Add suspected vulnerabilities for an organization, creating the corresponding assets if needed. On success, returns the list of numeric IDs of the newly created suspected vulnerabilities.
The access token received from the authorization server in the OAuth 2.0 flow.
Unique identifier for the organization
Request body containing the list of objects, describing the properties of suspected vulnerabilities to create
The name (also known as title) of the suspected vulnerability
Location of the suspected vulnerability; records where it was discovered.
{
  "bareIpAddress": {
    "summary": "Reference to a single IP address",
    "value": "192.168.1.1"
  },
  "ipAddressWithTcpPort": {
    "summary": "Reference to a single TCP port number",
    "value": "tcp://192.168.1.1:22"
  },
  "ipAddressWithUdpPort": {
    "summary": "Reference to a single UDP port number",
    "value": "udp://192.168.1.1:53"
  },
  "ipAddressWithIcmpProto": {
    "summary": "Reference to a single IP address, ICMP protocol",
    "description": "Since the ICMP protocol doesn't have a port abstraction like TCP or UDP, the URI defines only the protocol name and the IP address of the host",
    "value": "icmp://192.168.1.1"
  },
  "webUrl": {
    "summary": "URL pointing to a specific resource inside a webapp",
    "value": "https://example.com/path?query#segment"
  }
}

CVSS base score of the vulnerability; valid values are from 0 to 10 inclusive. See https://www.first.org/cvss/ for further details.
Version of the CVSS base score, as a positive float number. See https://www.first.org/cvss/ for further details.
{
  "v2": { "summary": "CVSS version 2", "value": 2 },
  "v3.1": {
    "summary": "CVSS version 3.1",
    "value": 3.1
  }
}

Date and time when the suspected vulnerability was last detected on the asset, in RFC 3339 format, with sub-second precision added if present.
Identifier of the source of the suspected vulnerability. Usually it points to a scanner name. It should contain only lowercase alphanumeric chars and hyphens. It should start with a letter.
{
  "OpenVAS": {
    "summary": "OpenVAS vulnerability scanner",
    "value": "openvas"
  },
  "Burp Suite": {
    "summary": "Burp Suite vulnerability scanner",
    "value": "burp-suite"
  },
  "Tenable": {
    "summary": "Tenable Vulnerability Management Service",
    "value": "tenable"
  },
  "TenableWAS": {
    "summary": "Tenable Vulnerability Management Service",
    "value": "tenablewas"
  },
  "Qualys": {
    "summary": "Qualys Vulnerability Management Tool",
    "value": "qualys"
  }
}

Optional detailed description of the suspected vulnerability.
Optional list of IDs of Common Vulnerabilities and Exposures (also known as CVE), in "CVE-YYYY-N" format. See https://www.cve.org/ for details.
{
  "cveID": {
    "summary": "Log4shell vulnerability, affects Log4j versions 2.0-beta9 to 2.14.1. It allows remote code execution and information disclosure if exploited.",
    "value": ["CVE-2021-44228"]
  }
}

Optional list of IDs of Common Weakness Enumeration (also known as CWE), in "CWE-N" format. See https://cwe.mitre.org/ for further details.
{
  "cweID": {
    "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    "value": ["CWE-79"]
  }
}

Optional category of the suspected vulnerability, as a human-readable string. Usually it is scanner dependent. For instance, in Tenable it is called family.
Optional date and time when the suspected vulnerability was detected for the first time on the asset, in RFC 3339 format, with sub-second precision added if present.
Optional description of actions that could be taken in order to remediate the vulnerability.
Optional confidence of the suspected vulnerability. Usually it is scanner specific. For example, it is called confidence in Burp Suite and Quality of Detection in OpenVAS; Tenable doesn't have any at all.
Allowed values: certain, firm, tentative

Optional severity of the suspected vulnerability. Usually it is scanner specific. Sometimes it is calculated from the CVSS Base Score.
Allowed values: critical, high, medium, low

Optional unique identifier of the asset where the suspected vulnerability was discovered. When set, it must contain only lowercase hex digits. When not set, the asset will be created based on the location property.
Optional unique identifier of the assessment (also known as listing) that newly created assets should be assigned to. Used only when the assetUid property is set. If set, it must contain only lowercase alphanumeric characters.
Optional list of OWASP identifiers. These identifiers are standardized labels used to categorize security vulnerabilities according to the OWASP (Open Web Application Security Project) Top 10 framework, a globally recognized list of the most critical security risks to web applications. The identifiers follow the format "A##:YYYY", where "A##" is the position in the OWASP Top 10 list (e.g., A01, A02, A03) and "YYYY" is the year of the OWASP Top 10 publication (e.g., 2017, 2021, 2024).
{
  "brokenAccessControl": {
    "summary": "Broken Access Control",
    "value": ["A01:2021"]
  }
}

A risk score value provided by the vendor of the imported vulnerability. This can differ from vendor to vendor. For example, Qualys QDS has a range from 1 to 100, while Tenable VPR is 0.1 – 10.0.
If the HTTP request used to discover the suspected vulnerability is known, it should be placed here as is, including all the request headers.
If the HTTP response used to discover the suspected vulnerability is known, it should be placed here as is, including all the response headers.
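The field constraints above (location URI forms, CVSS range, source identifier charset, CVE/CWE/OWASP formats, confidence and severity enums, lowercase-hex asset UID, RFC 3339 timestamps) are easy to get wrong when an importer is glued together from several scanners, and a rejected batch costs a round trip. The following validator is an added example, not code from the API or its vendor: it checks one suspected-vulnerability object client-side before it is POSTed. The JSON property names it uses (name, location, cvssBaseScore, cvssVersion, lastSeen, firstSeen, source, cveIds, cweIds, owaspIds, confidence, severity, assetUid) are assumptions, since the page gives only assetUid by name; the formats they are checked against come from the descriptions above.

```python
"""Client-side validation of a suspected-vulnerability object before import.
Added example, not the API's own code.  Property names are assumptions;
only the formats being checked come from the field documentation."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

SOURCE_RE = re.compile(r"^[a-z][a-z0-9-]*$")   # lowercase alnum + hyphens, starts with a letter
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")      # CVE-YYYY-N; the sequence part is at least 4 digits
CWE_RE = re.compile(r"^CWE-\d+$")               # CWE-N
OWASP_RE = re.compile(r"^A\d{2}:\d{4}$")        # A##:YYYY
ASSET_UID_RE = re.compile(r"^[0-9a-f]+$")       # lowercase hex digits only
CONFIDENCE = {"certain", "firm", "tentative"}
SEVERITY = {"critical", "high", "medium", "low"}


def valid_location(loc: str) -> bool:
    """Accept the documented location forms: a bare IP address, tcp://ip:port,
    udp://ip:port, icmp://ip (no port), or an http(s) URL."""
    try:
        ipaddress.ip_address(loc)
        return True
    except ValueError:
        pass
    parts = urlsplit(loc)
    if parts.scheme in ("http", "https"):
        return bool(parts.netloc)
    if parts.scheme in ("tcp", "udp", "icmp"):
        try:
            ipaddress.ip_address(parts.hostname or "")
            has_port = parts.port is not None   # .port raises ValueError on a malformed port
        except ValueError:
            return False
        # TCP/UDP need a port; ICMP has no port abstraction, so one must not be present
        return has_port if parts.scheme != "icmp" else not has_port
    return False


def valid_rfc3339(ts: str) -> bool:
    """RFC 3339 timestamp with an explicit UTC offset; fractional seconds are optional."""
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def validate(vuln: dict) -> list[str]:
    """Return a list of problems with the object; an empty list means it passes."""
    errors = []
    for key in ("name", "location", "cvssBaseScore", "cvssVersion", "lastSeen", "source"):
        if key not in vuln:
            errors.append(f"missing required property {key}")
    if errors:
        return errors
    if not valid_location(vuln["location"]):
        errors.append("location is not a bare IP, tcp/udp/icmp URI or web URL")
    score = vuln["cvssBaseScore"]
    if not isinstance(score, (int, float)) or not 0 <= score <= 10:
        errors.append("cvssBaseScore must be between 0 and 10 inclusive")
    version = vuln["cvssVersion"]
    if not isinstance(version, (int, float)) or version <= 0:
        errors.append("cvssVersion must be a positive number")
    for key in ("lastSeen", "firstSeen"):
        if key in vuln and not valid_rfc3339(vuln[key]):
            errors.append(f"{key} is not an RFC 3339 timestamp")
    if not SOURCE_RE.match(vuln["source"]):
        errors.append("source must be lowercase alphanumeric/hyphens and start with a letter")
    for key, pattern in (("cveIds", CVE_RE), ("cweIds", CWE_RE), ("owaspIds", OWASP_RE)):
        for ident in vuln.get(key, []):
            if not pattern.match(ident):
                errors.append(f"{key} entry {ident!r} has the wrong format")
    if "confidence" in vuln and vuln["confidence"] not in CONFIDENCE:
        errors.append("confidence must be one of certain, firm, tentative")
    if "severity" in vuln and vuln["severity"] not in SEVERITY:
        errors.append("severity must be one of critical, high, medium, low")
    if "assetUid" in vuln and not ASSET_UID_RE.match(vuln["assetUid"]):
        errors.append("assetUid must contain only lowercase hex digits")
    return errors


# Constructed sample objects for demonstration; not real scanner output.
GOOD = {
    "name": "Log4Shell in application login endpoint",
    "location": "https://example.com/path?query#segment",
    "cvssBaseScore": 10.0,
    "cvssVersion": 3.1,
    "lastSeen": "2024-05-01T12:00:00.123456Z",
    "firstSeen": "2024-04-28T08:15:00+00:00",
    "source": "burp-suite",
    "cveIds": ["CVE-2021-44228"],
    "cweIds": ["CWE-917"],
    "owaspIds": ["A03:2021"],
    "confidence": "firm",
    "severity": "critical",
    "assetUid": "0a1b2c3d",
}
# Four deliberate mistakes: ICMP URI with a port, out-of-range score, badly formed source, bare CVE number
BAD = dict(GOOD, location="icmp://192.168.1.1:8", cvssBaseScore=11, source="Burp Suite", cveIds=["2021-44228"])

if __name__ == "__main__":
    print("GOOD problems:", validate(GOOD))
    for problem in validate(BAD):
        print("BAD:", problem)
```

Run the checks over the whole batch and drop or fix the failing objects before sending the POST; the server will still enforce its own rules, but an obviously malformed source identifier or location is cheaper to catch locally.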
Response to a POST request, inserting new suspected vulnerabilities for the organization