CxOSA (REST) API - Open Source Analysis
This section includes CxREST APIs for working with open source analysis (CxOSA) tasks.
Get All OSA Scan Details for Project - GET /osa/scans
Get basic scan details for all CxOSA scans associated with a specified project Id. The retrieval of CxOSA scan results is performed after creating a project and performing a CxOSA scan. To create a project use POST /projects and then create a CxOSA scan by using POST /osa/scans.
Usage:
POST /projects and create a new project with default configuration settings
POST /osa/scans and create a new scan request
GET /osa/scans and get basic scan details for all scans associated with a project Id
URL
http://localhost/cxrestapi/osa/scans
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0/2.0
URL Parameters
Required:
projectId=[string] – Unique Id of the project
Optional:
page=[integer] – Number of pages (default 1)
itemsPerPage=[integer] – Number of items per page (default 100)
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/scans?projectId=1'
Sample Response:
{
"findingsStatus": "string",
"id": "00000000-0000-0000-0000-000000000000",
"startAnalyzeTime": "2018-06-13T08:01:23.382Z",
"endAnalyzeTime": "2018-06-13T08:01:23.382Z",
"origin": "string",
"sourceCodeOrigin": "string",
"state": {
"id": 0,
"name": "string",
"failureReason": "string"
},
"sharedSourceLocationPaths": [
"string"
]
}
]Success Response:
Code: 200
Error Response:
Code: 400 Bad Request
Notes:
Retrieves basic scan details for all CxOSA scans associated with a specified project Id. If the request fails, it returns an error response. Possible scan states: 1= Scan not started, 2= In progress, 3= Succeeded, 4= Failed.
Get OSA Scan by Scan Id - GET /osa/scans/{scanId}
Get CxOSA scan details for the specified CxOSA scan Id. The retrieval of OSA scan details is performed after creating a CxOSA scan. To create a CxOSA scan use POST /osa/scans.
Usage:
POST /osa/scans and create a new scan request
GET /osa/scans/{scanId} and get basic details for the specified scan
URL
http://localhost/cxrestapi/osa/scan{scanId}
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0/2.0
Parameters
Required:
scanId=[string] – Unique Id of the OSA scan
Curl Sample:
curl -X GET --header 'Accept: text/html' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/scans/1000026'
Sample Response:
{
"findingsStatus": "CALCULATING",
"id": "82981aac-ad6e-4407-ba54-86c4ce58c6ce",
"startAnalyzeTime": "2019-11-05T09:35:07.807",
"endAnalyzeTime": "2019-11-05T09:35:25.55",
"origin": "Portal",
"sourceCodeOrigin": "Shared",
"state": {
"id": 2,
"name": "Succeeded",
"failureReason": null
},
"sharedSourceLocationPaths": [
\\\\storage\\temp\\davidp\\code samples\\bookstorewithfixes
]
}Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Code: 404 Not Found
Notes:
Retrieves OSA scan details for the specified CxOSA scan Id. If the request fails, it returns an error response. Possible scan states: 1= Scan not started, 2= In progress, 3= Succeeded, 4= Failed.
Create an OSA Scan Request - POST /osa/scans
Create a new OSA scan request. The OSA scan request is performed after creating a project. To create a project use POST/projects.
Usage:
POST /projects and create a new project with default configuration settings
POST /osa/scans and create a new scan request
URL
http://localhost/cxrestapi/osa/scans
Method:
POST
Media Type (header):
Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0/2.0
URL Parameters
Required:
projectId=[integer] – The Project Id associated with requested OSA scan
origin=[string] – The location from which OSA scan was requested. Portal=Default.
zippedSource=[file] – Zipped Open Source code to scan.
