```yaml
swagger: "2.0"
host: sast.whitesourcesoftware.com
schemes: [https]
info:
  description: WhiteSource Static Application Security Testing Solution Web API
  version: 22.3.2
  title: WhiteSource SAST API
  contact:
    email: support@whitesourcesoftware.com

# Two header-based schemes are declared here, but no operation below (and no
# top-level `security` block) references either of them, so the spec does not
# state which header a client must send.
securityDefinitions:
  Bearer:
    type: apiKey
    name: Authorization
    in: header
  ApiKeyAuth:
    type: apiKey
    in: header
    name: X-Auth-Token

paths:
  /api/engines:
    get:
      tags:
        - SAST Engines
      description: Retrieves a list of available engines with supported programming language names and engine IDs. The engine ID is used in scan configurations.
      produces:
        - application/json
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Engine"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"

  /api/engines/{id}:
    get:
      tags:
        - SAST Engines
      description: Retrieves the engine details corresponding to the ID parameter. The response includes the engine ID, supported language, a list of tracked variables and a list of vulnerability types (name, risk level).
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: integer
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Engine"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown engine ID

  /api/scans:
    get:
      tags:
        - Scans
      description: Retrieves a list of scans
      produces:
        - application/json
      parameters:
        - in: query
          name: summary
          type: boolean
          description: Indicates if the full results of scans should be returned in the response
        - in: query
          name: limit
          type: integer
          description: Number of scans to be returned in the response
        - in: query
          name: page
          type: integer
          description: Page number, used in combination with limit
        - in: query
          name: query
          type: string
          description: Queries the scan names matching the parameter value
        - in: query
          name: sort
          type: string
        - in: query
          name: order
          type: string
          description: Order direction (ascend / descend). Descending by default
        - in: query
          name: filter
          type: string
          description: Filters the scans by status (accepts multiple status values separated by commas, e.g. Finished,Running,Failed)
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Scan"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"

  /api/scans/{id}:
    get:
      tags:
        - Scans
      description: Single scan corresponding to the id parameter. The object contains the complete scan information, such as scanning parameters and results (if present)
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: query
          name: summary
          type: boolean
          description: Indicates if the full result of a scan should be returned in the response
          required: false
        - in: query
          name: language
          type: string
          description: If used alone, shows the result for the single language
          required: false
        - in: query
          name: vulnerability
          type: string
          description: If used alone, shows the result for the single vulnerability ID
          required: false
        - in: query
          name: vulnerabilityType
          type: integer
          description: Used in combination with the language query parameter to show the results for a single vulnerability type
          required: false
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Scan"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown scan ID
          schema:
            $ref: "#/definitions/Error"
    post:
      tags:
        - Scans
      description: Changes the state of a vulnerability type / individual vulnerability (Risk / False Positive). Accepted actions are risk and falsepositive, with values of High, Medium, Low or boolean true/false
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/Action"
        - in: query
          name: language
          type: string
          description: Used in combination with the vulnerabilityType query parameter
          required: false
        - in: query
          name: vulnerability
          type: string
          description: If used alone, changes the state for the single vulnerability ID
          required: false
        - in: query
          name: vulnerabilityType
          type: integer
          description: Used in combination with the language query parameter to change the state for a single vulnerability type
          required: false
      responses:
        200:
          description: OK
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown scan ID
          schema:
            $ref: "#/definitions/Error"
    delete:
      tags:
        - Scans
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown scan ID
          schema:
            $ref: "#/definitions/Error"

  /api/scans/{id}/issue:
    post:
      tags:
        - Scans
      description: Posts an issue ticket to one of the supported issue tracking systems (accepted values for the alm query parameter are jira, azure, redmine and github) for a single vulnerability ID
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: query
          name: vulnerability
          type: string
          required: true
        - in: query
          name: alm
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ALM"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown scan ID/vulnerability type/vulnerability id
          schema:
            $ref: "#/definitions/Error"
        500:
          description: Internal server error
          schema:
            $ref: "#/definitions/Error"

  /api/scans/{id}/report:
    post:
      tags:
        - Scans
      description: Report export in five available formats (html, xml, json, csv, sarif) and eight available types for HTML reports (DefenseCode Default, OWASP Top 10, NIST, SANS/CWE Top 25, PCI DSS, CAPEC, HIPAA, HITRUST)
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: query
          name: format
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ReportExport"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown scan ID
          schema:
            $ref: "#/definitions/Error"
        500:
          description: Unable to generate a report
          schema:
            $ref: "#/definitions/Error"

  /api/scans/{id}/comment:
    post:
      tags:
        - Scans
      parameters:
        # The path template declares {id}, so the path parameter must be
        # declared as well (it was missing from the original operation).
        - in: path
          name: id
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/Comment"
      responses:
        200:
          description: OK

  /api/applications:
    get:
      tags:
        - Applications
      description: Retrieves a list of all applications
      produces:
        - application/json
      parameters:
        - in: query
          name: summary
          type: boolean
          description: Indicates (if set to true) if the full information of all applications should be returned in the response
        - in: query
          name: limit
          type: integer
          description: Number of applications to be returned in the response
        - in: query
          name: page
          type: integer
          description: Page number, used in combination with limit
        - in: query
          name: query
          type: string
          description: Queries the application names matching the parameter value
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Application"
    post:
      tags:
        - Applications
      description: Creates a new application and returns an application ID
      produces:
        - application/json
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ApplicationCreate"
      responses:
        201:
          description: Created
          schema:
            $ref: "#/definitions/AppCreateSuccess"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"

  /api/applications/{id}:
    get:
      tags:
        - Applications
      description: Retrieves the application corresponding to ID
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: query
          name: summary
          type: boolean
          description: Indicates if the full information of the application should be returned in the response
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Application"
    put:
      tags:
        - Applications
      description: Updates an application corresponding to ID
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ApplicationCreate"
      responses:
        200:
          description: Updated
          schema:
            $ref: "#/definitions/Success"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
    delete:
      tags:
        - Applications
      description: Deletes an application corresponding to ID
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: Updated
          schema:
            $ref: "#/definitions/Success"
        404:
          description: Not Found
          schema:
            $ref: "#/definitions/Error"

  /api/applications/{id}/scans:
    get:
      tags:
        - Applications
      description: Retrieves a list of all application scans
      produces:
        - application/json
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: query
          name: summary
          type: boolean
          description: Indicates if the full results of scans should be returned in the response
        - in: query
          name: limit
          type: integer
          description: Number of scans to be returned in the response
        - in: query
          name: page
          type: integer
          description: Page number, used in combination with limit
        - in: query
          name: query
          type: string
          description: Queries the scan names matching the parameter value
        - in: query
          name: sort
          type: string
        - in: query
          name: order
          type: string
          description: Order direction (ascend / descend). Descending by default
        - in: query
          name: filter
          type: string
          description: Filters the scans by status (accepts multiple status values separated by commas, e.g. Finished,Running,Failed)
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Scan"

  /api/login:
    post:
      tags:
        - Users
      description: User authentication endpoint
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/UserAuth"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/UserAuthResponse"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Authentication failed
          schema:
            $ref: "#/definitions/Error"

  /api/users:
    get:
      tags:
        - Users
      description: Get a list of users
      produces:
        - application/json
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/User"
    post:
      tags:
        - Users
      description: Creates a user
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/UserCreate"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        209:
          description: Username already exists
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"

  /api/users/{id}:
    get:
      tags:
        - Users
      description: Get a single user
      parameters:
        - in: path
          name: id
          required: true
          type: string
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/User"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Not Found
          schema:
            $ref: "#/definitions/Error"
    put:
      tags:
        - Users
      description: Updates a user
      parameters:
        - in: path
          name: id
          required: true
          type: string
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/UserCreate"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
    delete:
      tags:
        - Users
      description: Deletes a user
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Unknown user
          schema:
            $ref: "#/definitions/Error"

  /api/groups:
    get:
      tags:
        - Groups
      description: Gets the user groups
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Group"
    post:
      tags:
        - Groups
      description: Creates a user group
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/UserGroupCreate"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        209:
          description: Group name already exists
          schema:
            $ref: "#/definitions/Error"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"

  /api/groups/{id}:
    get:
      tags:
        - Groups
      description: Gets a user group
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Group"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
    put:
      tags:
        - Groups
      description: Updates a user group
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/UserGroupCreate"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        400:
          description: Bad request
          schema:
            $ref: "#/definitions/Error"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
    delete:
      tags:
        - Groups
      description: Deletes a user group
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        403:
          description: Unauthorized
          schema:
            $ref: "#/definitions/Error"
        404:
          description: Group does not exist
          schema:
            $ref: "#/definitions/Error"

  /api/groups/{id}/remove/{userId}:
    delete:
      tags:
        - Groups
      description: Removes a group member
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: path
          name: userId
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/groups/{id}/add/{userId}:
    put:
      tags:
        - Groups
      description: Adds a group member
      parameters:
        - in: path
          name: id
          type: string
          required: true
        - in: path
          name: userId
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/config/jira:
    get:
      tags:
        - Configurations
      description: Gets the current Jira configuration.
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/JiraConfig"
    put:
      tags:
        - Configurations
      description: Sets/updates the Jira configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/JiraConfig"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/config/jira/triggers:
    get:
      tags:
        - Configurations
      description: Gets the current Jira trigger configurations.
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/ALMTriggerConfig"
    post:
      tags:
        - Configurations
      description: Creates a Jira trigger configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ALMTriggerConfig"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/config/jira/triggers/{id}:
    put:
      tags:
        - Configurations
      description: Updates a Jira trigger configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ALMTriggerConfig"
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
    delete:
      tags:
        - Configurations
      description: Deletes the Jira trigger corresponding to the ID
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        404:
          description: Not Found
          schema:
            $ref: "#/definitions/Error"

  /api/config/azuredevops:
    get:
      tags:
        - Configurations
      description: Gets the current AzureDevOps configuration.
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/TfsConfig"
    put:
      tags:
        - Configurations
      description: Sets/updates the AzureDevOps configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/TfsConfig"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/config/azuredevops/triggers:
    get:
      tags:
        - Configurations
      description: Gets the current AzureDevOps trigger configurations.
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/ALMTriggerConfig"
    post:
      tags:
        - Configurations
      description: Creates an AzureDevOps trigger configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ALMTriggerConfig"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/config/azuredevops/triggers/{id}:
    put:
      tags:
        - Configurations
      description: Updates an AzureDevOps trigger configuration to be used when submitting vulnerability issues.
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/ALMTriggerConfig"
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
    delete:
      tags:
        - Configurations
      description: Deletes the AzureDevOps trigger corresponding to the ID
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        404:
          description: Not Found
          schema:
            $ref: "#/definitions/Error"

  /api/templates:
    get:
      tags:
        - Templates
      description: Retrieves a list of scan configuration templates
      parameters: []
      responses:
        200:
          description: OK
          schema:
            type: array
            items:
              $ref: "#/definitions/Template"
    post:
      tags:
        - Templates
      description: Creates a new scan configuration template
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "#/definitions/TemplateCreate"
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"

  /api/templates/{id}:
    get:
      tags:
        - Templates
      description: Retrieves the scan configuration template corresponding to ID
      parameters:
        # Declared here because the path template uses {id}; the original
        # operation omitted it.
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Template"
    delete:
      tags:
        - Templates
      description: Deletes the scan configuration template corresponding to ID
      parameters:
        - in: path
          name: id
          type: string
          required: true
      responses:
        200:
          description: OK
          schema:
            $ref: "#/definitions/Success"
        404:
          description: Not Found
          schema:
            $ref: "#/definitions/Error"

definitions:
  Application:
    type: object
    properties:
      id:
        type: string
      name:
        type: string
      metrics:
        type: object
        properties:
          totalScans:
            type: integer
          fixedVulnerabilities:
            type: integer
          newVulnerabilities:
            type: integer
          newHigh:
            type: integer
          newMedium:
            type: integer
          newLow:
            type: integer
          dateCounts:
            type: array
            items:
              type: object
              properties:
                date:
                  type: string
                counts:
                  type: object
                  properties:
                    totalVulnerabilities:
                      type: integer
                    locPerIssue:
                      type: integer
                    vulnTypeCount:
                      type: integer
                    high:
                      type: integer
                    medium:
                      type: integer
                    low:
                      type: integer
                    pcidss:
                      type: integer
                    nist:
                      type: integer
                    owasp:
                      type: integer
                    sansTop25:
                      type: integer
      # The scan-parameters block below is repeated verbatim in
      # ApplicationCreate, Scan, ScanCreate, Template and TemplateCreate.
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string
      createdBy:
        type: string
      createdTime:
        type: string

  ApplicationCreate:
    type: object
    properties:
      name:
        type: string
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string

  Action:
    type: object
    properties:
      action:
        type: string
      value:
        type: string

  Engine:
    type: object
    properties:
      id:
        type: integer
        example: 1
      language:
        type: string
        example: Java
      executable:
        type: string
        example: engineJava
      defaultDepth:
        type: object
        properties:
          maxFunctionDepth:
            type: integer
            example: 12
          maxVariableTrack:
            type: integer
            example: 20
      trackedInputs:
        type: array
        items:
          type: string
      vulnerabilityTypes:
        type: array
        items:
          type: object
          properties:
            id:
              type: integer
              example: 0
            name:
              type: string
              example: SQL Injection
            risk:
              type: string
              example: High
            description:
              type: string
            recommendation:
              type: array
              items:
                type: string
            references:
              type: array
              items:
                type: string
            cwe:
              type: object
              properties:
                id:
                  type: string
                title:
                  type: string
                url:
                  type: string
            pcidss:
              type: object
              properties:
                section:
                  type: string
                title:
                  type: string
            nist:
              type: object
              properties:
                control:
                  type: string
                priority:
                  type: string
                title:
                  type: string
                url:
                  type: string
            owasp:
              type: object
              properties:
                index:
                  type: string
                title:
                  type: string
                url:
                  type: string

  Scan:
    type: object
    properties:
      id:
        type: string
        example: "1"
      name:
        type: string
        example: Project scan
      languages:
        type: array
        items:
          type: string
          example: Java
      status:
        type: string
        example: Finished
      parentAppId:
        type: string
      # results is nested two levels deep: one entry per language, each holding
      # one entry per vulnerability type, each holding the individual findings.
      results:
        type: array
        items:
          type: object
          properties:
            language:
              type: string
            results:
              type: array
              items:
                type: object
                properties:
                  type:
                    type: object
                    properties:
                      id:
                        type: integer
                        example: 0
                      name:
                        type: string
                        example: SQL Injection
                      risk:
                        type: string
                        example: High
                      description:
                        type: string
                      recommendation:
                        type: array
                        items:
                          type: string
                      references:
                        type: array
                        items:
                          type: string
                      cwe:
                        type: object
                        properties:
                          id:
                            type: string
                          title:
                            type: string
                          url:
                            type: string
                      pcidss:
                        type: object
                        properties:
                          section:
                            type: string
                          title:
                            type: string
                      nist:
                        type: object
                        properties:
                          control:
                            type: string
                          priority:
                            type: string
                          title:
                            type: string
                          url:
                            type: string
                      owasp:
                        type: object
                        properties:
                          index:
                            type: string
                          title:
                            type: string
                          url:
                            type: string
                  count:
                    type: integer
                    example: 1
                  vulnerabilities:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        signature:
                          type: string
                        type:
                          type: object
                          properties:
                            id:
                              type: integer
                              example: 0
                            name:
                              type: string
                              example: SQL Injection
                            risk:
                              type: string
                              example: High
                            description:
                              type: string
                            recommendation:
                              type: array
                              items:
                                type: string
                            references:
                              type: array
                              items:
                                type: string
                            cwe:
                              type: object
                              properties:
                                id:
                                  type: string
                                title:
                                  type: string
                                url:
                                  type: string
                            pcidss:
                              type: object
                              properties:
                                section:
                                  type: string
                                title:
                                  type: string
                            nist:
                              type: object
                              properties:
                                control:
                                  type: string
                                priority:
                                  type: string
                                title:
                                  type: string
                                url:
                                  type: string
                            owasp:
                              type: object
                              properties:
                                index:
                                  type: string
                                title:
                                  type: string
                                url:
                                  type: string
                        risk:
                          type: string
                        falsepositive:
                          type: boolean
                        description:
                          type: string
                        sink:
                          type: string
                        sinkCall:
                          type: string
                        sinkFile:
                          type: string
                        inputSource:
                          type: string
                        functionCalls:
                          type: array
                          items:
                            type: object
                            properties:
                              name:
                                type: string
                              line:
                                type: string
                              file:
                                type: string
                              snippet:
                                type: string
                        inputFlow:
                          type: array
                          items:
                            type: object
                            properties:
                              name:
                                type: string
                              line:
                                type: string
                              file:
                                type: string
                              snippet:
                                type: string
                        filter:
                          type: object
                          properties:
                            isFiltered:
                              type: boolean
                            filterTypes:
                              type: object
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string
      stats:
        type: object
        properties:
          duration:
            type: string
          totalVulnerabilities:
            type: integer
            example: 10
          totalFiles:
            type: integer
            example: 200
          testedFiles:
            type: integer
            example: 200
          totalLines:
            type: integer
            example: 2000
          testedLines:
            type: integer
            example: 2000
      createdBy:
        type: string
        example: admin
      startTime:
        type: string
        example: "2020-05-30T14:55:29.955Z"
      createdTime:
        type: string
        example: "2020-05-30T14:55:29.955Z"

  # ScanCreate is defined but no operation above references it.
  ScanCreate:
    type: object
    properties:
      name:
        type: string
        example: Project scan
      parentAppId:
        type: string
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string

  Template:
    type: object
    properties:
      id:
        type: string
      name:
        type: string
        example: Project scan
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string

  TemplateCreate:
    type: object
    properties:
      name:
        type: string
        example: Project scan
      parameters:
        type: object
        properties:
          engines:
            type: array
            items:
              type: integer
          incremental:
            type: boolean
            example: true
          ignoreStoredFP:
            type: boolean
            example: false
          exclusions:
            type: array
            items:
              type: string
          almTrigger:
            type: string
          emailTrigger:
            type: string
          slackTrigger:
            type: string
          engineParams:
            type: array
            items:
              type: object
              properties:
                trackedInputs:
                  type: array
                  items:
                    type: string
                excludedVulnTypes:
                  type: array
                  items:
                    type: integer
                depth:
                  type: object
                  properties:
                    maxFunctionDepth:
                      type: integer
                      example: 12
                    maxVariableTrack:
                      type: integer
                      example: 20
                customFilters:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      filterId:
                        type: string
                customRules:
                  type: array
                  items:
                    type: object
                    properties:
                      functionName:
                        type: string
                      parameterCount:
                        type: integer
                      vulnParamIndex:
                        type: integer
                      vulnTypeIndex:
                        type: integer
      description:
        type: string

  ALM:
    type: object
    properties:
      project:
        type: string
      itemType:
        type: string
      comment:
        type: string

  Comment:
    type: object
    properties:
      body:
        type: string

  ReportExport:
    type: object
    properties:
      company:
        type: string
      author:
        type: string
      email:
        type: string
      description:
        type: string
      type:
        type: string
      level:
        type: string

  UserAuth:
    type: object
    properties:
      username:
        type: string
      password:
        type: string

  UserAuthResponse:
    type: object
    properties:
      token:
        type: string
      refreshToken:
        type: string
      tokenType:
        type: string
      username:
        type: string
      role:
        type: integer

  UserCreate:
    type: object
    properties:
      username:
        type: string
        example: user@organization.com
      name:
        type: string
      password:
        type: string
      role:
        type: integer
      groups:
        type: array
        items:
          type: object
          properties:
            id:
              type: string
            name:
              type: string

  # User is the response model of GET /api/users and GET /api/users/{id};
  # note that it declares password and apiToken among its properties.
  User:
    type: object
    properties:
      username:
        type: string
      name:
        type: string
      password:
        type: string
      email:
        type: string
      role:
        type: integer
      apiToken:
        type: string
      createdTime:
        type: string
      integrated:
        type: boolean
      groups:
        type: array
        items:
          type: object
          properties:
            id:
              type: string
            name:
              type: string

  Group:
    type: object
    properties:
      name:
        type: string
      description:
        type: string
      members:
        type: array
        items:
          type: object
          properties:
            id:
              type: string
            username:
              type: string

  UserGroupCreate:
    type: object
    properties:
      name:
        type: string
      description:
        type: string

  JiraConfig:
    type: object
    properties:
      jiraServer:
        type: string
      authType:
        type: string
      username:
        type: string
      password:
        type: string

  ALMTriggerConfig:
    type: object
    properties:
      name:
        type: string
      description:
        type: string
      projectName:
        type: string
      itemType:
        type: string
      condition:
        type: object
        properties:
          totalCount:
            type: boolean
          totalCountTrigger:
            type: integer
          highRiskCount:
            type: boolean
          highRiskCountTrigger:
            type: integer
          mediumRiskCount:
            type: boolean
          mediumRiskCountTrigger:
            type: integer
          lowRiskCount:
            type: boolean
          lowRiskCountTrigger:
            type: integer
          vulnTypeFound:
            type: boolean
          vulnTypeTrigger:
            type: integer

  TfsConfig:
    type: object
    properties:
      serverUrl:
        type: string
      accessToken:
        type: string

  Success:
    type: object
    properties:
      success:
        type: boolean
        example: true
      message:
        type: string
      result:
        type: object

  Error:
    type: object
    properties:
      success:
        type: boolean
        example: false
      message:
        type: string
      result:
        type: string
        example: error

  AppCreateSuccess:
    type: object
    properties:
      success:
        type: boolean
        example: true
      message:
        type: string
      result:
        type: object
        properties:
          id:
            type: string
          name:
            type: string
```
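The Scan model above nests findings two levels deep (per language, then per vulnerability type) and the ALMTriggerConfig model only lists threshold fields. The following Python is an added example, not vendor code: it walks a constructed Scan object shaped like the definition, tallies findings per risk level while skipping those marked `falsepositive`, and checks the tallies against an ALMTriggerConfig condition. The rule that a trigger fires when any enabled counter reaches its `*Trigger` threshold is an assumption made for this example; the spec does not define the evaluation semantics.

```python
"""Tally findings in a SAST Scan object and evaluate an ALMTriggerConfig condition.

Added example only. Field names follow the Scan and ALMTriggerConfig
definitions in the spec; the "any enabled condition at or above its threshold
fires" rule and the exclusion of false positives are assumptions made here.
"""
from collections import Counter

# Constructed sample shaped like definitions/Scan (a summary=false response).
SAMPLE_SCAN = {
    "id": "42",
    "name": "Project scan",
    "status": "Finished",
    "results": [
        {
            "language": "Java",
            "results": [
                {
                    "type": {"id": 0, "name": "SQL Injection", "risk": "High"},
                    "count": 2,
                    "vulnerabilities": [
                        {"id": "v1", "risk": "High", "falsepositive": False,
                         "sinkFile": "Dao.java", "inputSource": "request.getParameter"},
                        {"id": "v2", "risk": "High", "falsepositive": True,
                         "sinkFile": "Dao.java", "inputSource": "request.getParameter"},
                    ],
                },
                {
                    "type": {"id": 7, "name": "Path Traversal", "risk": "Medium"},
                    "count": 1,
                    "vulnerabilities": [
                        {"id": "v3", "risk": "Medium", "falsepositive": False,
                         "sinkFile": "Files.java", "inputSource": "request.getParameter"},
                    ],
                },
            ],
        }
    ],
}

# Constructed sample shaped like definitions/ALMTriggerConfig.
SAMPLE_TRIGGER = {
    "name": "High findings to Jira",
    "projectName": "SEC",
    "itemType": "Bug",
    "condition": {
        "totalCount": False, "totalCountTrigger": 0,
        "highRiskCount": True, "highRiskCountTrigger": 1,
        "mediumRiskCount": False, "mediumRiskCountTrigger": 0,
        "lowRiskCount": False, "lowRiskCountTrigger": 0,
        "vulnTypeFound": True, "vulnTypeTrigger": 7,
    },
}


def tally_scan(scan, include_false_positives=False):
    """Return (Counter of risk level -> findings, set of vulnerability type ids).

    Walks scan.results[].results[].vulnerabilities[] instead of trusting the
    per-type `count`, so findings marked falsepositive can be left out.
    """
    risk_counts = Counter()
    type_ids = set()
    for lang_block in scan.get("results", []):
        for type_block in lang_block.get("results", []):
            for vuln in type_block.get("vulnerabilities", []):
                if vuln.get("falsepositive") and not include_false_positives:
                    continue
                # A finding's own risk may have been overridden via the
                # POST /api/scans/{id} action; fall back to the type's risk.
                risk_counts[vuln.get("risk") or type_block["type"].get("risk")] += 1
                type_ids.add(type_block["type"]["id"])
    return risk_counts, type_ids


def trigger_fires(scan, trigger_config):
    """Assumed semantics: fire if any enabled condition reaches its threshold."""
    cond = trigger_config["condition"]
    risk_counts, type_ids = tally_scan(scan)
    total = sum(risk_counts.values())
    checks = [
        (cond.get("totalCount"), total >= cond.get("totalCountTrigger", 0)),
        (cond.get("highRiskCount"), risk_counts["High"] >= cond.get("highRiskCountTrigger", 0)),
        (cond.get("mediumRiskCount"), risk_counts["Medium"] >= cond.get("mediumRiskCountTrigger", 0)),
        (cond.get("lowRiskCount"), risk_counts["Low"] >= cond.get("lowRiskCountTrigger", 0)),
        (cond.get("vulnTypeFound"), cond.get("vulnTypeTrigger") in type_ids),
    ]
    return any(enabled and met for enabled, met in checks)
```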