Mend SAST API (24.9.2.5)

Mend Static Application Security Testing Solution Web API

Mend Support support@mend.io
Server: https://api-docs.mend.io/sast/

Findings


Selectively update multiple findings

Request

Selectively update multiple findings.

Path parameters
  scanId (string, required): ID of the scan in which the findings to update exist

Body (application/json, required): DTO with finding properties to update (unset properties will not be changed)
  findings (array of strings): IDs of findings to modify.
  patchOperation (object, dto.PatchFinding): the property changes applied to every listed finding; the field rules are the same as for "Selectively update a finding" below.

Example request body (application/json):
{
  "findings": ["string"],
  "patchOperation": {
    "customSeverity": "string",
    "reviewed": true,
    "suppressed": true,
    "suppressionReason": "string"
  }
}

Responses

OK

Body (application/json)
  message (string), example: "Operation succeeded"
  result (any)
  success (boolean), example: true

Example response (application/json):
{
  "message": "Operation succeeded",
  "result": null,
  "success": true
}

Get a list of scan findings

Request

Get a list of findings of a scan with an ID.

Path parameters
  scanId (string, required): ID of the scan for which to get findings

No request payload

Responses

OK

Body (application/json): array of findings, each with
  ageRating (number): between 0 and 10
  almIssues (object, dto.FindingAlmIssues)
  appId (string)
  baseline (boolean)
  comments (array of objects, dto.FindingComment)
  confidenceRating (number): between 0 and 10
  createdTime (string)
  dataFlows (array of objects, dto.DataFlowSummary)
  description (string)
  hasRemediation (boolean)
  id (string): uniquely identifies the finding across multiple scans
  isNew (boolean)
  projectId (string)
  rating (number): between 0 and 10
  reviewed (boolean)
  scanId (string): uniquely identifies the scan this finding was loaded from
  severity (string)
  severityRating (number): between 0 and 10
  sharedStep (object, dto.FindingSharedStep)
  snapshotId (string): uniquely identifies the finding within a scan; it is equivalent to the pair of id and scanId
  suppressed (boolean)
  suppressedBy (string)
  suppressionMessage (string): always empty if suppressed is not set
  suppressionTime (string)
  type (object, dto.VulnerabilityType)
  workflowViolations (array of objects, dto.Workflow)
  workflowViolationsCount (integer)

Example response (application/json):
[
  {
    "ageRating": 0,
    "almIssues": {},
    "appId": "string",
    "baseline": true,
    "comments": [],
    "confidenceRating": 0,
    "createdTime": "string",
    "dataFlows": [],
    "description": "string",
    "hasRemediation": true,
    "id": "string",
    "isNew": true,
    "projectId": "string",
    "rating": 0,
    "reviewed": true,
    "scanId": "string",
    "severity": "string",
    "severityRating": 0,
    "sharedStep": {},
    "snapshotId": "string",
    "suppressed": true,
    "suppressedBy": "string",
    "suppressionMessage": "string",
    "suppressionTime": "string",
    "type": {},
    "workflowViolations": [],
    "workflowViolationsCount": 0
  }
]

Selectively update a finding

Request

Selectively update a finding.

Path parameters
  scanId (string, required): ID of the scan in which the finding to update exists
  findingId (string, required): ID of the finding to update

Body (application/json, required): DTO with finding properties to update (unset properties will not be changed)
  customSeverity (string): if set, it has to be either High, Medium or Low. Case insensitive; all values are converted to have the first letter uppercase and the others lowercase, e.g. High.
  reviewed (boolean)
  suppressed (boolean)
  suppressionReason (string): has to be unset or empty if suppressed is not set or if it is false.

Example request body (application/json):
{
  "customSeverity": "string",
  "reviewed": true,
  "suppressed": true,
  "suppressionReason": "string"
}

Responses

OK

Body (application/json)
  message (string), example: "Operation succeeded"
  result (any)
  success (boolean), example: true

Example response (application/json):
{
  "message": "Operation succeeded",
  "result": null,
  "success": true
}

Post a comment under a finding

Request

Post a comment under a finding in a scan.

Path parameters
  scanId (string, required): ID of the scan for which the comment is posted
  findingId (string, required): ID of the finding under which the comment is posted

Body (application/json, required): definition of the comment to post
  body (string)

Example request body (application/json):
{
  "body": "string"
}

Responses

OK

Body (application/json)
  message (string), example: "Operation succeeded"
  result (any)
  success (boolean), example: true

Example response (application/json):
{
  "message": "Operation succeeded",
  "result": null,
  "success": true
}

Get a list of finding data flows

Request

Get a list of data flows of a finding in a scan.

Path parameters
  scanId (string, required): ID of the scan for which to get data flows
  findingId (string, required): ID of the finding for which to get data flows

No request payload

Responses

OK

Body (application/json): array of data flows, each with
  ageRating (number): between 0 and 10
  confidenceRating (number): between 0 and 10
  createdTime (string)
  filter (object, dto.Filter)
  functionCalls (array of objects, dto.CallStackItem)
  id (string)
  inputFlow (array of objects, dto.CallStackItem)
  inputKind (string)
  inputSource (string)
  isNew (boolean)
  rating (number): between 0 and 10
  sink (string)
  sinkFile (string)
  sinkKind (string)
  sinkLine (integer)
  sinkSnippet (string)

Example response (application/json):
[
  {
    "ageRating": 0,
    "confidenceRating": 0,
    "createdTime": "string",
    "filter": {},
    "functionCalls": [],
    "id": "string",
    "inputFlow": [],
    "inputKind": "string",
    "inputSource": "string",
    "isNew": true,
    "rating": 0,
    "sink": "string",
    "sinkFile": "string",
    "sinkKind": "string",
    "sinkLine": 0,
    "sinkSnippet": "string"
  }
]

Find the highest priority findings

Request

Retrieve a list of findings prioritized by rating.

Path parameters
  scanId (string, required): scan ID

Query parameters
  limit (integer): number of findings to return. Has to be positive and can't be greater than 1000.
  engineId (integer): narrow down the search to a single engine

No request payload

Responses

OK

Body (application/json): array of findings, each with
  ageRating (number): between 0 and 10
  almIssues (object, dto.FindingAlmIssues)
  appId (string)
  baseline (boolean)
  comments (array of objects, dto.FindingComment)
  confidenceRating (number): between 0 and 10
  createdTime (string)
  dataFlows (array of objects, dto.DataFlowSummary)
  description (string)
  hasRemediation (boolean)
  id (string): uniquely identifies the finding across multiple scans
  isNew (boolean)
  projectId (string)
  rating (number): between 0 and 10
  reviewed (boolean)
  scanId (string): uniquely identifies the scan this finding was loaded from
  severity (string)
  severityRating (number): between 0 and 10
  sharedStep (object, dto.FindingSharedStep)
  snapshotId (string): uniquely identifies the finding within a scan; it is equivalent to the pair of id and scanId
  suppressed (boolean)
  suppressedBy (string)
  suppressionMessage (string): always empty if suppressed is not set
  suppressionTime (string)
  type (object, dto.VulnerabilityType)
  workflowViolations (array of objects, dto.Workflow)
  workflowViolationsCount (integer)

Example response (application/json):
[
  {
    "ageRating": 0,
    "almIssues": {},
    "appId": "string",
    "baseline": true,
    "comments": [],
    "confidenceRating": 0,
    "createdTime": "string",
    "dataFlows": [],
    "description": "string",
    "hasRemediation": true,
    "id": "string",
    "isNew": true,
    "projectId": "string",
    "rating": 0,
    "reviewed": true,
    "scanId": "string",
    "severity": "string",
    "severityRating": 0,
    "sharedStep": {},
    "snapshotId": "string",
    "suppressed": true,
    "suppressedBy": "string",
    "suppressionMessage": "string",
    "suppressionTime": "string",
    "type": {},
    "workflowViolations": [],
    "workflowViolationsCount": 0
  }
]
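The two update endpoints (single and multiple findings), the findings list and the prioritized query above share a handful of client-side rules that are easy to get wrong: customSeverity is normalised to High/Medium/Low, suppressionReason is only valid when suppressed is true, properties that should stay unchanged must be omitted rather than sent as null, and limit must be between 1 and 1000. The following Python is an added example and not Mend's client code; it builds and validates request bodies and query parameters against those documented rules. It sends no HTTP requests and assumes nothing about endpoint paths or methods, which this page does not show. The finding records in SAMPLE_FINDINGS are constructed, and the assumption that the bulk endpoint's "findings" list takes each finding's id value is marked in the code.

```python
"""Client-side helpers for the finding endpoints documented on this page.

Added example, not Mend's own client code. It builds and validates request
bodies and query parameters against the documented field rules; it sends no
HTTP requests and assumes no endpoint paths or methods.
"""
from typing import Any, Dict, Iterable, List, Optional

# Canonical forms customSeverity is converted to (first letter upper-case).
ALLOWED_SEVERITIES = ("High", "Medium", "Low")


def normalize_custom_severity(value: str) -> str:
    """Case-insensitive match, canonical form 'High'/'Medium'/'Low'.
    Anything else (e.g. 'Critical') is rejected before a request is built."""
    normalized = value.strip().capitalize()
    if normalized not in ALLOWED_SEVERITIES:
        raise ValueError(
            f"customSeverity must be one of {ALLOWED_SEVERITIES}, got {value!r}")
    return normalized


def build_patch_finding(
    custom_severity: Optional[str] = None,
    reviewed: Optional[bool] = None,
    suppressed: Optional[bool] = None,
    suppression_reason: Optional[str] = None,
) -> Dict[str, Any]:
    """Build a dto.PatchFinding body for the single- and multi-finding updates.

    Unset properties mean 'leave unchanged', so None arguments are omitted
    from the body instead of being serialised as null. suppressionReason is
    only legal when suppressed is true, as the field description states."""
    body: Dict[str, Any] = {}
    if custom_severity is not None:
        body["customSeverity"] = normalize_custom_severity(custom_severity)
    if reviewed is not None:
        body["reviewed"] = reviewed
    if suppressed is not None:
        body["suppressed"] = suppressed
    if suppression_reason:
        if suppressed is not True:
            raise ValueError("suppressionReason requires suppressed to be true")
        body["suppressionReason"] = suppression_reason
    if not body:
        raise ValueError("patch would change nothing; set at least one field")
    return body


def build_bulk_update(finding_ids: Iterable[str], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Body for 'Selectively update multiple findings': one PatchFinding
    applied to every listed finding. Duplicate ids are dropped, order kept."""
    ids = list(dict.fromkeys(finding_ids))
    if not ids:
        raise ValueError("at least one finding id is required")
    return {"findings": ids, "patchOperation": patch}


def select_finding_ids(findings: List[Dict[str, Any]], min_rating: float,
                       unreviewed_only: bool = True) -> List[str]:
    """Pick ids from a 'Get a list of scan findings' response whose rating
    (0..10) is at or above min_rating, by default skipping findings already
    reviewed. Assumption: the bulk endpoint's 'findings' list takes each
    finding's 'id' value (the page only says 'IDs of findings to modify')."""
    return [
        f["id"] for f in findings
        if f.get("rating", 0) >= min_rating
        and not (unreviewed_only and f.get("reviewed", False))
    ]


def prioritized_query_params(limit: int, engine_id: Optional[int] = None) -> Dict[str, int]:
    """Query string for 'Find the highest priority findings': limit must be
    positive and at most 1000; engineId is optional."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    params: Dict[str, int] = {"limit": limit}
    if engine_id is not None:
        params["engineId"] = engine_id
    return params


# Constructed sample shaped like the documented findings response; only the
# fields the helpers read are filled in.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"id": "finding-a", "scanId": "scan-1", "rating": 9.2, "reviewed": False, "severity": "High"},
    {"id": "finding-b", "scanId": "scan-1", "rating": 4.1, "reviewed": False, "severity": "Medium"},
    {"id": "finding-c", "scanId": "scan-1", "rating": 8.7, "reviewed": True, "severity": "High"},
]


if __name__ == "__main__":
    import json
    # Mark every unreviewed finding rated 8.0 or higher as reviewed in one call.
    ids = select_finding_ids(SAMPLE_FINDINGS, min_rating=8.0)
    payload = build_bulk_update(ids, build_patch_finding(reviewed=True))
    print(json.dumps(payload, indent=2))
    print(prioritized_query_params(limit=50, engine_id=3))
```

Keeping the validation on the client side means a malformed patch (a severity outside High/Medium/Low, or a suppression reason on an unsuppressed finding) fails locally with a clear message instead of producing a rejected request, and building the body by omission keeps a bulk update from accidentally clearing fields on hundreds of findings that it was only meant to mark as reviewed.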