Curl Sample:
curl -X POST --header 'Content-Type: multipart/form-data' --header 'Accept: application/json' --header 'Authorization: Bearer <access token> -F projectId=1 -F origin=Portal 'http://localhost/cxrestapi/osa/scans'
Sample Response:
{
"scanId": "08bf382d-f74e-4170-b378-e6d97f53ab5b"
}Success Response:
Code: 202 Accepted
Error Response:
Code: 400 Bad Request
Notes:
Creates a new CxOSA scan request. If the request fails, it returns an error response.
Get All OSA File Extensions - GET /osa/fileextensions
Get all CxOSA file extension information.
Usage:
GET /osa/fileextensions and get list of file extensions supported by uploading zip file
URL
http://localhost/cxrestapi/osa/fileextensions
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
None
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/fileextensions'
Sample Response:
6pl;6pm;a;aar;air;al;ar;asp;aspx;c;c#;c++;cc;cgi;cp;cpp;cs;csharp;cxx;deb;dll;dmg;
drpm;egg;exe;fcgi;gem;go;goc;gzip;h;hpp;html;hxx;jar;java;js;jsp;ko;m;mm;msi;nqp;
nupkg;p6;p6l;p6m;pch;perl;ph;phl;php;pl;plx;pm;psgi;py;rb;rpm;s;so;swc;swf;swift;t;
tar.bz2;tar.gz;tgz;udeb;war;whl;y;zip
Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Notes:
Retrieves all CxOSA file extension information. If the request fails, it returns an error response. Open Source Analysis License should enabled in order to retrieve file extension information.
Get OSA Licenses by Id - GET /osa/licenses
Get all OSA license details for the specified OSA scan Id. The retrieval of OSA license details is performed after creating an OSA scan. To create an OSA scan use POST/osa/scans.
Usage:
POST/osa/scans and create a new scan request
GET /osa/licenses and get OSA license details for the specified scan
URL
http://localhost/cxrestapi/osa/licenses
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
Required:
scanId (string) – Unique Id of the OSA scan
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/licenses?scanId=1000026'
Sample Response:
[
{
"id": "1F45D5ABFF7B829AB480ECBACC5F786B19670685",
"name": "ISC",
"riskLevel": "Low",
"copyrightRiskScore": 39,
"patentRiskScore": 60,
"copyLeft": "No",
"linking": "Non_Viral",
"royalityFree": "No",
"referenceType": "NPM (details available in Node Package Manager)",
"reference": null,
"url": "http://www.opensource.org/licenses/ISC"
}
]Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Notes:
Retrieves all OSA license details for the specified CxOSA scan Id. If the request fails, it returns an error response.
Get OSA Scan Libraries - GET /osa/libraries
Get all the used libraries details for the specified CxOSA scan Id. The retrieval of CxOSA scan libraries details is performed after creating a project and performing an OSA scan. To create a project use POST /projects and then create an CxOSA scan by using POST /osa/scans.
Usage:
POST /projects and create a new project with default configuration settings
POST /osa/scans and create a new scan request
GET /osa/libraries and get all the used library details for the specified OSA scan
