Alerts API

Overview

This resource represents alerts. The Mend application uses alerts to notify users of security vulnerabilities, licensing and compatibility issues, or policy violations in their open-source code. Alerts can apply to a whole organization, a specific product, or a specific project.

Alerts can have one of three statuses:

  • Active - Alerts that are in active state appear in the dashboards. This is the default status.

  • Ignored - Alerts marked as ignored will not appear in dashboards. You can reactivate ignored alerts, whereby they will revert to active state and be restored in the application and re-appear in dashboards and s.

  • Resolved - Alerts that are no longer relevant will have the resolved status.

This topic showcases the API requests and responses for:

  • Getting all alerts for an organization, product, or project

  • Getting all alerts of a certain type for an organization, product, or project

  • Getting all alerts by project tag (key & value) for an organization

  • Getting ignored alerts for an organization, product, or project

  • Ignoring alerts for an organization, product, or project

  • Setting the of alerts for an organization, product, or project

Alert Types

Alerts can be of the following types:

Alert Type | Description
NEW_MAJOR_VERSION | A new major version has been released for a library in the inventory.
NEW_MINOR_VERSION | A new minor version has been released for a library in the inventory.
SECURITY_VULNERABILITY | A security vulnerability was detected for a library in the inventory.
REJECTED_BY_POLICY_RESOURCE | A library that violates a policy is being used.
MULTIPLE_LIBRARY_VERSIONS | Multiple versions of the same library are being used.
HIGH_SEVERITY_BUG | A high-severity bug was detected for a library.
MULTIPLE_LICENSES | More than one license was identified for a library.
REJECTED_DEFACTO_RESOURCE | A library is being used even though it was rejected.

Vulnerability-Based Alerting

When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):

  1. The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library.

  2. A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.

  3. Some additional fields are included in the responses for all scopes: Modified Date, Alert and Comment. These fields are not included when Library-based Alerting mode is enabled.

Security Vulnerability Object

Security alerts contain the Vulnerability object:

"vulnerability": {
    "name": "vulnerability_name",
    "type": "vulnerability_type",
    "severity": "vulnerability_severity",
    "score": cvss_2_vulnerability_score,
    "cvss3_severity": "cvss_3_score_severity",
    "cvss3_score": cvss_3_vulnerability_score,
    "publishDate": "vulnerability_publish_date",
    "scoreMetadataVector": "cvss_3_metadata_vector",
    "url": "URL_of_vulnerability",
    "description": "vulnerability_description",
    "topFix": {
        "vulnerability": "vulnerability_fix_name",
        "type": "vulnerability_fix_type",
        "origin": "origin_of_fix",
        "url": "URL_of_fix",
        "fixResolution": "fix_resolution",
        "date": "date_of_fix",
        "message": "summary_of_fix",
        "extraData": "additional_data_on_fix"
    },
    "allFixes": [{
        "vulnerability": "vulnerability_fix_name",
        "type": "vulnerability_fix_type",
        "origin": "origin_of_fix",
        "url": "URL_of_fix",
        "fixResolution": "fix_resolution",
        "date": "date_of_fix",
        "message": "details_on_fix",
        "extraData": "additional_data"
    }]
}

Note: The topFix and allFixes objects are only displayed when a fix is available for the specific vulnerability.

The Vulnerability object has the following parameters:

Parameter | Value
name | ID in the vulnerability DB (CVE or WS)
type | CVE or WS
severity | Severity of the CVSS 2 vulnerability (low, medium, high)
score | CVSS 2 base score [0.0 - 10.0]
cvss3_severity | CVSS 3 score severity: 0-3.9 = Low; 4-6.9 = Medium; 7-10 = High
cvss3_score | CVSS 3 base score [0.0 - 10.0]
scoreMetadataVector | See specification link
publishDate | Original release date
url | URL of the CVE
description | Short description of the security vulnerability
topFix | Top recommended fix (when available)
allFixes | List of all fixes (when available)
extraData | Package-level fix information. It is included in topFix and allFixes when the parameter "excludeExtraData": false is set in any of the API calls below. The default value is true; setting it to false is recommended only at the project level, because the response then contains large datasets.
fixResolutionText | The actual resolution text to display for the given fix
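The parameter table above leaves two things for the API consumer to handle: the CVSS 3 severity buckets, and the fact that topFix, allFixes and extraData are optional, with extraData arriving either as a JSON-encoded string (as in the Get Alerts by Type - Product response further down) or as a plain key=value string. The following parser is an added example written for this page, not Mend's own client code; the dataclass and function names are its own, and the sample object is constructed from the CVE-2016-3674 values shown in the Get Alerts - Project response, with a constructed extraData payload.

```python
import json
from dataclasses import dataclass, field
from typing import Optional


def cvss3_severity(score: float) -> str:
    """Map a CVSS 3 base score to the buckets in the parameter table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS 3 score out of range: {score}")
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


@dataclass
class Fix:
    fix_type: str
    origin: str
    url: str
    fix_resolution: str
    message: str
    package_level_fix: list = field(default_factory=list)  # decoded from extraData, if JSON


@dataclass
class Vulnerability:
    name: str
    vuln_type: str
    cvss2_score: float
    cvss3_score: Optional[float]
    cvss3_severity: Optional[str]
    vector: Optional[str]
    top_fix: Optional[Fix]
    all_fixes: list
    exploit_code_maturity: Optional[str]
    epss_percentage: Optional[float]


def parse_fix(raw: dict) -> Fix:
    """extraData may be a JSON-encoded string (packageLevelFix) or an opaque string
    such as "key=1041707"; only decode it when it looks like JSON, and never fail on it."""
    package_fixes = []
    extra = raw.get("extraData")
    if isinstance(extra, str) and extra.lstrip().startswith("{"):
        try:
            package_fixes = json.loads(extra).get("packageLevelFix", [])
        except (json.JSONDecodeError, AttributeError):
            package_fixes = []
    return Fix(
        fix_type=raw.get("type", ""),
        origin=raw.get("origin", ""),
        url=raw.get("url", ""),
        fix_resolution=raw.get("fixResolution", ""),
        message=raw.get("message", ""),
        package_level_fix=package_fixes,
    )


def parse_vulnerability(raw: dict) -> Vulnerability:
    """Parse one Vulnerability object; every field except name/type/score is optional."""
    score3 = raw.get("cvss3_score")
    threat = raw.get("threatAssessment") or {}
    top = raw.get("topFix")
    return Vulnerability(
        name=raw["name"],
        vuln_type=raw["type"],
        cvss2_score=float(raw["score"]),
        cvss3_score=float(score3) if score3 is not None else None,
        # Prefer the severity the API reports; derive it from the score only when absent.
        cvss3_severity=raw.get("cvss3_severity")
        or (cvss3_severity(float(score3)) if score3 is not None else None),
        vector=raw.get("scoreMetadataVector"),
        top_fix=parse_fix(top) if top else None,
        all_fixes=[parse_fix(f) for f in raw.get("allFixes", [])],
        exploit_code_maturity=threat.get("exploitCodeMaturity"),
        epss_percentage=threat.get("epssPercentage"),
    )


# Constructed sample: values from the CVE-2016-3674 example on this page, plus a
# constructed extraData string in the packageLevelFix shape shown further down.
SAMPLE_VULNERABILITY = {
    "name": "CVE-2016-3674", "type": "CVE", "severity": "medium", "score": 5.0,
    "cvss3_severity": "high", "cvss3_score": 7.5,
    "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "topFix": {
        "vulnerability": "CVE-2016-3674", "type": "UPGRADE_VERSION",
        "origin": "WHITESOURCE_EXPERT", "fixResolution": "1.4.9", "message": "Upgrade to version",
        "extraData": json.dumps({"packageLevelFix": [
            {"cveIdentifier": "CVE-2016-3674", "packageName": "example-group:example-artifact",
             "minFixVersion": "1.4.9"}]}),
    },
    "allFixes": [{"vulnerability": "CVE-2016-3674", "type": "UPGRADE_VERSION",
                  "origin": "SECURITY_TRACKER", "extraData": "key=1036419"}],
    "threatAssessment": {"exploitCodeMaturity": "NOT_DEFINED", "epssPercentage": 0.2},
}
```

Because the page's own examples show both extraData forms, the parser treats a non-JSON extraData as opaque rather than raising; a consumer that crashed on "key=1041707" would silently drop the whole alert batch.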

Vulnerability-Based Security Alerts

For details of API requests to generate reports of all security alerts detailed by vulnerability (in the scope of organization, product, or project), see Security Alerts by Vulnerability Report.

For details of API requests to generate reports of all vulnerability-based alerts that are associated with a specific library (in the scope of organization, product, or project), see Get Security Alerts by Library Report.

Get Alerts

Get Alerts - Organization

Get all alerts for a specific organization.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the alerts in an organization. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
orgToken | API key which is a unique identifier of the organization. | string | Yes

Request Example

{
    "requestType": "getOrganizationAlerts",
    "userKey": "user_key",
    "orgToken": "organization_api_key"
}

Response Example

The response is a JSON collection of all the alerts in the organization with their details. For example:

{
    "alerts": [
        {
            "type": "REJECTED_BY_POLICY_RESOURCE",
            "level": "MAJOR",
            "library": {
                "keyUuid": "3c0f701b-1315-43ed-b94b-a14447f46a4a",
                "keyId": 36637701,
                "filename": "ini-1.3.5.tgz",
                "type": "javascript/Node.js",
                "languages": "javascript/Node.js",
                "description": "An ini encoder/decoder for node",
                "references": {
                    "url": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
                    "homePage": "https://github.com/isaacs/ini#readme",
                    "genericPackageIndex": "https://www.npmjs.org/package/ini"
                },
                "sha1": "eee25f56db1c9ec6085e0c22778083f596abf927",
                "name": "ini",
                "artifactId": "ini-1.3.5.tgz",
                "version": "1.3.5",
                "groupId": "ini",
                "licenses": [
                    {
                        "name": "ISC",
                        "spdxName": "ISC",
                        "url": "http://www.opensource.org/licenses/ISC",
                        "profileInfo": {
                            "copyrightRiskScore": "THREE",
                            "patentRiskScore": "THREE",
                            "copyleft": "NO",
                            "linking": "NON_VIRAL",
                            "royaltyFree": "NO"
                        },
                       ...........

Get Alerts - Product

Get all alerts for a specific product.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the alerts for a product. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
productToken | Unique identifier of the product. | string | Yes

Request Example

{
    "requestType" : "getProductAlerts",
    "userKey": "user_key",
    "productToken" : "product_token"
}

Response Example

The response is a JSON collection of all the alerts in the product with their details. For example:

{
    "alerts": [
        {
            "type": "REJECTED_BY_POLICY_RESOURCE",
            "level": "MAJOR",
            "library": {
                "keyUuid": "c147bc0a-41f9-4867-b056-b4fc8a7dbac4",
                "keyId": 66142625,
                "filename": "Pillow-5.2.0.tar.gz",
                "type": "Python",
                "languages": "Python",
                "description": "Python Imaging Library (Fork)",
                "references": {
                    "url": "https://files.pythonhosted.org/packages/d3/c4/b45b9c0d549f482dd072055e2d3ced88f3b977f7b87c7a990228b20e7da1/Pillow-5.2.0.tar.gz",
                    "homePage": "https://python-pillow.org",
                    "genericPackageIndex": "https://pypi.python.org/pypi/Pillow/5.2.0"
                },
                "sha1": "7d0f97e23425418f2e4c9ee51fc3bcb9ee71ec60",
                "name": "Pillow",
                "artifactId": "Pillow-5.2.0.tar.gz",
                "version": "5.2.0",
                "groupId": "Pillow",
                "licenses": [
                    {
                        "name": "PIL Software License",
                        "url": "http://www.pythonware.com/products/pil/license.htm",
                        "references": [
                            {
                                "referenceType": "Project home page",
                                "reference": "https://github.com/python-pillow/Pillow/blob/master/LICENSE"
                            }
                        ]
                    }
                ]
             ...........                       

Get Alerts - Project

Get all alerts for a specific project.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the alerts for a project. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
projectToken | Unique identifier of the project. | string | Yes
reachability | Provides details about reachability for projects that include reachability information. | |

Request Example

{
    "requestType" : "getProjectAlerts",
    "userKey": "user_key",
    "projectToken" : "project_token",
    "reachability" : "false"
}

Response Example

The response is a JSON collection of all the alerts in the project with their details. For example:

{
    "alerts":
    [
        {
            "vulnerability":
            {
                "name": "CVE-2016-3674",
                "type": "CVE",
                "severity": "medium",
                "score": 5.0,
                "cvss3_severity": "high",
                "cvss3_score": 7.5,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "publishDate": "2016-05-17",
                "lastUpdated": "2018-03-26",
                "url": "https://www.mend.io/vulnerability-database/CVE-2016-3674",
                "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.",
                "topFix":
                {
                    "vulnerability": "CVE-2016-3674",
                    "type": "UPGRADE_VERSION",
                    "origin": "WHITESOURCE_EXPERT",
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674",
                    "fixResolution": "1.4.9",
                    "date": "2016-05-17",
                    "message": "Upgrade to version"
                },
                "allFixes":
                [
                    {
                        "vulnerability": "CVE-2016-3674",
                        "type": "UPGRADE_VERSION",
                        "origin": "WHITESOURCE_EXPERT",
                        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674",
                        "fixResolution": "1.4.9",
                        "date": "2016-05-17",
                        "message": "Upgrade to version"
                    },
                    {
                        "vulnerability": "CVE-2016-3674",
                        "type": "UPGRADE_VERSION",
                        "origin": "SECURITY_TRACKER",
                        "url": "http://www.securitytracker.com/id/1036419",
                        "fixResolution": "IBM has issued a fix (8.53 FP6 Interim Fix 14, 9.01 FP6 Interim Fix 2).\n\nThe IBM advisory is available at:\n\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21985960",
                        "message": "IBM Lotus Domino XML External Entity Processing Flaw in XStream Lets Remote Users Obtain Potentially Sensitive Information"
                    }
                ],
                "fixResolutionText": "Upgrade to version 1.4.9",
                "threatAssessment":
                {
                    "exploitCodeMaturity": "NOT_DEFINED",
                    "epssPercentage": 0.2
                },
                "references":
                []
            },
...........
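The alert collections returned by the three Get Alerts requests mix alert types, and the security ones carry the threatAssessment block (exploitCodeMaturity, epssPercentage) seen in the project response above. The following triage helper is an added example, not part of Mend's documentation or tooling: it counts alerts by type and level, then orders the SECURITY_VULNERABILITY alerts so that evidence of exploitation outranks raw CVSS score. The sample response is constructed from vulnerability values on this page (CVE-2016-3674, CVE-2020-28168, the ini policy alert); the library name and version attached to CVE-2016-3674 and the EPSS threshold are assumptions.

```python
from collections import Counter

# Constructed sample response in the shape of the alert objects on this page.
SAMPLE_RESPONSE = {
    "alerts": [
        {
            "type": "SECURITY_VULNERABILITY", "level": "MAJOR",
            "vulnerability": {
                "name": "CVE-2016-3674", "type": "CVE", "score": 5.0, "cvss3_score": 7.5,
                "fixResolutionText": "Upgrade to version 1.4.9",
                "threatAssessment": {"exploitCodeMaturity": "NOT_DEFINED", "epssPercentage": 0.2},
            },
            # library is constructed; the page's example does not show it for this CVE
            "library": {"name": "example-xml-lib", "version": "1.4.8"},
        },
        {
            "type": "SECURITY_VULNERABILITY", "level": "MAJOR",
            "vulnerability": {
                "name": "CVE-2020-28168", "type": "CVE", "score": 4.3, "cvss3_score": 5.9,
                "allFixes": [],
                "threatAssessment": {"exploitCodeMaturity": "POC_CODE", "epssPercentage": 0.23},
            },
            "library": {"name": "axios", "version": "0.19.2"},
        },
        {
            "type": "REJECTED_BY_POLICY_RESOURCE", "level": "MAJOR",
            "library": {"name": "ini", "version": "1.3.5"},
        },
    ]
}


def summarize_alerts(response: dict) -> Counter:
    """Count alerts by (type, level): the first view to take of a scope with many alerts."""
    return Counter((a.get("type"), a.get("level")) for a in response.get("alerts", []))


def _priority_key(alert: dict, epss_threshold: float):
    """Sort key: exploitation evidence first, then EPSS, then CVSS (3 if present, else 2)."""
    vuln = alert["vulnerability"]
    threat = vuln.get("threatAssessment") or {}
    maturity = threat.get("exploitCodeMaturity") or "NOT_DEFINED"
    epss = float(threat.get("epssPercentage") or 0.0)
    score = vuln.get("cvss3_score")
    if score is None:
        score = vuln.get("score", 0.0)  # e.g. the CVE-2010-2076 example carries only CVSS 2
    return (maturity != "NOT_DEFINED" or epss >= epss_threshold, epss, float(score))


def prioritize_security_alerts(response: dict, epss_threshold: float = 0.3) -> list:
    """Return SECURITY_VULNERABILITY alerts as compact report rows, most urgent first.
    epss_threshold is an assumed tunable, not a value the API defines."""
    security = [
        a for a in response.get("alerts", [])
        if a.get("type") == "SECURITY_VULNERABILITY" and "vulnerability" in a
    ]
    ordered = sorted(security, key=lambda a: _priority_key(a, epss_threshold), reverse=True)
    rows = []
    for alert in ordered:
        vuln = alert["vulnerability"]
        lib = alert.get("library") or {}
        threat = vuln.get("threatAssessment") or {}
        fix = (vuln.get("fixResolutionText")
               or (vuln.get("topFix") or {}).get("fixResolution")
               or "no fix listed")
        rows.append({
            "vulnerability": vuln["name"],
            "library": f"{lib.get('name')}:{lib.get('version')}",
            "exploitCodeMaturity": threat.get("exploitCodeMaturity") or "NOT_DEFINED",
            "epss": threat.get("epssPercentage"),
            "fix": fix,
        })
    return rows


if __name__ == "__main__":
    for (alert_type, level), count in sorted(summarize_alerts(SAMPLE_RESPONSE).items()):
        print(f"{alert_type:30} {level:8} {count}")
    for row in prioritize_security_alerts(SAMPLE_RESPONSE):
        print(row)
```

With the sample, CVE-2020-28168 (CVSS 3 5.9, but POC_CODE) ranks above CVE-2016-3674 (CVSS 3 7.5, NOT_DEFINED); the "no fix listed" row is the one to escalate, since the page's example for that CVE has an empty allFixes and no topFix.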

Get Alerts by Project Tag

Project tags are key-value pairs that provide additional metadata for projects, enabling users to label and search for their products or projects according to predefined categories (such as development or production).

This API request allows you to get alerts in your project that have a specific tag or label.

Important Notes about this API

When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):

  1. The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library.

  2. A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.

  3. Some additional fields are included in the responses for all scopes: Modified Date, Alert and Comment. These fields are not included when Library-based Alerting mode is enabled.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all alerts in the organization that have a specific project tag. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
orgToken | API key which is a unique identifier of the organization. | string | Yes
tagKey | Label that describes the tag. | string | Yes
tagValue | Value assigned to the tag. | string | Yes

Request Example

{
    "requestType": "getAlertsByProjectTag",
    "orgToken": "organization_api_key",
    "userKey": "user_key",
    "tagKey": "status",
    "tagValue": "production"
}

Response Example

The response is a JSON collection of all the alerts in the organization with the specified project tag. For example:

{
    "apiAlertInfo": [
        {
            "vulnerability": {
                "name": "CVE-2020-10673",
                "type": "CVE",
                "severity": "medium",
                "score": 6.8,
                "cvss3_severity": "high",
                "cvss3_score": 8.8,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "publishDate": "2020-03-18",
                "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-10673",
                "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).",
                "topFix": {
                    "vulnerability": "CVE-2020-10673",
                    "type": "UPGRADE_VERSION",
                    "origin": "mend_EXPERT",
                    "url": "https://github.com/FasterXML/jackson-databind/issues/2660",
                    "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.9.10.4",
                    "date": "2020-03-18",
                    "message": "Upgrade to version"
                },
                "allFixes": [
                    {
                        "vulnerability": "CVE-2020-10673",
                        "type": "UPGRADE_VERSION",
                        "origin": "mend_EXPERT",
                        "url": "https://github.com/FasterXML/jackson-databind/issues/2660",
                        "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.9.10.4",
                        "date": "2020-03-18",
                        "message": "Upgrade to version"
                    },
                    
                                ]
            ........      

Get Ignored Alerts

Get a list of ignored alerts per scope (organization, product, or project).

Important Notes about this API

When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):

  1. The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library.

  2. A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.

  3. Some additional fields are included in the responses for all scopes: Modified Date, Alert and Comment. These fields are not included when Library-based Alerting mode is enabled.

Get Ignored Alerts - Organization

Get all ignored alerts for a specific organization.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the ignored alerts in an organization. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
orgToken | API key which is a unique identifier of the organization. | string | Yes

Request Example

{
    "requestType" : "getOrganizationIgnoredAlerts",
    "userKey":"user_key",
    "orgToken":"organization_api_key" 
}

Response Example

The response is a JSON collection of the ignored alerts in the organization with their details. For example:

{
    "alerts": [
        {
            "vulnerability": {
                "name": "WS-2019-0379",
                "type": "WS",
                "severity": "medium",
                "score": 6.5,
                "cvss3_severity": "medium",
                "cvss3_score": 6.5,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "publishDate": "2019-05-20",
                "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
                "description": "Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.",
                "topFix": {
                    "vulnerability": "WS-2019-0379",
                    "type": "UPGRADE_VERSION",
                    "origin": "mend_EXPERT",
                    "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
                    "fixResolution": "1.13-RC1",
                    "date": "2019-05-12",
                    "message": "Upgrade to version"
                },
                "allFixes": [],
                "fixResolutionText": "Upgrade to version 1.13-RC1",
                "references": []
            },
             ...........
                             

Get Ignored Alerts - Product

Get all ignored alerts for a specific product.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the ignored alerts for a product. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
productToken | Unique identifier of the product. | string | Yes

Request Example

{
    "requestType" : "getProductIgnoredAlerts",
    "userKey": "user_key",
    "productToken" : "product_token"
}

Response Example

The response is a JSON collection of the ignored alerts in the product with their details. For example:

{
    "alerts": [
        {
            "vulnerability": {
                "name": "CVE-2018-10237",
                "type": "CVE",
                "severity": "medium",
                "score": 4.3,
                "cvss3_severity": "medium",
                "cvss3_score": 5.9,
                "scoreMetadataVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "publishDate": "2018-04-26",
                "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-10237",
                "description": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.",
                "topFix": {
                    "vulnerability": "CVE-2018-10237",
                    "type": "UPGRADE_VERSION",
                    "origin": "mend_EXPERT",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237",
                    "fixResolution": "24.1.1-jre, 24.1.1-android",
                    "date": "2018-04-26",
                    "message": "Upgrade to version"
                },
                "allFixes": [
                    {
                        "vulnerability": "CVE-2018-10237",
                        "type": "UPGRADE_VERSION",
                        "origin": "mend_EXPERT",
                        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237",
                        "fixResolution": "24.1.1-jre, 24.1.1-android",
                        "date": "2018-04-26",
                        "message": "Upgrade to version"
                    },
                    {
                        "vulnerability": "CVE-2018-10237",
                        "type": "UPGRADE_VERSION",
                        "origin": "SECURITY_TRACKER",
                        "url": "http://www.securitytracker.com/id/1041707",
                        "fixResolution": "Red Hat has issued a fix.\n\nThe Red Hat advisory is available at:\n\nhttps://access.redhat.com/errata/RHSA-2018:2740\nhttps://access.redhat.com/errata/RHSA-2018:2741\nhttps://access.redhat.com/errata/RHSA-2018:2742\nhttps://access.redhat.com/errata/RHSA-2018:2743",
                        "message": "Red Hat JBoss EAP Component Errors Let Remote Users Deny Service and Remote Authenticated Users Gain Potentially Sensitive Information",
                        "extraData": "key=1041707"
                    },
                    ...........                                       

Get Ignored Alerts - Project

Get all ignored alerts for a specific project.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that returns all the ignored alerts for a project. | string | Yes
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes
projectToken | Unique identifier of the project. | string | Yes

Request Example

{
    "requestType" : "getProjectIgnoredAlerts",
    "userKey": "user_key",
    "projectToken" : "project_token"
}

Response Example

The response is a JSON collection of the ignored alerts in the project with their details. For example:

{
    "alerts": [
        {
            "vulnerability": {
                "name": "WS-2019-0379",
                "type": "WS",
                "severity": "medium",
                "score": 6.5,
                "cvss3_severity": "medium",
                "cvss3_score": 6.5,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "publishDate": "2019-05-20",
                "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
                "description": "Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.",
                "topFix": {
                    "vulnerability": "WS-2019-0379",
                    "type": "UPGRADE_VERSION",
                    "origin": "mend_EXPERT",
                    "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
                    "fixResolution": "1.13-RC1",
                    "date": "2019-05-12",
                    "message": "Upgrade to version"
                },
                "allFixes": [],
                "fixResolutionText": "Upgrade to version 1.13-RC1",
                "references": []
            },
            "type": "SECURITY_VULNERABILITY",
            "level": "MAJOR",
            "library": {
                "keyUuid": "83cf3655-de66-411b-ba19-fdf2d3cc2067",
                "keyId": 111269430,
                "filename": "commons-codec-1.9.jar",
                "type": "Java",
                "description": "The Apache Commons Codec package contains simple encoder and decoders for\n     various formats such as Base64 and Hexadecimal.  In addition to these\n     widely used encoders and decoders, the codec package also maintains a\n     collection of phonetic encoding utilities.",
                "references": {
                    "pomUrl": "https://repo.maven.apache.org/maven2/commons-codec/commons-codec/1.9/commons-codec-1.9.pom"
                },
                ...........

Get Alerts by Type

Get all alerts of a certain type for a given organization, a specific product, or specific project, according to your role permissions.

Important Notes about this API

When Vulnerability-based Alerting is enabled (see Security Alerts: View By Vulnerability):

  1. The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library.

  2. A new parameter sourceFiles is added to the API response when there is a relationship between a CVE and a source file.

  3. Some additional fields are included in the responses for all scopes: Modified Date, Alert and Comment. These fields are not included when Library-based Alerting mode is enabled.

Note: About fromDate and toDate: These parameters are evaluated as “midnight at the start of that date”. Therefore fromDate means from midnight and all of that day, while toDate means until midnight at the start of that day, but not including that day.

Get Alerts by Type - Organization

Get alerts of a certain type for a given organization.

QUERY PARAMETERS

Parameter | Description | Type | Required | Default/Values
requestType | API request type that returns all the alerts in an organization according to the specified alert type. | string | Yes |
orgToken | API key which is a unique identifier of the organization. | string | Yes |
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes |
alertType | The type of alerts. A detailed description of the permitted alert types is provided in Alert Types above. | string | Yes | Permitted alert type values: NEW_MAJOR_VERSION, NEW_MINOR_VERSION, SECURITY_VULNERABILITY, REJECTED_BY_POLICY_RESOURCE, MULTIPLE_LIBRARY_VERSIONS, HIGH_SEVERITY_BUG, MULTIPLE_LICENSES, REJECTED_DEFACTO_RESOURCE
fromDate | The first date in the time period during which the alerts were created or modified, with the start time assumed to be 00:00 at the start of this date. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).
toDate | The last date in the time period during which the alerts were created or modified, with the end time assumed to be 00:00 at the start of this date. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).
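The by-type requests combine three things that are easy to get wrong on the client side: the alertType enumeration, the scope-specific token parameter (orgToken versus productToken) paired with its requestType, and the half-open date window described in the note above (fromDate inclusive from 00:00, toDate exclusive at 00:00). The following request builder is an added example written for this page, not Mend's own client; the endpoint URL is not stated on the page, so API_ENDPOINT is a placeholder read from the environment, and the function names are this example's own. It covers both the organization and product variants documented here.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Assumption: the page does not state the API URL, so it is read from the environment.
API_ENDPOINT = os.environ.get("MEND_API_ENDPOINT", "https://<your-mend-host>/api")

# Permitted alertType values, as listed in the parameter table above.
ALERT_TYPES = (
    "NEW_MAJOR_VERSION", "NEW_MINOR_VERSION", "SECURITY_VULNERABILITY",
    "REJECTED_BY_POLICY_RESOURCE", "MULTIPLE_LIBRARY_VERSIONS", "HIGH_SEVERITY_BUG",
    "MULTIPLE_LICENSES", "REJECTED_DEFACTO_RESOURCE",
)

# scope -> (token parameter name, requestType) for the by-type requests documented here.
SCOPES = {
    "organization": ("orgToken", "getOrganizationAlertsByType"),
    "product": ("productToken", "getProductAlertsByType"),
}


def parse_api_date(value: str) -> datetime:
    """fromDate/toDate accept 'YYYY-MM-DD' or 'YYYY-MM-DD HH-MM-SS', interpreted as GMT."""
    for fmt in ("%Y-%m-%d %H-%M-%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"date must be YYYY-MM-DD or YYYY-MM-DD HH-MM-SS, got {value!r}")


def in_window(alert_time: datetime, from_date=None, to_date=None) -> bool:
    """The window semantics from the note above: fromDate is inclusive from 00:00 of that
    day, toDate is exclusive (up to 00:00 at the start of that day). Handy for checking
    a returned alert's timestamp against the query that produced it."""
    if from_date is not None and alert_time < parse_api_date(from_date):
        return False
    if to_date is not None and alert_time >= parse_api_date(to_date):
        return False
    return True


def alerts_by_type_request(scope, user_key, token, alert_type, from_date=None, to_date=None):
    """Build the JSON body, validating inputs locally so a typo does not become a round trip."""
    if scope not in SCOPES:
        raise ValueError(f"unsupported scope {scope!r}; expected one of {sorted(SCOPES)}")
    if alert_type not in ALERT_TYPES:
        raise ValueError(f"unknown alertType {alert_type!r}")
    token_param, request_type = SCOPES[scope]
    body = {"requestType": request_type, "userKey": user_key,
            token_param: token, "alertType": alert_type}
    for name, value in (("fromDate", from_date), ("toDate", to_date)):
        if value is not None:
            parse_api_date(value)  # raises on a malformed date
            body[name] = value
    if from_date is not None and to_date is not None:
        if parse_api_date(from_date) >= parse_api_date(to_date):
            raise ValueError("fromDate must be earlier than toDate")
    return body


def send(body: dict, endpoint: str = API_ENDPOINT, timeout: int = 30) -> dict:
    """POST the body as JSON. userKey and the scope token are credentials: source them
    from the environment or a secret store and keep them out of logs and version control."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = alerts_by_type_request(
        "organization", os.environ.get("MEND_USER_KEY", ""),
        os.environ.get("MEND_ORG_TOKEN", ""), "SECURITY_VULNERABILITY", from_date="2020-09-01")
    # Print the body with credentials masked; call send(body) to actually query.
    print(json.dumps({k: ("***" if k in ("userKey", "orgToken") else v)
                      for k, v in body.items()}, indent=2))
```

The in_window check is the part worth keeping around: an alert stamped 2020-12-31 12:00 GMT is outside a window whose toDate is 2020-12-31, which is exactly the off-by-one-day surprise the note warns about.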

Request Example

{
    "requestType": "getOrganizationAlertsByType",
    "userKey": "user_key",
    "alertType": "alert_type",
    "orgToken": "organization_api_key",
    "fromDate": "2020-09-01"
}

Response Example

A JSON collection listing the alerts of the specified type that were generated in the specified scope (organization, product, or project) and within the specified date range:

{
    "alerts": [
        {
            "vulnerability": {
                "name": "CVE-2020-28168",
                "type": "CVE",
                "severity": "medium",
                "score": 4.3,
                "cvss3_severity": "medium",
                "cvss3_score": 5.9,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "publishDate": "2020-11-06",
                "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-28168",
                "description": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.",
                "allFixes": [],
                "threatAssessment": {
                    "exploitCodeMaturity": "POC_CODE",
                    "epssPercentage": 0.23
                  },
                "references": []
            },
            "type": "SECURITY_VULNERABILITY",
            "level": "MAJOR",
            "library": {
                "keyUuid": "811031a9-bfee-44c0-bd1f-1aec280d4bed",
                "keyId": 100088875,
                "filename": "axios-0.19.2.tgz",
                "type": "javascript/Node.js",
                "languages": "javascript/Node.js",
                "description": "Promise based HTTP client for the browser and node.js",
                "references": {
                    "url": "https://registry.npmjs.org/axios/-/axios-0.19.2.tgz",
                    "homePage": "https://github.com/axios/axios",
                    "genericPackageIndex": "https://www.npmjs.org/package/axios"
                },
                "sha1": "3ea36c5d8818d0d5f8a8a97a6d36b86cdc00cb27",
                "name": "axios",
                "artifactId": "axios-0.19.2.tgz",
                "version": "0.19.2",
                "groupId": "axios",
                "licenses": [
                    {
                        "name": "MIT",
                        "spdxName": "MIT",
                        "url": "http://www.opensource.org/licenses/MIT",
                        "profileInfo": {
                            "copyrightRiskScore": "THREE",
                            "patentRiskScore": "ONE",
                            "copyleft": "NO",
                            "royaltyFree": "YES"
                        },           

Get Alerts by Type - Product

Get alerts of a certain type for a given product.

QUERY PARAMETERS

Parameter | Description | Type | Required | Default/Values
requestType | API request type that returns all the alerts generated for a product according to the specified alert type. | string | Yes |
productToken | Unique identifier of the product. | string | Yes |
userKey | The ID of the user's profile, which uniquely identifies the user in Mend. | string | Yes |
alertType | The type of alert. For a detailed description, see Alert Types. | string | Yes | Permitted alert type values: NEW_MAJOR_VERSION, NEW_MINOR_VERSION, SECURITY_VULNERABILITY, REJECTED_BY_POLICY_RESOURCE, MULTIPLE_LIBRARY_VERSIONS, HIGH_SEVERITY_BUG, MULTIPLE_LICENSES, REJECTED_DEFACTO_RESOURCE
fromDate | The first date in the time period during which the alerts were created or modified, with the start time assumed to be 00:00 at the start of this date. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).
toDate | The last date in the time period during which the alerts were created or modified, with the end time assumed to be 00:00 at the start of this date. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).

Request Example (SECURITY_VULNERABILITY is used here as one example of alertType)

{
    "requestType": "getProductAlertsByType",
    "userKey": "user_key",
    "alertType": "SECURITY_VULNERABILITY",
    "productToken": "product_token",
    "fromDate": "2010-09-01",
    "toDate": "2021-12-31"
}

Response Example

{
    "alerts": [
        {
            "vulnerability": {
                "name": "CVE-2010-2076",
                "type": "CVE",
                "severity": "high",
                "score": 7.5,
                "publishDate": "2010-08-19",
                "url": "https://vuln.whitesourcesoftware.com/vulnerability/CVE-2010-2076",
                "description": "Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.",
                "topFix": {
                    "vulnerability": "CVE-2010-2076",
                    "type": "UPGRADE_VERSION",
                    "origin": "mend_EXPERT",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2076",
                    "fixResolution": "2.0.13,2.1.10,2.2.9",
                    "date": "2010-08-19",
                    "message": "Upgrade to version",
                    "extraData":"{\"packageLevelFix\":[{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2.1 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"}]}"
                },
                "allFixes": [
                    {
                        "vulnerability": "CVE-2010-2076",
                        "type": "UPGRADE_VERSION",
                        "origin": "mend_EXPERT",
                        "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2076",
                        "fixResolution": "2.0.13,2.1.10,2.2.9",
                        "date": "2010-08-19",
                        "message": "Upgrade to version",
                        "extraData":"{\"packageLevelFix\":[{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9)\",\"affectedRange\":\">=2.1.1 <2.1.10\",\"minFixVersion\":\"2.1.10\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-common-utilities\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.6-fuse-01-01, 2.2.7, 2.2.8)\",\"affectedRange\":\">=2.2.1 <2.2.9\",\"minFixVersion\":\"2.2.9\"},{\"cveIdentifier\":\"CVE-2010-2076\",\"packageName\":\"org.apache.cxf:cxf-rt-bindings-soap\",\"packageType\":\"JAVA\",\"affectedVersions\":\"(2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)\",\"affectedRange\":\">=2.0.6 <2.0.13\",\"minFixVersion\":\"2.0.13\"}]}"
                    }
                ],
                "fixResolutionText": "Upgrade to version 2.0.13,2.1.10,2.2.9",
                "threatAssessment": {
                    "exploitCodeMaturity": "HIGH",
                    "epssPercentage": 0.87
                },
                "references": []
            },
            "type": "SECURITY_VULNERABILITY",
            "level": "MAJOR",
            "library": {
                "keyUuid": "c0a07bfe-dd9a-4caa-84f8-d99404b13496",
                "keyId": 332377,
                "filename": "cxf-common-utilities-2.2.7.jar",
                "type": "Java",
                "resolvedType": "Java",
                "references": {
                    "url": "http://cxf.apache.org",
                    "issueUrl": "https://issues.apache.org/jira/browse/CXF",
                    "pomUrl": "https://repo.maven.apache.org/maven2/org/apache/cxf/cxf-common-utilities/2.2.7/cxf-common-utilities-2.2.7.pom"
                },
                "sha1": "b378945db083d216a2aff1956c1c3ae968a2adf0",
                "name": "Apache CXF Common Utilities",
                "artifactId": "cxf-common-utilities",
                "version": "2.2.7",
                "groupId": "org.apache.cxf"
            },
            "project": "Demo Data",
            "projectId": 1559006,
            "projectToken": "5715a92ea3d345d29512481363d8f9751b87c8fb50c44c46a44e81e90e7407e6",
            "directDependency": true,
            "description": "High:1",
            "date": "2021-09-05",
            "modifiedDate": "2021-09-05",
            "status": "OPEN",
            "time": 1630800000000,
            "alertUuid": "93de3f9b-fc34-4cab-9e58-916a368fa546"
        }
    ]
}

Get Alerts by Type - Project

Get alerts of a certain type for a given project.

QUERY PARAMETERS

Parameter | Description | Type | Required | Default/Values
requestType | API request type that returns all the alerts generated for a project according to the specified alert type. | string | Yes |
projectToken | Unique identifier of the project. | string | Yes |
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes |
alertType | The type of alert. For a detailed description, see Alert Types. | string | Yes | Permitted alert type values: NEW_MAJOR_VERSION, NEW_MINOR_VERSION, SECURITY_VULNERABILITY, REJECTED_BY_POLICY_RESOURCE, MULTIPLE_LIBRARY_VERSIONS, HIGH_SEVERITY_BUG, MULTIPLE_LICENSES, REJECTED_DEFACTO_RESOURCE
extractFixVersionFromExtraData | Customize the behavior of the extraData field in the API response to extract the vulnerability fix version (minimalFixVersion). true: only the minimalFixVersion information is extracted from the extraData field, and no other data is included in the API response (extraData = null); this option is ideal when you specifically require the minimalFixVersion and wish to exclude any additional information from the response, and it can significantly reduce response size. false: the extraData field and all its content are included in the API response. | boolean | No | false
fromDate | The first date in the time period during which the alerts were created or modified, with the start time assumed to be 00:00 at the start of this date. When fromDate is not specified, the beginning of time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).
toDate | The last date in the time period during which the alerts were created or modified, with the end time assumed to be 00:00 at the start of this date. When toDate is not specified, the current date and time will be assumed. | string | No | Time is GMT. Format is YYYY-MM-DD or YYYY-MM-DD HH-MM-SS (if time is also specified).

Request Example

{
    "requestType": "getProjectAlertsByType",
    "userKey": "user_key",
    "alertType": "alert_type",
    "projectToken": "project_token",
    "fromDate": "2020-09-01",
    "toDate": "2020-12-31"
}

Response Example

{
    "alerts": [
        {
            "vulnerability": {
                "name": "CVE-2022-43441",
                "type": "CVE",
                "severity": "high",
                "score": 9.8,
                "cvss3_severity": "high",
                "cvss3_score": 9.8,
                "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "publishDate": "2023-03-16",
                "lastUpdated": "2023-03-22",
                "url": "https://www.mend.io/vulnerability-database/CVE-2022-43441",
                "description": "A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.",
                "topFix": {
                    "vulnerability": "CVE-2022-43441",
                    "type": "UPGRADE_VERSION",
                    "origin": "WHITESOURCE_EXPERT",
                    "url": "https://github.com/advisories/GHSA-jqv5-7xpx-qj74",
                    "fixResolution": "sqlite3 - 5.1.5",
                    "date": "2023-03-16",
                    "message": "Upgrade to version"
                },
                "allFixes": [],
                "fixResolutionText": "Upgrade to version sqlite3 - 5.1.5",
                "threatAssessment": {
                    "exploitCodeMaturity": "NOT_DEFINED",
                    "epssPercentage": 0.14
                },
                "references": []
            },
            "reachabilityInfo": {
                "reachable": false,
                "analyzed": false
            },
            "type": "SECURITY_VULNERABILITY",
            "level": "MAJOR",
            "library": {
                "keyUuid": "adf241f5-f55d-4a6e-aa82-11039352783c",
                "keyId": 246075373,
                "filename": "sqlite3-5.1.4.tgz",
                "type": "javascript/Node.js",
                "resolvedType": "javascript/Node.js",
                "languages": "javascript/Node.js",
                "description": "",
                "references": {
                    "url": "https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.4.tgz",
                    "homePage": "https://github.com/TryGhost/node-sqlite3",
                    "genericPackageIndex": "https://www.npmjs.org/package/sqlite3"
                },
                "sha1": "35f83d368963168b324ad2f0fffce09f3b8723a7",
                "name": "sqlite3",
                "artifactId": "sqlite3-5.1.4.tgz",
                "version": "5.1.4",
                "groupId": "sqlite3"
            },
            "project": "Demo Data",
            "projectId": 1559006,
            "projectToken": "5715a92ea3d345d29512481363d8f9751b87c8fb50c44c46a44e81e90e7407e6",
            "directDependency": true,
            "description": "High:1",
            "date": "2023-03-28",
            "modifiedDate": "2023-03-28",
            "status": "OPEN",
            "time": 1680040418000,
            "alertUuid": "0eb70cb7-7abf-41b7-9712-f5f578daa381"
        }
    ]
}
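The extraData value in the product response earlier is a JSON document serialised into a string, so a client has to decode it a second time to reach the package-level fix data that the extractFixVersionFromExtraData parameter above trims away. The following added Python example (not Mend's own code) does that decoding and returns the minFixVersion entry whose packageName and affectedRange match the alert's own library; the alert is a constructed, trimmed copy of the product response, and the range parser assumes the ">=x <y" form shown there.

```python
import itertools
import json
import operator

# Constructed, trimmed copy of the response above (not a live Mend response). The
# extraData value is a JSON document serialised into a string, as in the real API.
SAMPLE_ALERT = {
    "type": "SECURITY_VULNERABILITY",
    "vulnerability": {"name": "CVE-2010-2076", "topFix": {
        "fixResolution": "2.0.13,2.1.10,2.2.9",
        "extraData": json.dumps({"packageLevelFix": [
            {"packageName": "org.apache.cxf:cxf-rt-bindings-soap",
             "affectedRange": ">=2.1 <2.1.10", "minFixVersion": "2.1.10"},
            {"packageName": "org.apache.cxf:cxf-common-utilities",
             "affectedRange": ">=2.2.1 <2.2.9", "minFixVersion": "2.2.9"},
            {"packageName": "org.apache.cxf:cxf-common-utilities",
             "affectedRange": ">=2.0.6 <2.0.13", "minFixVersion": "2.0.13"},
        ]})}},
    "library": {"groupId": "org.apache.cxf", "artifactId": "cxf-common-utilities",
                "version": "2.2.7"},
}

def parse_version(text):
    """'2.2.7' -> (2, 2, 7); a qualifier such as '-fuse-01-01' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def in_range(version, range_spec):
    """Evaluate a space-separated affectedRange such as '>=2.2.1 <2.2.9'."""
    v = parse_version(version)
    ops = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
    for clause in range_spec.split():
        op = next((o for o in ops if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported range clause: {clause}")
        if not ops[op](v, parse_version(clause[len(op):])):
            return False
    return True

def min_fix_version(alert):
    """Fix version that applies to the alert's own library, or None."""
    lib = alert["library"]
    package = f'{lib["groupId"]}:{lib["artifactId"]}'
    extra = alert["vulnerability"].get("topFix", {}).get("extraData")
    if not extra:  # null when the request set extractFixVersionFromExtraData=true
        return None
    for fix in json.loads(extra).get("packageLevelFix", []):
        if fix["packageName"] == package and in_range(lib["version"], fix["affectedRange"]):
            return fix["minFixVersion"]
    return None
```

For cxf-common-utilities 2.2.7 this yields 2.2.9, which is the one entry of the comma-separated fixResolution that actually applies to the alerted artifact.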

Ignore Alerts

By default, alerts are in an active state and will appear in dashboards. If they are no longer relevant, you can change their status to ignored and they will no longer be displayed.

This API request enables users with the Org Admin role permissions to ignore alerts according to their unique identifier. You can use any alert-related API to get the unique identifier (alertUuid) of a particular alert.

Note: The ignoreAlerts API ignores an individual alert using its unique identifier. Alerts are for a specific occurrence of a vulnerability (CVE or WS) within a project, so if the same vulnerability occurs in multiple projects, each occurrence has a different unique identifier. When using the ignoreAlerts API there is no need to specify the product and project, because the alertUuids identify the alert down to the project level. The ignoreAlerts API can be used to apply a list of CVEs that need to be ignored: once a scan of a new project completes, retrieve the list of alerts using the getProjectAlerts, getProductAlerts, or getOrganizationAlerts API endpoints, review the results against the list of CVEs that need to be ignored, then call the ignoreAlerts API with their specific alertUuids. This is only needed for scans of new projects, not for scans of preexisting projects.

Ignore Alerts - Organization

Change alert status from active to ignored for an organization.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that ignores alerts in an organization. | string | Yes
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes
orgToken | API key which is a unique identifier of the organization. | string | Yes
alertUuids | Unique IDs of the alerts to be ignored. NOTE: The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes
comments | Text comment describing why the alerts should be ignored. | string | Yes

Request Example

{
  "requestType":"ignoreAlerts",
  "orgToken": "organization_api_key",
  "userKey": "user_key",
  "alertUuids": ["22f72c74-c2ea-4ed9-b37f-75d77bc52045","174a332b-7470-436b-82fe-c6e4644362e0"],
  "comments": "alerts not relevant to service"
}

Response Example

{
    "message": "Successfully ignored alerts"
}
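The workflow from the Note above (retrieve a new project's alerts, match them against a list of CVEs that have been approved for ignoring, then call ignoreAlerts with the matching alertUuids), as an added Python example that is not Mend's own code: the alert records are constructed to resemble the response shape shown on this page, and the endpoint URL is a placeholder because the page does not state it.

```python
import json
import urllib.request

# Placeholder: the page does not give the endpoint URL, so substitute your Mend API URL.
MEND_API_URL = "https://<your-mend-host>/api/v1.3"

# Constructed records shaped like the alert objects returned by getProjectAlerts
# (not a live Mend response). Only SECURITY_VULNERABILITY alerts carry "vulnerability".
PROJECT_ALERTS = [
    {"alertUuid": "22f72c74-c2ea-4ed9-b37f-75d77bc52045", "type": "SECURITY_VULNERABILITY",
     "vulnerability": {"name": "CVE-2010-2076"},
     "library": {"filename": "cxf-common-utilities-2.2.7.jar"}},
    {"alertUuid": "174a332b-7470-436b-82fe-c6e4644362e0", "type": "SECURITY_VULNERABILITY",
     "vulnerability": {"name": "CVE-2022-43441"},
     "library": {"filename": "sqlite3-5.1.4.tgz"}},
    {"alertUuid": "0eb70cb7-7abf-41b7-9712-f5f578daa381", "type": "NEW_MAJOR_VERSION",
     "library": {"filename": "cxf-common-utilities-2.2.7.jar"}},
]

def select_alerts_to_ignore(alerts, approved_cves):
    """Return (alertUuids, audit rows) for alerts whose CVE is on the approved list.

    The match is per alert, not per CVE: the same CVE in another project has a
    different alertUuid and has to be looked up in that project's own alert list.
    """
    uuids, audit = [], []
    for alert in alerts:
        if alert.get("type") != "SECURITY_VULNERABILITY":
            continue  # version/license/policy alerts have no "vulnerability" object
        cve = alert["vulnerability"]["name"]
        if cve in approved_cves:
            uuids.append(alert["alertUuid"])
            audit.append((cve, alert["library"]["filename"], alert["alertUuid"]))
    return uuids, audit

def build_ignore_request(org_token, user_key, uuids, comment):
    """Body for ignoreAlerts; no product/project token is needed because each
    alertUuid already identifies the alert down to the project level."""
    if not uuids:
        raise ValueError("no matching alerts; nothing to ignore")
    return {"requestType": "ignoreAlerts", "orgToken": org_token, "userKey": user_key,
            "alertUuids": uuids, "comments": comment}

def post(body):
    """Send the body as JSON (assumed transport; adjust URL and auth for your tenant)."""
    req = urllib.request.Request(MEND_API_URL, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Keep the audit rows (CVE, library file, alertUuid) with the approval record, since the comments field sent to Mend is the only justification that stays attached to the alert.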

Set Alerts Status for an Organization

Alerts can be in Active or Ignored status.

This API request enables users with the Org Admin role to set the status of alert(s) according to their unique identifier.

NOTE: This API can also be used to change the alert's comments.

QUERY PARAMETERS

Parameter | Description | Type | Required
requestType | API request type that sets the alerts status in an organization. | string | Yes
userKey | The ID of the user’s profile, which uniquely identifies the user in Mend. | string | Yes
orgToken | API key which is a unique identifier of the organization. | string | Yes
alertUuids | Unique IDs of the alerts whose status you want to change. NOTE: The alertUuid is unique per CVE and therefore different for all the vulnerabilities related to the same library. | array | Yes
comments | Free text comment describing why the alerts should be changed. | string | No
status | Set the alert(s) to the specified status (Active or Ignored). | string | Yes

Request Example

Change alert status from Ignored to Active for an organization:

{
    "requestType":"setAlertsStatus",
    "orgToken":"organization_api_key",
    "userKey": "user_key",
    "alertUuids": ["alert1_UUID", "alert2_UUID"],
    "comments": "Enter your comment here",
    "status": "Active"
}

Response Example

{
    "message": "Successfully set the alert's status"
}