Overview
This resource represents alerts. The Mend application uses alerts to notify users of security vulnerabilities, licensing and compatibility issues, or policy violations in their open-source code. Alerts can apply to a whole organization, a specific product, or a specific project.
Alerts can have one of three statuses:
Active - Alerts in the active state appear in dashboards and reports. This is the default status.
Ignored - Alerts marked as ignored do not appear in dashboards or reports. You can reactivate ignored alerts; they then revert to the active state, are restored in the application, and reappear in dashboards and reports.
Resolved - Alerts that are no longer relevant will have the resolved status.
This topic showcases the API requests and responses for:
getting all alerts for an organization, product or project
getting all alerts of a certain type for an organization, product or project
getting alerts by project tag (key & value) for an organization, product or project
getting ignored alerts for an organization, product or project
ignoring alerts for an organization, product or project
setting the status of alerts for an organization, product or project
Alert Types
Alerts can be of the following types:
Alert Type | Description |
---|---|
NEW_MAJOR_VERSION | A new major version has been released for a library in the inventory. |
NEW_MINOR_VERSION | A new minor version has been released for a library in the inventory. |
SECURITY_VULNERABILITY | A security vulnerability was detected for a library in the inventory. |
REJECTED_BY_POLICY_RESOURCE | A library that violates a policy is being used. |
MULTIPLE_LIBRARY_VERSIONS | Multiple versions of the same library are being used. |
HIGH_SEVERITY_BUG | A High Severity bug was detected for a library. |
MULTIPLE_LICENSES | More than one license was identified for a library. |
REJECTED_DEFACTO_RESOURCE | A library is being used even though it was rejected. |
Vulnerability-Based Alerting
When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):
The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library.
A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.
Some additional fields are included in the responses for all scopes: Modified Date, Alert Status and Comment. These fields are not included when Library-based Alerting mode is enabled.
Security Vulnerability Object
Security alerts contain the Vulnerability object:
```json
"vulnerability": {
  "name": "vulnerability_name",
  "type": "vulnerability_type",
  "severity": "vulnerability_severity",
  "score": cvss_2_vulnerability_score,
  "cvss3_severity": "cvss_3_score_severity",
  "cvss3_score": cvss_3_vulnerability_score,
  "publishDate": "vulnerability_publish_date",
  "scoreMetadataVector": "cvss_3_metadata_vector",
  "url": "URL_of_vulnerability",
  "description": "vulnerability_description",
  "topFix": {
    "vulnerability": "vulnerability_fix_name",
    "type": "vulnerability_fix_type",
    "origin": "origin_of_fix",
    "url": "URL_of_fix",
    "fixResolution": "fix_resolution",
    "date": "date_of_fix",
    "message": "summary_of_fix",
    "extraData": "additional_data_on_fix"
  },
  "allFixes": [
    {
      "vulnerability": "vulnerability_fix_name",
      "type": "vulnerability_fix_type",
      "origin": "origin_of_fix",
      "url": "URL_of_fix",
      "fixResolution": "fix_resolution",
      "date": "date_of_fix",
      "message": "details_on_fix",
      "extraData": "additional_data"
    }
  ]
}
```
topFix & allFixes objects:
These objects are displayed only when a fix is available for the specific vulnerability.
The Vulnerability object has the following parameters:
Parameter | Value |
---|---|
name | ID in the vulnerability DB (CVE or WS) |
type | CVE or WS |
severity | Severity of the CVSS 2 vulnerability (low, medium, high) |
score | CVSS 2 base score [0.0 - 10.0] |
cvss3_severity | CVSS 3 score severity |
cvss3_score | CVSS 3 base score [0.0 - 10.0] |
scoreMetadataVector | See specification link |
publishDate | Original release date |
url | URL of the CVE |
description | Short description of the security vulnerability |
topFix | Top recommended fix (when available) |
allFixes | List of all fixes (when available) |
fixResolutionText | The actual resolution text to display for the given fix |
Vulnerability-Based Security Alerts Reporting
For details of the API requests for generating reports of all security alerts detailed by vulnerability (in the scope of organization, product, or project), see https://whitesource.atlassian.net/wiki/spaces/WD/pages/1730543766/Reports+API#Get-Security-Alerts-by-Vulnerability-Report.
For details on the API requests for generating reports of all vulnerability-based alerts that are associated with a specific library (in the scope of organization, product, or project), see https://whitesource.atlassian.net/wiki/spaces/WD/pages/1730543766/Reports+API#Get-Security-Alerts-by-Library-Report.
Get Alerts
Organization
Get all alerts for a specific organization.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the alerts in an organization. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
Request Example
```json
{
  "requestType": "getOrganizationAlerts",
  "userKey": "user_key",
  "orgToken": "organization_api_key"
}
```
Response Example
The response is a JSON collection of all the alerts in the organization with their details. For example:
```json
{
  "alerts": [
    {
      "type": "REJECTED_BY_POLICY_RESOURCE",
      "level": "MAJOR",
      "library": {
        "keyUuid": "3c0f701b-1315-43ed-b94b-a14447f46a4a",
        "keyId": 36637701,
        "filename": "ini-1.3.5.tgz",
        "type": "javascript/Node.js",
        "languages": "javascript/Node.js",
        "description": "An ini encoder/decoder for node",
        "references": {
          "url": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
          "homePage": "https://github.com/isaacs/ini#readme",
          "genericPackageIndex": "https://www.npmjs.org/package/ini"
        },
        "sha1": "eee25f56db1c9ec6085e0c22778083f596abf927",
        "name": "ini",
        "artifactId": "ini-1.3.5.tgz",
        "version": "1.3.5",
        "groupId": "ini",
        "licenses": [
          {
            "name": "ISC",
            "spdxName": "ISC",
            "url": "http://www.opensource.org/licenses/ISC",
            "profileInfo": {
              "copyrightRiskScore": "THREE",
              "patentRiskScore": "THREE",
              "copyleft": "NO",
              "linking": "NON_VIRAL",
              "royaltyFree": "NO"
            },
            ...........
```
Product
Get all alerts for a specific product.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the alerts for a product. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
productToken | Unique identifier of the product. | string | Yes |
Request Example
```json
{
  "requestType": "getProductAlerts",
  "userKey": "user_key",
  "productToken": "product_token"
}
```
Response Example
The response is a JSON collection of all the alerts in the product with their details. For example:
```json
{
  "alerts": [
    {
      "type": "REJECTED_BY_POLICY_RESOURCE",
      "level": "MAJOR",
      "library": {
        "keyUuid": "c147bc0a-41f9-4867-b056-b4fc8a7dbac4",
        "keyId": 66142625,
        "filename": "Pillow-5.2.0.tar.gz",
        "type": "Python",
        "languages": "Python",
        "description": "Python Imaging Library (Fork)",
        "references": {
          "url": "https://files.pythonhosted.org/packages/d3/c4/b45b9c0d549f482dd072055e2d3ced88f3b977f7b87c7a990228b20e7da1/Pillow-5.2.0.tar.gz",
          "homePage": "https://python-pillow.org",
          "genericPackageIndex": "https://pypi.python.org/pypi/Pillow/5.2.0"
        },
        "sha1": "7d0f97e23425418f2e4c9ee51fc3bcb9ee71ec60",
        "name": "Pillow",
        "artifactId": "Pillow-5.2.0.tar.gz",
        "version": "5.2.0",
        "groupId": "Pillow",
        "licenses": [
          {
            "name": "PIL Software License",
            "url": "http://www.pythonware.com/products/pil/license.htm",
            "references": [
              {
                "referenceType": "Project home page",
                "reference": "https://github.com/python-pillow/Pillow/blob/master/LICENSE"
              }
            ]
          }
        ]
        ...........
```
Project
Get all alerts for a specific project.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the alerts for a project. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
projectToken | Unique identifier of the project. | string | Yes |
Request Example
```json
{
  "requestType": "getProjectAlerts",
  "userKey": "user_key",
  "projectToken": "project_token"
}
```
Response Example
The response is a JSON collection of all the alerts in the project with their details. For example:
{ "alerts": [ { "type": "REJECTED_BY_POLICY_RESOURCE", "level": "MAJOR", "library": { "keyUuid": "5f612fe4-4735-4334-bba2-f68da42714c5", "keyId": 86429547, "filename": "lodash-4.17.15.tgz", "type": "javascript/Node.js", "languages": "javascript/Node.js", "description": "Lodash modular utilities.", "references": { "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz", "homePage": "https://lodash.com/", "genericPackageIndex": "https://www.npmjs.org/package/lodash" }, "sha1": "b447f6670a0455bbfeedd11392eff330ea097548", "name": "lodash", "artifactId": "lodash-4.17.15.tgz", "version": "4.17.15", "groupId": "lodash", "licenses": [ { "name": "MIT", "spdxName": "MIT", "url": "http://www.opensource.org/licenses/MIT", "profileInfo": { "copyrightRiskScore": "THREE", "patentRiskScore": "ONE", "copyleft": "NO", "royaltyFree": "YES" }, { "referenceType": "NPM (details available in Node Package Manager)", "reference": "https://github.com/lodash/lodash/blob/4.17.15/package.json" } ] } ] "type": "SECURITY_VULNERABILITY", "level": "MAJOR", "library": { "keyUuid": "811031a9-bfee-44c0-bd1f-1aec280d4bed", "keyId": 100088875, "filename": "axios-0.19.2.tgz", "type": "javascript/Node.js", "languages": "javascript/Node.js", "description": "Promise based HTTP client for the browser and node.js", "references": { "url": "https://registry.npmjs.org/axios/-/axios-0.19.2.tgz", "homePage": "https://github.com/axios/axios", "genericPackageIndex": "https://www.npmjs.org/package/axios" ] } ] }, ...........
Get Alerts by Project Tag
Project tags are key-value pairs that provide additional metadata for projects, enabling users to label and search for their products or projects according to predefined categories (such as development or production).
This API request allows you to get alerts in your project that have a specific tag or label.
Important Notes about this API
When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):
The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library.
A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.
Some additional fields are included in the responses for all scopes: Modified Date, Alert Status and Comment. These fields are not included when Library-based Alerting mode is enabled.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all alerts in the organization that have a specific project tag. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
tagKey | Label that describes the tag. | string | Yes |
tagValue | Value assigned to the tag. | string | Yes |
Request Example
```json
{
  "requestType": "getAlertsByProjectTag",
  "orgToken": "organization_api_key",
  "userKey": "user_key",
  "tagKey": "status",
  "tagValue": "production"
}
```
Response Example
The response is a JSON collection of all the alerts in the organization with the specified project tag. For example:
```json
{
  "apiAlertInfo": [
    {
      "vulnerability": {
        "name": "CVE-2020-10673",
        "type": "CVE",
        "severity": "medium",
        "score": 6.8,
        "cvss3_severity": "high",
        "cvss3_score": 8.8,
        "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "publishDate": "2020-03-18",
        "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-10673",
        "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).",
        "topFix": {
          "vulnerability": "CVE-2020-10673",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2660",
          "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.9.10.4",
          "date": "2020-03-18",
          "message": "Upgrade to version"
        },
        "allFixes": [
          {
            "vulnerability": "CVE-2020-10673",
            "type": "UPGRADE_VERSION",
            "origin": "WHITESOURCE_EXPERT",
            "url": "https://github.com/FasterXML/jackson-databind/issues/2660",
            "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.9.10.4",
            "date": "2020-03-18",
            "message": "Upgrade to version"
          }
        ]
        ........
```
Get Ignored Alerts
Get a list of ignored alerts per scope (organization, product, or project).
Important Notes about this API
When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):
The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library.
A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.
Some additional fields are included in the responses for all scopes: Modified Date, Alert Status and Comment. These fields are not included when Library-based Alerting mode is enabled.
Organization
Get all ignored alerts for a specific organization.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the ignored alerts in an organization. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
Request Example
```json
{
  "requestType": "getOrganizationIgnoredAlerts",
  "userKey": "user_key",
  "orgToken": "organization_api_key"
}
```
Response Example
The response is a JSON collection of the ignored alerts in the organization with their details. For example:
```json
{
  "alerts": [
    {
      "vulnerability": {
        "name": "WS-2019-0379",
        "type": "WS",
        "severity": "medium",
        "score": 6.5,
        "cvss3_severity": "medium",
        "cvss3_score": 6.5,
        "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "publishDate": "2019-05-20",
        "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
        "description": "Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.",
        "topFix": {
          "vulnerability": "WS-2019-0379",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
          "fixResolution": "1.13-RC1",
          "date": "2019-05-12",
          "message": "Upgrade to version"
        },
        "allFixes": [],
        "fixResolutionText": "Upgrade to version 1.13-RC1",
        "references": []
      },
      ...........
```
Product
Get all ignored alerts for a specific product.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the ignored alerts for a product. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
productToken | Unique identifier of the product. | string | Yes |
Request Example
```json
{
  "requestType": "getProductIgnoredAlerts",
  "userKey": "user_key",
  "productToken": "product_token"
}
```
Response Example
The response is a JSON collection of the ignored alerts in the product with their details. For example:
```json
{
  "alerts": [
    {
      "vulnerability": {
        "name": "CVE-2018-10237",
        "type": "CVE",
        "severity": "medium",
        "score": 4.3,
        "cvss3_severity": "medium",
        "cvss3_score": 5.9,
        "scoreMetadataVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "publishDate": "2018-04-26",
        "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-10237",
        "description": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.",
        "topFix": {
          "vulnerability": "CVE-2018-10237",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237",
          "fixResolution": "24.1.1-jre, 24.1.1-android",
          "date": "2018-04-26",
          "message": "Upgrade to version"
        },
        "allFixes": [
          {
            "vulnerability": "CVE-2018-10237",
            "type": "UPGRADE_VERSION",
            "origin": "WHITESOURCE_EXPERT",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237",
            "fixResolution": "24.1.1-jre, 24.1.1-android",
            "date": "2018-04-26",
            "message": "Upgrade to version"
          },
          {
            "vulnerability": "CVE-2018-10237",
            "type": "UPGRADE_VERSION",
            "origin": "SECURITY_TRACKER",
            "url": "http://www.securitytracker.com/id/1041707",
            "fixResolution": "Red Hat has issued a fix.\n\nThe Red Hat advisory is available at:\n\nhttps://access.redhat.com/errata/RHSA-2018:2740\nhttps://access.redhat.com/errata/RHSA-2018:2741\nhttps://access.redhat.com/errata/RHSA-2018:2742\nhttps://access.redhat.com/errata/RHSA-2018:2743",
            "message": "Red Hat JBoss EAP Component Errors Let Remote Users Deny Service and Remote Authenticated Users Gain Potentially Sensitive Information",
            "extraData": "key=1041707"
          },
          ...........
```
Project
Get all ignored alerts for a specific project.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that returns all the ignored alerts for a project. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
projectToken | Unique identifier of the project. | string | Yes |
Request Example
```json
{
  "requestType": "getProjectIgnoredAlerts",
  "userKey": "user_key",
  "projectToken": "project_token"
}
```
Response Example
The response is a JSON collection of the ignored alerts in the project with their details. For example:
```json
{
  "alerts": [
    {
      "vulnerability": {
        "name": "WS-2019-0379",
        "type": "WS",
        "severity": "medium",
        "score": 6.5,
        "cvss3_severity": "medium",
        "cvss3_score": 6.5,
        "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "publishDate": "2019-05-20",
        "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
        "description": "Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.",
        "topFix": {
          "vulnerability": "WS-2019-0379",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
          "fixResolution": "1.13-RC1",
          "date": "2019-05-12",
          "message": "Upgrade to version"
        },
        "allFixes": [],
        "fixResolutionText": "Upgrade to version 1.13-RC1",
        "references": []
      },
      "type": "SECURITY_VULNERABILITY",
      "level": "MAJOR",
      "library": {
        "keyUuid": "83cf3655-de66-411b-ba19-fdf2d3cc2067",
        "keyId": 111269430,
        "filename": "commons-codec-1.9.jar",
        "type": "Java",
        "description": "The Apache Commons Codec package contains simple encoder and decoders for\n various formats such as Base64 and Hexadecimal. In addition to these\n widely used encoders and decoders, the codec package also maintains a\n collection of phonetic encoding utilities.",
        "references": {
          "pomUrl": "https://repo.maven.apache.org/maven2/commons-codec/commons-codec/1.9/commons-codec-1.9.pom"
        },
        ...........
```
Get Alerts by Type
Get all alerts of a certain type for a given organization, a specific product, or a specific project, according to your role permissions.
Important Notes about this API
When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):
The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library.
A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.
Some additional fields are included in the responses for all scopes: Modified Date, Alert Status and Comment. These fields are not included when Library-based Alerting mode is enabled.
Organization
Get alerts of a certain type for a given organization.
QUERY PARAMETERS
Parameter | Description | Type | Required | Default/Values |
---|---|---|---|---|
requestType | API request type that returns all the alerts in an organization according to the specified alert type. | string | Yes | |
orgToken | API key which is a unique identifier of the organization. | string | Yes | |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes | |
alertType | The type of alerts. A detailed description of the permitted alert types is provided in Alert Types above. | string | Yes | Permitted alert type values: see Alert Types |
fromDate | The first date in the time period during which the alerts were created or modified. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is: |
toDate | The last date in the time period during which the alerts were created or modified. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is: |
Request Example
```json
{
  "requestType": "getOrganizationAlertsByType",
  "userKey": "user_key",
  "alertType": "alert_type",
  "orgToken": "organization_api_key",
  "fromDate": "2020-09-01"
}
```
Response Example
A JSON collection listing the alerts of the specified type that were generated in the specified scope (organization, product, or project) and within the specified date range:
```json
{
  "alerts": [
    {
      "vulnerability": {
        "name": "CVE-2020-28168",
        "type": "CVE",
        "severity": "medium",
        "score": 4.3,
        "cvss3_severity": "medium",
        "cvss3_score": 5.9,
        "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "publishDate": "2020-11-06",
        "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-28168",
        "description": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.",
        "allFixes": [],
        "references": []
      },
      "type": "SECURITY_VULNERABILITY",
      "level": "MAJOR",
      "library": {
        "keyUuid": "811031a9-bfee-44c0-bd1f-1aec280d4bed",
        "keyId": 100088875,
        "filename": "axios-0.19.2.tgz",
        "type": "javascript/Node.js",
        "languages": "javascript/Node.js",
        "description": "Promise based HTTP client for the browser and node.js",
        "references": {
          "url": "https://registry.npmjs.org/axios/-/axios-0.19.2.tgz",
          "homePage": "https://github.com/axios/axios",
          "genericPackageIndex": "https://www.npmjs.org/package/axios"
        },
        "sha1": "3ea36c5d8818d0d5f8a8a97a6d36b86cdc00cb27",
        "name": "axios",
        "artifactId": "axios-0.19.2.tgz",
        "version": "0.19.2",
        "groupId": "axios",
        "licenses": [
          {
            "name": "MIT",
            "spdxName": "MIT",
            "url": "http://www.opensource.org/licenses/MIT",
            "profileInfo": {
              "copyrightRiskScore": "THREE",
              "patentRiskScore": "ONE",
              "copyleft": "NO",
              "royaltyFree": "YES"
            },
            ...........
```
Product
Get alerts of a certain type for a given product.
QUERY PARAMETERS
Parameter | Description | Type | Required | Default/Values |
---|---|---|---|---|
requestType | API request type that returns all the alerts generated for a product according to the specified alert type. | string | Yes | |
productToken | Unique identifier of the product. | string | Yes | |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes | |
alertType | The type of alert. For a detailed description, see Alert Types. | string | Yes | Permitted alert type values: see Alert Types |
fromDate | The first date in the time period during which the alerts were created or modified. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is: |
toDate | The last date in the time period during which the alerts were created or modified. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is: |
Request Example
```json
{
  "requestType": "getProductAlertsByType",
  "userKey": "user_key",
  "alertType": "SECURITY_VULNERABILITY",
  "productToken": "product_token",
  "fromDate": "2010-09-01",
  "toDate": "2021-12-31"
}
```
The alertType value SECURITY_VULNERABILITY is just an example; any of the permitted alert types can be used.
Response Example
```json
{
  "alerts": [
    {
      "vulnerability": {
        "name": "CVE-2010-2076",
        "type": "CVE",
        "severity": "high",
        "score": 7.5,
        "publishDate": "2010-08-19",
        "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2010-2076",
        "description": "Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.",
        "topFix": {
          "vulnerability": "CVE-2010-2076",
          "type": "UPGRADE_VERSION",
          "origin": "WHITESOURCE_EXPERT",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2076",
          "fixResolution": "2.0.13,2.1.10,2.2.9",
          "date": "2010-08-19",
          "message": "Upgrade to version",
          "extraData": "{\"packageLevelFix\":[{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2.1 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"}]}"
        },
        "allFixes": [
          {
            "vulnerability": "CVE-2010-2076",
            "type": "UPGRADE_VERSION",
            "origin": "WHITESOURCE_EXPERT",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2076",
            "fixResolution": "2.0.13,2.1.10,2.2.9",
            "date": "2010-08-19",
            "message": "Upgrade to version",
            "extraData": "{\"packageLevelFix\":[{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2.1 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"}]}"
          }
        ],
        "fixResolutionText": "Upgrade to version 2.0.13,2.1.10,2.2.9",
        "references": []
      },
      "type": "SECURITY_VULNERABILITY",
      "level": "MAJOR",
      "library": {
        "keyUuid": "c0a07bfe-dd9a-4caa-84f8-d99404b13496",
        "keyId": 332377,
        "filename": "cxf-common-utilities-2.2.7.jar",
        "type": "Java",
        "resolvedType": "Java",
        "references": {
          "url": "http://cxf.apache.org",
          "issueUrl": "https://issues.apache.org/jira/browse/CXF",
          "pomUrl": "https://repo.maven.apache.org/maven2/org/apache/cxf/cxf-common-utilities/2.2.7/cxf-common-utilities-2.2.7.pom"
        },
        "sha1": "b378945db083d216a2aff1956c1c3ae968a2adf0",
        "name": "Apache CXF Common Utilities",
        "artifactId": "cxf-common-utilities",
        "version": "2.2.7",
        "groupId": "org.apache.cxf"
      },
      "project": "Demo Data",
      "projectId": 1559006,
      "projectToken": "5715a92ea3d345d29512481363d8f9751b87c8fb50c44c46a44e81e90e7407e6",
      "directDependency": true,
      "description": "High:1",
      "date": "2021-09-05",
      "modifiedDate": "2021-09-05",
      "status": "OPEN",
      "time": 1630800000000,
      "alertUuid": "93de3f9b-fc34-4cab-9e58-916a368fa546"
    }
  ]
}
```
Project
Get alerts of a certain type for a given project.
QUERY PARAMETERS
Parameter | Description | Type | Required | Default/Values |
---|---|---|---|---|
requestType | API request type that returns all the alerts generated for a project according to the specified alert type. | string | Yes | |
projectToken | Unique identifier of the project. | string | Yes | |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes | |
alertType | The type of alert. For a detailed description, see Alert Types. | string | Yes | Permitted alert type values: see Alert Types |
fromDate | The first date in the time period during which the alerts were created or modified. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is: |
toDate | The last date in the time period during which the alerts were created or modified. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is: |
Request Example
```json
{
  "requestType": "getProjectAlertsByType",
  "userKey": "user_key",
  "alertType": "alert_type",
  "projectToken": "project_token",
  "fromDate": "2020-09-01",
  "toDate": "2020-12-31"
}
```
See Response Example for an example of a JSON response to the specified details in the above request example.
Ignore Alerts
By default, alerts are in an active state and will appear in dashboards. If they are no longer relevant, you can change their status to ignored and they will no longer be displayed.
This API request enables users with the Org Admin role to ignore alerts by their unique identifier (alertUuid). Any alert-related API request returns the alertUuid of each alert it lists.
Organization
Change alerts status from active to ignored for an organization.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that ignores alerts in an organization. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
alertUuids | Unique IDs of the alerts to be ignored. NOTE: The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes |
comments | Text comment describing why the alerts should be ignored. | string | Yes |
Request Example
{ "requestType":"ignoreAlerts", "orgToken": "organization_api_key", "userKey": "user_key", "alertUuids": ["22f72c74-c2ea-4ed9-b37f-75d77bc52045","174a332b-7470-436b-82fe-c6e4644362e0"], "comments": "alerts not relevant to service" }
Response Example
{ "message": "Successfully ignored alerts" }
Product
Change alerts status from active to ignored for a product.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that ignores alerts in a product. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
productToken | Unique identifier of the product. | string | Yes |
alertUuids | Unique IDs of the alerts to be ignored. NOTE: The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes |
comments | Text comment describing why the alerts should be ignored. | string | Yes |
Request Example
{ "requestType":"ignoreAlerts", "productToken": "product_key", "userKey": "user_key", "alertUuids": ["22f72c74-c2ea-4ed9-b37f-75d77bc52045","174a332b-7470-436b-82fe-c6e4644362e0"], "comments": "alerts not relevant to service" }
Response Example
{ "message": "Successfully ignored alerts" }
Project
Change alerts status from active to ignored for a project.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that ignores alerts in a project. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
projectToken | Unique identifier of the project. | string | Yes |
alertUuids | Unique IDs of the alerts to be ignored. NOTE: The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes |
comments | Text comment describing why the alerts should be ignored. | string | Yes |
Request Example
{ "requestType":"ignoreAlerts", "projectToken": "project_key", "userKey": "user_key", "alertUuids": ["22f72c74-c2ea-4ed9-b37f-75d77bc52045","174a332b-7470-436b-82fe-c6e4644362e0"], "comments": "alerts not relevant to service" }
Response Example
{ "message": "Successfully ignored alerts" }
Set Alerts Status for an Organization
This request sets alerts to either Active or Ignored status.
This API request enables users with the Org Admin role to set the status of alert(s) according to their unique identifier.
NOTE: This API can also be used to change the alert's comments.
QUERY PARAMETERS
Parameter | Description | Type | Required |
---|---|---|---|
requestType | API request type that sets the alerts status in an organization. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
alertUuids | Unique IDs of the alerts for which you want to change their status. NOTE: The alert UUID is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes |
comments | Free text comment describing why the alerts should be changed. | string | No |
status | The status to set for the alert(s): Active or Ignored. | string | Yes |
Request Example
Set the status of alerts for an organization. In this example the alerts are set to Active, which reactivates them if they were previously ignored; pass "Ignored" to ignore them instead.
{ "requestType":"setAlertsStatus", "orgToken":"organization_api_key", "userKey": "user_key", "alertUuids": ["alert1_UUID", "alert2_UUID"], "comments": "Enter your comment here", "status": "Active" }
Response Example
{ "message": "Successfully set the alert's status" }
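The following Python script is an added example written for this page; it is not code from the Mend documentation or from any Mend SDK. It builds and validates the request bodies for the three calls documented above (getProjectAlertsByType, ignoreAlerts and setAlertsStatus), enforcing the points the tables make: alertType must be one of the Alert Types, comments is mandatory for ignoreAlerts but optional for setAlertsStatus, and status is Active or Ignored. It also shows the practical consequence of the NOTE that an alert UUID is unique per CVE: to ignore one reviewed library you must collect every alertUuid that points at that library's sha1 before calling ignoreAlerts. The endpoint URL (API_URL), the `alerts` key wrapping the alert list in a response, the sample response with its UUIDs, and the fake transport are assumptions or constructed test data, not values taken from the page.

```python
"""Added example, not Mend's own code or SDK.

Builds/validates getProjectAlertsByType, ignoreAlerts and setAlertsStatus bodies
and selects the alert UUIDs of one library from a response before ignoring them.
Assumptions (not from the page): API_URL and the `alerts` key of the response.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

API_URL = "https://mend.example.invalid/api/v1.3"  # assumption: use your Mend endpoint

# Alert types from the Alert Types table; values accepted by setAlertsStatus; scope keys.
ALERT_TYPES = frozenset({
    "NEW_MAJOR_VERSION", "NEW_MINOR_VERSION", "SECURITY_VULNERABILITY",
    "REJECTED_BY_POLICY_RESOURCE", "MULTIPLE_LIBRARY_VERSIONS",
    "HIGH_SEVERITY_BUG", "MULTIPLE_LICENSES", "REJECTED_DEFACTO_RESOURCE",
})
ALERT_STATUSES = frozenset({"Active", "Ignored"})
SCOPE_TOKENS = frozenset({"orgToken", "productToken", "projectToken"})


def alerts_by_type_request(user_key: str, project_token: str, alert_type: str,
                           from_date: Optional[str] = None,
                           to_date: Optional[str] = None) -> Dict:
    """Body for getProjectAlertsByType; fromDate/toDate are only sent when given."""
    if alert_type not in ALERT_TYPES:
        raise ValueError(f"unknown alertType {alert_type!r}")
    body = {"requestType": "getProjectAlertsByType", "userKey": user_key,
            "projectToken": project_token, "alertType": alert_type}
    if from_date:
        body["fromDate"] = from_date
    if to_date:
        body["toDate"] = to_date
    return body


def _checked_uuids(alert_uuids: Iterable[str]) -> List[str]:
    """Drop blanks and duplicates (order kept); an empty list is a caller bug."""
    uuids = list(dict.fromkeys(u for u in alert_uuids if u))
    if not uuids:
        raise ValueError("alertUuids must contain at least one alert UUID")
    return uuids


def ignore_alerts_request(scope: str, token: str, user_key: str,
                          alert_uuids: Iterable[str], comments: str) -> Dict:
    """Body for ignoreAlerts; `scope` is orgToken, productToken or projectToken.
    comments is required by the API, so an empty justification is rejected here."""
    if scope not in SCOPE_TOKENS:
        raise ValueError(f"scope must be one of {sorted(SCOPE_TOKENS)}")
    if not comments or not comments.strip():
        raise ValueError("comments is required: record why the alerts are ignored")
    return {"requestType": "ignoreAlerts", scope: token, "userKey": user_key,
            "alertUuids": _checked_uuids(alert_uuids), "comments": comments}


def set_alerts_status_request(org_token: str, user_key: str, alert_uuids: Iterable[str],
                              status: str, comments: Optional[str] = None) -> Dict:
    """Body for setAlertsStatus (organization scope); comments are optional here."""
    if status not in ALERT_STATUSES:
        raise ValueError(f"status must be Active or Ignored, not {status!r}")
    body = {"requestType": "setAlertsStatus", "orgToken": org_token, "userKey": user_key,
            "alertUuids": _checked_uuids(alert_uuids), "status": status}
    if comments is not None:
        body["comments"] = comments
    return body


def alert_uuids_for_library(response: Dict, sha1: str) -> List[str]:
    """Every alertUuid whose library has this sha1. One UUID covers one CVE, so a
    single library usually yields several. Assumes the list sits under `alerts`."""
    return [a["alertUuid"] for a in response.get("alerts", [])
            if a.get("library", {}).get("sha1") == sha1]


def post(body: Dict, transport: Optional[Callable[[bytes], bytes]] = None) -> Dict:
    """POST a JSON body; `transport` lets tests replace the network with a fake."""
    data = json.dumps(body).encode()
    if transport is not None:
        return json.loads(transport(data))
    req = urllib.request.Request(API_URL, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response (not real data): two CVE alerts on one library, one on another.
CXF_SHA1 = "b378945db083d216a2aff1956c1c3ae968a2adf0"
SAMPLE_RESPONSE = {"alerts": [
    {"alertUuid": "00000000-0000-4000-8000-000000000001", "type": "SECURITY_VULNERABILITY",
     "level": "MAJOR", "directDependency": True, "status": "OPEN",
     "library": {"sha1": CXF_SHA1, "artifactId": "cxf-common-utilities", "version": "2.2.7"}},
    {"alertUuid": "00000000-0000-4000-8000-000000000002", "type": "SECURITY_VULNERABILITY",
     "level": "MAJOR", "directDependency": True, "status": "OPEN",
     "library": {"sha1": CXF_SHA1, "artifactId": "cxf-common-utilities", "version": "2.2.7"}},
    {"alertUuid": "00000000-0000-4000-8000-000000000003", "type": "SECURITY_VULNERABILITY",
     "level": "MINOR", "directDependency": False, "status": "OPEN",
     "library": {"sha1": "0" * 40, "artifactId": "other-lib", "version": "1.0"}},
]}


def fake_transport(data: bytes) -> bytes:
    """Offline stand-in for the endpoint; answers a valid ignoreAlerts as the page shows."""
    body = json.loads(data)
    if body["requestType"] == "ignoreAlerts" and body["comments"]:
        return json.dumps({"message": "Successfully ignored alerts"}).encode()
    return json.dumps({"message": "unexpected request"}).encode()


def ignore_library_alerts(response: Dict, sha1: str, project_token: str, user_key: str,
                          reason: str, transport=None) -> Dict:
    """Collect all alert UUIDs of one library and ignore them in a single call."""
    uuids = alert_uuids_for_library(response, sha1)
    return post(ignore_alerts_request("projectToken", project_token, user_key, uuids, reason),
                transport)


if __name__ == "__main__":
    print(ignore_library_alerts(SAMPLE_RESPONSE, CXF_SHA1, "project_token", "user_key",
                                "cxf-common-utilities reviewed; SOAP binding not reachable",
                                transport=fake_transport))
```

Keep the justification in comments specific (which review, who signed off, why the finding does not apply): it is the only audit trail the ignored alert carries, and it is what a reviewer sees when deciding whether to reactivate the alert with setAlertsStatus later.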