URL
http://localhost/cxrestapi/osa/libraries
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0/2.0/3.0
URL Parameters
Required:
scanId=[string] – Unique Id of the specific scan
Optional:
page=[integer] – Number of pages (default 1)
itemsPerPage=[integer] – Number of items per page (default 100)
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/libraries?scanId=2ba36aea-b9d3-459c-9327-966e9f92ef47'
Sample Response:
[
{
"id": "4F66BA501DBE640A5EEF3DC2C07AAA702364B9F5",
"name": "X-editable",
"version": "1.5.1",
"releaseDate": "2016-08-31T00:00:00",
"highUniqueVulnerabilityCount": 0,
"mediumUniqueVulnerabilityCount": 0,
"lowUniqueVulnerabilityCount": 0,
"newestVersion": null,
"newestVersionReleaseDate": null,
"numberOfVersionsSinceLastUpdate": 0,
"confidenceLevel": 100,
"matchType": {
"id": 0,
"name": "SHA1",
"description": "Exact Match"
},
"licenses": [
"89690AC571DCF4C9C40C842EFED3F11171D07B29"
],
"outdated": false
},
{
"id": "60EC317D2672C6047B8DE0F1A17F8DC2D01988B4",
"name": "gd-sprest-js",
"version": "1.6.6",
"releaseDate": "2018-04-23T00:00:00",
"highUniqueVulnerabilityCount": 0,
"mediumUniqueVulnerabilityCount": 0,
"lowUniqueVulnerabilityCount": 0,
"newestVersion": "2.4.1",
"newestVersionReleaseDate": "2018-10-10T18:44:03",
"numberOfVersionsSinceLastUpdate": 68,
"confidenceLevel": 100,
"matchType": {
"id": 0,
"name": "SHA1",
"description": "Exact Match"
},
"licenses": [
"89690AC571DCF4C9C40C842EFED3F11171D07B29"
],
"outdated": true
},
{
"id": "8A807C2DF1204BA06A2222475DB4EF200E9991FE",
"name": "indigojs",
"version": "1.1.54",
"releaseDate": "2015-08-11T00:00:00",
"highUniqueVulnerabilityCount": 0,
"mediumUniqueVulnerabilityCount": 0,
"lowUniqueVulnerabilityCount": 0,
"newestVersion": "2.6.6",
"newestVersionReleaseDate": "2017-06-18T02:46:10",
"numberOfVersionsSinceLastUpdate": 80,
"confidenceLevel": 100,
"matchType": {
"id": 0,
"name": "SHA1",
"description": "Exact Match"
},
"licenses": [
"89690AC571DCF4C9C40C842EFED3F11171D07B29"
],
"outdated": true
},
{
"id": "996E682EF68612F5EFEA19BA63F48ED5615A5BBE",
"name": "jquery",
"version": "2.1.4",
"releaseDate": "2015-04-28T00:00:00",
"highUniqueVulnerabilityCount": 1,
"mediumUniqueVulnerabilityCount": 2,
"lowUniqueVulnerabilityCount": 0,
"newestVersion": "3.4.1",
"newestVersionReleaseDate": "2019-05-01T21:19:38",
"numberOfVersionsSinceLastUpdate": 14,
"confidenceLevel": 100,
"matchType": {
"id": 1,
"name": "Filename",
"description": "Filename Match"
},
"licenses": [
"89690AC571DCF4C9C40C842EFED3F11171D07B29"
],
"outdated": true
}
]
Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Notes:
Retrieves all the used libraries details for the specified CxOSA scan Id. If the request fails, it returns an error response.
Get OSA Scan Vulnerabilities by Id - GET /osa/vulnerabilities
Get all the vulnerabilities for the specified CxOSA scan Id. The retrieval of CxOSA scan results is performed after creating a project and performing a CxOSA scan. To create a project use POST/projects and to create a CxOSA scan use POST/osa/scans.
