Processes a query for analysis
Request Parameters
Type: vuln
{
"type" : "vuln",
"query" : {
(valid query object)
},
"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sourceType" : <string> "individual" | "cumulative" | "patched",
"wasVuln" : <string> "onlyWas" | "excludeWas" | "includeWas" OPTIONAL (This field is used to query only WAS vulns, exclude WAS vulns, or include WAS vulns with regular VM data respectively. The default behavior is to include WAS vulns with regular VM data.),
"startOffset" : <number>,
"endOffset" : <number>
}
When the sourceType is "individual", a scanID must be provided in the root of the request object:
{
"type" : "vuln",
"query" : {
(valid query object)
},
"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sourceType" : "individual",
"startOffset" : <number>,
"endOffset" : <number>,
"scanID" : <number>,
"view" : "all" | "new" | "patched"
}
Type: event
{
"type" : "event",
"query" : {
(valid query object)
},
"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sourceType" : <string> "lce" | "archive"
}
When the sourceType is "archive", lceID and view must be provided in the root of the request object:
{
"type" : "event",
"query" : {
(valid query object)
},
"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sourceType" : "archive",
"lceID" : <number>,
"view" : <string> (silo id)
}
Type: user
{
"type" : "user",
"query" : {
(valid query object)
}
}
Type: scLog (deprecated in 5.19.0)
scLog has a unique query object with its own special filters.
{
"type" : "scLog",
"date" : scLog basename (eg. "201412") | "all",
"query": {
"startOffset" : <number>,
"endOffset" : <number>,
"filters" : [
{
"filterName" : "keywords",
"operator" : "=",
"value" : <string>
},
{
"filterName" : "severity",
"value" : {
"id" : <number> [0-2],
"operator" : "=",
"name":"INFO|WARNING|CRITICAL"
}
},
{
"filterName" : "initiator",
"operator" : "=",
"value" : {
"id" : <number>,
"username" : <string>
}
},
{
"filterName" : "module",
"operator" : "=",
"value" : <string> (eg. "auth")
},
{
"filterName" : "organization",
"value" : {
"id" : <number>
}
}
]
}
}
Type: mobile
{
"type" : "mobile",
"query" : {
(valid query object)
},
"sourceType" : "mobile",
"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"startOffset" : <number>,
"endOffset" : <number>
}
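The conditional rules above (scanID for "individual", lceID and view for "archive", sortField alongside sortDir) can be checked on the client before a request is sent. The following is an added example, not code from the product or its documentation; `build_analysis_request` is a hypothetical helper, the both-or-neither reading of the sort fields is an assumption, and it covers only the vuln and event types.

```python
# Added example: client-side check of the request rules listed above.
VULN_SOURCES = {"individual", "cumulative", "patched"}
EVENT_SOURCES = {"lce", "archive"}
WAS_MODES = {"onlyWas", "excludeWas", "includeWas"}
VIEWS = {"all", "new", "patched"}


def build_analysis_request(req_type, query, **opts):
    """Return a request body dict, or raise ValueError on a rule violation."""
    body = {"type": req_type, "query": query}
    sort_dir, sort_field = opts.pop("sortDir", None), opts.pop("sortField", None)
    # Assumption: "Must accompany sortDir" is read as both-or-neither.
    if (sort_dir is None) != (sort_field is None):
        raise ValueError("sortDir and sortField must be sent together")
    if sort_dir is not None:
        if sort_dir not in ("ASC", "DESC"):
            raise ValueError("sortDir must be ASC or DESC")
        if not str(sort_field).isalnum():
            raise ValueError("sortField must be alphanumeric")
        body.update(sortDir=sort_dir, sortField=sort_field)

    source = opts.get("sourceType")
    if req_type == "vuln":
        if source not in VULN_SOURCES:
            raise ValueError("vuln sourceType must be individual, cumulative or patched")
        if opts.get("wasVuln", "includeWas") not in WAS_MODES:
            raise ValueError("wasVuln must be onlyWas, excludeWas or includeWas")
        if source == "individual":
            if not isinstance(opts.get("scanID"), int):
                raise ValueError("sourceType individual requires a numeric scanID")
            if opts.get("view", "all") not in VIEWS:
                raise ValueError("view must be all, new or patched")
    elif req_type == "event":
        if source not in EVENT_SOURCES:
            raise ValueError("event sourceType must be lce or archive")
        if source == "archive" and not (
            isinstance(opts.get("lceID"), int) and isinstance(opts.get("view"), str)
        ):
            raise ValueError("sourceType archive requires lceID and view")
    else:
        raise ValueError("this sketch covers only the vuln and event types")
    for key in ("startOffset", "endOffset"):
        if key in opts and not isinstance(opts[key], int):
            raise ValueError(key + " must be a number")
    body.update(opts)
    return body
```
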
Example Universal Repository Response
NOTE: Beginning in SC 6.7.0 responses for all repository types will behave as Universal repositories. This means the hostUniqueness and vulnUniqueness will be as seen in this example.
{
"type": "regular",
"response": {
"totalRecords": "1",
"returnedRecords": 1,
"startOffset": "0",
"endOffset": "50",
"matchingDataElementCount": "-1",
"results": [
{
"pluginID": "98120",
"severity": {
"id": "4",
"name": "Critical",
"description": "Critical Severity"
},
"hasBeenMitigated": "0",
"acceptRisk": "0",
"recastRisk": "0",
"ip": "127.0.0.1",
"uuid": "",
"port": "0",
"protocol": "TCP",
"pluginName": "Code Injection",
"firstSeen": "1744728630",
"lastSeen": "1751396645",
"exploitAvailable": "No",
"exploitEase": "",
"exploitFrameworks": "",
"synopsis": "Code Injection",
"description": "A modern web application will be reliant on several different programming languages.\n\nThese languages can be broken up in two flavours. These are client-side languages (such as those that run in the browser -- like JavaScript) and server-side languages (which are executed by the server -- like ASP, PHP, JSP, etc.) to form the dynamic pages (client-side code) that are then sent to the client.\n\nBecause all server-side code should be executed by the server, it should only ever come from a trusted source.\n\nCode injection occurs when the server takes untrusted code (ie. from the client) and executes it.\n\nCyber-criminals will abuse this weakness to execute arbitrary code on the server, which could result in complete server compromise.\n\nScanner was able to inject specific server-side code and have the executed output from the code contained within the server response. This indicates that proper input sanitisation is not occurring.",
"solution": "It is recommended that untrusted input is never processed as server-side code.\nTo validate input, the application should ensure that the supplied value contains only the data that are required to perform the relevant action.\nFor example, where a username is required, then no non-alpha characters should not be accepted.",
"seeAlso": "http:\/\/www.aspdev.org\/asp\/asp-eval-execute\/",
"riskFactor": "Critical",
"stigSeverity": "",
"vprScore": "",
"vprContext": "[]",
"baseScore": "10.0",
"temporalScore": "",
"cvssVector": "AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C",
"cvssV3BaseScore": "9.8",
"cvssV3TemporalScore": "",
"cvssV3Vector": "AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H",
"cvssV4BaseScore": "9.3",
"cvssV4Vector": "AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N",
"cvssV4ThreatScore": "",
"cvssV4ThreatVector": "",
"cvssV4Supplemental": "",
"cpe": "",
"vulnPubDate": "-1",
"patchPubDate": "-1",
"pluginPubDate": "1490976000",
"pluginModDate": "1653494400",
"checkType": "remote",
"version": "",
"cve": "",
"bid": "",
"xref": "CWE #94,CWE #78,HIPAA #164.306(a)(1),HIPAA #164.306(a)(2),ISO #27001-A.14.2.5,PCI_DSS #3.2-6.5.1,NIST #sp800_53-SI-10,OWASP #2021-A3,CAPEC #108,CAPEC #43,CAPEC #88,CAPEC #35,OWASP #2010-A1,OWASP #2013-A1,OWASP #2017-A1,OWASP_API #2019-API8,CAPEC #6,OWASP_ASVS #4.0.2-5.2.5,WASC #OS Commanding,CAPEC #242,CAPEC #77,DISA_STIG #APSC-DV-002510,CAPEC #15,OWASP_ASVS #4.0.2-5.3.8",
"seolDate": "-1",
"epssScore": "",
"pluginText": "<plugin_output>fake output<\/plugin_output>",
"dnsName": "http://google-gruyere.appspot.com ",
"macAddress": "",
"netbiosName": "",
"operatingSystem": "",
"ips": "127.0.0.1",
"recastRiskRuleComment": "N\/A",
"acceptRiskRuleComment": "N\/A",
"hostUniqueness": "repositoryID,hostUUID",
"hostUUID": "02ebb260-30ed-4bf8-9e2c-92a8614cda1a",
"acrScore": "8.0",
"keyDrivers": "{\"internet exposure\":\"external\",\"device capability\":\"\",\"device type\":\"\"}",
"assetExposureScore": "0",
"vulnUniqueness": "repositoryID,vulnUUID",
"vulnUUID": "3812373e-84d6-4d0d-b9ea-50823faa5fb5",
"cgiScanEnabled": "Disabled",
"thoroughScanEnabled": "Disabled",
"paranoidScanEnabled": "Not Paranoid",
"attachment": "",
"uniqueness": "repositoryID,hostUUID",
"family": {
"id": "2000002",
"name": "Code Execution",
"type": "was"
},
"repository": {
"id": "287",
"name": "tmp universal slow import (6.6.5)",
"description": "",
"dataFormat": "universal"
},
"pluginInfo": "98120 (0\/6) Code Injection"
}
]
},
"error_code": 0,
"error_msg": "",
"warnings": [],
"timestamp": 1765404982
}
Example IPv4 Repository Response
{
"type" : "regular",
"response" : {
"totalRecords" : "1",
"returnedRecords" : 1,
"startOffset" : "0",
"endOffset" : "50",
"matchingDataElementCount" : "-1",
"results":[
{
"pluginID" : "119500",
"severity" : {
"id" : "4",
"name" : "Critical",
"description" : "Critical Severity"
},
"vprScore" : "6.7",
"vprContext" : "[
{
"id" : "age_of_vuln",
"name" : "Vulnerability Age",
"value" : "60 - 180 days",
"type" : "string"
},
{
"id" : "cvssV3_impactScore",
"name" : "CvssV3 Impact Score",
"value" : 5.9,
"type" : "number"
},
{
"id" : "exploit_code_maturity",
"name" : "Exploit Code Maturity",
"value" : "Unproven",
"type" : "string"
},
{
"id" : "predicted_impactScore",
"name" : "Predicted Impact Score",
"value" : false,
"type" : "boolean"
},
{
"id" : "product_coverage",
"name" : "Product Coverage",
"value" : "Low",
"type" : "string"
},
{
"id" : "threat_intensity_last_28",
"name" : "Threat Intensity",
"value" : "Low",
"type" : "string"
},
{
"id" : "threat_recency",
"name" : "Threat Recency",
"value" : "7 to 30 days",
"type" : "string"
},
{
"id" : "threat_sources_last_28",
"name" : "Threat Sources",
"value" : "Security Research",
"type" : "string"
}
]",
"epssScore": "0.08",
"ip" : "172.26.48.75",
"uuid" : "",
"port" : "8080",
"protocol" : "TCP",
"name" : "Jenkins < 2.138.4 LTS \/ 2.150.1 LTS \/ 2.154 Multiple Vulnerabilities",
"dnsName" : "",
"macAddress" : "00:50:56:be:27:da",
"netbiosName" : "TARGET\\WINDOW7X64",
"uniqueness" : "repositoryID,ip,dnsName",
"hostUniqueness" : "repositoryID,ip,dnsName",
"family" : {
"id" : "6",
"name" : "CGI abuses",
"type" : "active"
},
"repository" : {
"id" : "516",
"name" : "repo1",
"description" : "",
"dataFormat" : "IPv4"
},
"pluginInfo" : "119500 (8080\/6) Jenkins < 2.138.4 LTS \/ 2.150.1 LTS \/ 2.154 Multiple Vulnerabilities"
}
]
},
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1553525692
}
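Both example responses return most numbers and dates as strings, carry vprContext and keyDrivers as JSON text inside a string, and differ in hostUniqueness, so a consumer has to normalize rows before sorting or de-duplicating findings. The following is an added example, not code from the product or its documentation; `normalize` is a hypothetical helper, and the handling of "-1" dates, the mapping of "repositoryID" to repository.id, and the reading of hostUniqueness as a host key are assumptions.

```python
import json
from datetime import datetime, timezone

EPOCH_FIELDS = ("firstSeen", "lastSeen", "vulnPubDate", "patchPubDate")
FLOAT_FIELDS = ("vprScore", "baseScore", "cvssV3BaseScore", "epssScore")


def _epoch(value):
    # Assumption: "-1" or "" marks an unset date, as in "vulnPubDate": "-1".
    if value in (None, "", "-1"):
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def _lookup(row, field):
    # Assumption: "repositoryID" in a uniqueness list means repository.id.
    if field == "repositoryID":
        return row["repository"]["id"]
    return row.get(field, "")


def normalize(row):
    """Convert one entry of response.results into typed Python values."""
    out = {"pluginID": int(row["pluginID"]),
           "severity": int(row["severity"]["id"]),
           "port": int(row["port"])}
    for f in EPOCH_FIELDS:
        out[f] = _epoch(row.get(f))
    for f in FLOAT_FIELDS:
        out[f] = float(row[f]) if row.get(f) else None
    # vprContext and keyDrivers carry JSON text inside a string value.
    out["vprContext"] = json.loads(row.get("vprContext") or "[]")
    out["keyDrivers"] = json.loads(row.get("keyDrivers") or "{}")
    # Assumption: hostUniqueness lists the fields that together identify a host.
    out["hostKey"] = tuple(_lookup(row, f) for f in row["hostUniqueness"].split(","))
    return out


# Constructed rows, trimmed from the two example responses on this page.
UNIVERSAL = {
    "pluginID": "98120", "severity": {"id": "4"}, "port": "0",
    "firstSeen": "1744728630", "vulnPubDate": "-1", "vprScore": "",
    "cvssV3BaseScore": "9.8", "vprContext": "[]",
    "keyDrivers": "{\"internet exposure\":\"external\"}",
    "hostUniqueness": "repositoryID,hostUUID", "repository": {"id": "287"},
    "hostUUID": "02ebb260-30ed-4bf8-9e2c-92a8614cda1a"}
IPV4 = {
    "pluginID": "119500", "severity": {"id": "4"}, "port": "8080",
    "vprScore": "6.7", "epssScore": "0.08", "ip": "172.26.48.75", "dnsName": "",
    "vprContext": "[{\"id\": \"age_of_vuln\", \"value\": \"60 - 180 days\"}]",
    "hostUniqueness": "repositoryID,ip,dnsName", "repository": {"id": "516"}}
```
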