a possible plain text storage of a credit card number.\n\nPlease note that this example produces many false positives as it focuses on the variable name rather than the actual stored value. A practical implementation is a lot more complex as it should consider encrypted card values, values coming from secure tokens, etc." } ]	It has the same API, same parameter, and result. Note Please note that the API URL and the parameter names have changed from `id` to `sessionId`.
Delete Query Builder (GPT) History	[DELETE] `/gpt/{id}` Parameters: `id`: The session ID Response: `204`: No Content `400`: Bad Request `500`: Internal Server Error	[DELETE] `/sessions/{sessionId}/gpt` Parameters: `sessionId`: The session ID Response: `204`: No Content `400`: Bad Request `500`: Internal Server Error	It has the same API, same parameter, and result. Note Please note that the API URL and the parameter names have changed from `id` to `sessionId`.
Process Query Builder (GPT) Request	[POST] `/gpt/{id}` Parameters: `id`: The session ID Request Body: { "prompt": "string" } Response: [ { "role": "assistant", "content": "gpt response" } ]	[POST] `/sessions/{sessionId}/gpt` Parameters: `sessionId`: The session ID Request Body: { "prompt": "Can you generate a Checkmarx query to find if credit card numbers are stored as plain text?" } Response: [ { "role": "assistant", "content": "Sure, here's a simple example of a Checkmarx Query Language (CxQL) query that would check for variables with \"creditCard\" in the name being assigned values that match the pattern for a credit card number. This is a rudimentary example, and real-world situations would likely require a more complex query.\n\n```CxQL\nCxList creditCardStrings = All.FindByRegex(@\"\\b(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14}\|6(?:011\|5[0-9][0-9])[0-9]{12}\|3[47][0-9]{13}\|3(?:0[0-5]\|[68][0-9])[0-9]{11}\|(?:2131\|1800\|35\\d{3})\\d{11})\\b\");\n\nCxList creditCardVariables = All.FindByShortName(\"creditCard\");\n\nCxList possibleCreditCardStores = creditCardVariables.FindByAssignmentSide(CxList.AssignmentSide.Left);\nCxList creditCardAssignments = creditCardStrings.GetAssigner();\n\nresult = possibleCreditCardStores * creditCardAssignments;\n```\nThis will look for any assignments where the variable's short name includes \"creditCard\" and the assigned value matches the regex pattern for credit card numbers. Any such assignment is returned as a possible plain text storage of a credit card number.\n\nPlease note that this example produces many false positives as it focuses on the variable name rather than the actual stored value. A practical implementation is a lot more complex as it should consider encrypted card values, values coming from secure tokens, etc." } ]	It has the same API, same parameter, and result. Note Please note that the API URL and the parameter names have changed from `id` to `sessionId`.

Descriprition

Old API

New API

Details

Get Query Builder (GPT) History

[GET] /gpt/{id}

Parameters:
- id: The session ID

Response:

[
  {
    "role": "assistant",
    "content": "gpt response"
  }
]

[GET] /sessions/{sessionId}/gpt

Parameters:
- sessionId: The session ID

Response:

[
  {
    "role": "assistant",
    "content": "Sure, here's a simple example of a Checkmarx Query Language (CxQL) query that would check for variables with \"creditCard\" in the name being assigned values that match the pattern for a credit card number. This is a rudimentary example, and real-world situations would likely require a more complex query.\n\n```CxQL\nCxList creditCardStrings = All.FindByRegex(@\"\\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})\\b\");\n\nCxList creditCardVariables = All.FindByShortName(\"*creditCard*\");\n\nCxList possibleCreditCardStores = creditCardVariables.FindByAssignmentSide(CxList.AssignmentSide.Left);\nCxList creditCardAssignments = creditCardStrings.GetAssigner();\n\nresult = possibleCreditCardStores * creditCardAssignments;\n```\nThis will look for any assignments where the variable's short name includes \"creditCard\" and the assigned value matches the regex pattern for credit card numbers. Any such assignment is returned as a possible plain text storage of a credit card number.\n\nPlease note that this example produces many false positives as it focuses on the variable name rather than the actual stored value. A practical implementation is a lot more complex as it should consider encrypted card values, values coming from secure tokens, etc."
  }
]

It has the same API, same parameter, and result.

Note

Please note that the API URL and the parameter names have changed from id to sessionId.

Delete Query Builder (GPT) History

[DELETE] /gpt/{id}

Parameters:
- id: The session ID
Response:
- 204: No Content
- 400: Bad Request
- 500: Internal Server Error

[DELETE] /sessions/{sessionId}/gpt

Parameters:
- sessionId: The session ID
Response:
- 204: No Content
- 400: Bad Request
- 500: Internal Server Error

It has the same API, same parameter, and result.

Note

Please note that the API URL and the parameter names have changed from id to sessionId.

Process Query Builder (GPT) Request

[POST] /gpt/{id}

Parameters:
- id: The session ID
Request Body:
```
{
  "prompt": "string"
}
```

Response:

[
  {
    "role": "assistant",
    "content": "gpt response"
  }
]

[POST] /sessions/{sessionId}/gpt

Parameters:
- sessionId: The session ID

Request Body:

{
  "prompt": "Can you generate a Checkmarx query to find if credit card numbers are stored as plain text?"
}

Response:

[
  {
    "role": "assistant",
    "content": "Sure, here's a simple example of a Checkmarx Query Language (CxQL) query that would check for variables with \"creditCard\" in the name being assigned values that match the pattern for a credit card number. This is a rudimentary example, and real-world situations would likely require a more complex query.\n\n```CxQL\nCxList creditCardStrings = All.FindByRegex(@\"\\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})\\b\");\n\nCxList creditCardVariables = All.FindByShortName(\"*creditCard*\");\n\nCxList possibleCreditCardStores = creditCardVariables.FindByAssignmentSide(CxList.AssignmentSide.Left);\nCxList creditCardAssignments = creditCardStrings.GetAssigner();\n\nresult = possibleCreditCardStores * creditCardAssignments;\n```\nThis will look for any assignments where the variable's short name includes \"creditCard\" and the assigned value matches the regex pattern for credit card numbers. Any such assignment is returned as a possible plain text storage of a credit card number.\n\nPlease note that this example produces many false positives as it focuses on the variable name rather than the actual stored value. A practical implementation is a lot more complex as it should consider encrypted card values, values coming from secure tokens, etc."
  }
]

It has the same API, same parameter, and result.

Note

Please note that the API URL and the parameter names have changed from id to sessionId.

In this section:

Query Editor API Compatibility

Overview

Flow Mechanism

APIs version comparison

Sessions

Notice

Note

Notice

Notice

Notice

Sources

Notice

Note

Queries

Notice

Note

Note

Notice

Note

Notice

Note

Notice

Note

Requests

Notice

Note

Note

Results

Notice

Assistant SAST

Notice

Note

Note

Note

Search results