Usage:
POST /projects and create a new project with default configuration settings
POST /osa/scans and create a new scan request
GET /osa/vulnerabilities and get all the vulnerabilities for the specified OSA scan
URL
http://localhost/cxrestapi/osa/vulnerabilities
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0/2.0
Parameters
Required:
scanId=[string] – Unique Id of the OSA scan
Optional:
page=[integer] – Number of pages (default 1)
itemsPerPage=[integer] – Number of items per page (default 100)
libraryId=[string] – Filter by Library Id(s)
stateId=[integer] – Filter by State Id(s)
comment=[string] – Filter by Comment text
since=[long] – Filter by start time (not earlier than timestamp value)
until=[long] – Filter by end time (not later than timestamp value)
Curl Sample:
curl -X GET --header 'Accept: application/json' -- header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/vulnerabilities?scanId=2ba36aea-b9d3-459c-9327-966e9f92ef47'
Sample Response:
[
{
"id": "213C129450B538C4C8C96EF4F17A4E0B0400B98F",
"cveName": "CVE-2019-11358",
"score": 6.1,
"severity": {
"id": 1,
"name": "Medium"
},
"publishDate": "2019-04-20T00:29:00",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
"recommendations": "Upgrade to 3.4.0",
"sourceFileName": "",
"libraryId": "996E682EF68612F5EFEA19BA63F48ED5615A5BBE",
"state": {
"id": 1,
"actionType": "Regular",
"name": "TO_VERIFY"
},
"commentsAmount": 0,
"similarityId": "jquer_CVE-2019-11358_2"
},
{
"id": "2F063BB16518102952099DAA876AD89BFB275B96",
"cveName": "CVE-2016-10707",
"score": 7.5,
"severity": {
"id": 2,
"name": "High"
},
"publishDate": "2018-01-18T23:29:00",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10707",
"description": "jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.",
"recommendations": "Upgrade to 3.4.0",
"sourceFileName": "",
"libraryId": "996E682EF68612F5EFEA19BA63F48ED5615A5BBE",
"state": {
"id": 1,
"actionType": "Regular",
"name": "TO_VERIFY"
},
"commentsAmount": 0,
"similarityId": "jquer_CVE-2016-10707_2"
}
]
Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Notes:
Retrieves all vulnerabilities for the specified CxOSA scan Id. If the request fails, it returns an error response. Each vulnerability returned is unique to its library or file.
Get OSA Scan Vulnerability Comments by Id - GET /osa/vulnerabilities/{vulnerabilityId}/comments
Get existing comments for vulnerabilities according to Vulnerability Id and Project Id.
Usage:
GET /osa/scans and get basic scan details for all scans associated with a specified project Id
GET /osa/vulnerabilities and get all the vulnerabilities for the specified scan
GET /osa/vulnerabilities/{vulnerabilityId}/comments and get existing comments for vulnerabilities according to Vulnerability Id and Project Id
URL
http://localhost/cxrestapi/osa/vulnerabilities/{vulnerabilityId}/comments
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
Required:
vulnerabilityId=[string] – Unique Id of the vulnerability
projectId=[long] – Unique Id of the project
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/vulnerabilities/9186D297D3EB9D3A0D036BC8557C625386FC6978/comments?projectId=1'
Sample Response:
{
"userName": "admin",
"timeStamp": 1572968407,
"content": "Need to verify vulnerability before remediation"
}Success Response:
Code: 200 OK
Error Response:
Code: 400 Bad Request
Code: 404 Not Found
Notes:
Retrieves comments for vulnerabilities according to the specified Vulnerability Id and Project Id. If the request fails, it returns an error response.
Get OSA Scan Summary Report - GET /osa/reports
Generate a new summary report (.json) for the specified OSA scan Id. The retrieval of OSA scan results is performed after creating an OSA scan. To create an OSA scan use POST /osa/scans.
Usage
POST /osa/scans and create a new scan request
GET /osa/reports and generate a summary report for the specified OSA scan
URL
http://localhost/cxrestapi/osa/reports
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
Required:
scanId=[string] – Unique Id of the OSA scan
Curl Sample:
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <access token> 'http://localhost/cxrestapi/osa/reports?scanId=014feb48-1f64-43a5-8b31-25999ed5ec12'
Sample Response:
{
"totalLibraries": 4,
"highVulnerabilityLibraries": 1,
"mediumVulnerabilityLibraries": 0,
"lowVulnerabilityLibraries": 0,
"nonVulnerableLibraries": 3,
"vulnerableAndUpdated": 0,
"vulnerableAndOutdated": 1,
"vulnerabilityScore": "High",
"totalHighVulnerabilities": 1,
"totalMediumVulnerabilities": 2,
"totalLowVulnerabilities": 0
}Success Response:
Code: 200
Error Response:
Code: 400 Bad Request
Notes:
Generates a new summary report for the specified CxOSA scan Id. If the request fails, it returns an error response. The report generation type is defined, by default as .json format. HTML and PDF formats have been removed and are no longer available.