openapi: 3.1.0 info: title: Contrast Assess API description: "Contrast Assess API for viewing and managing data, including vulnerabilities\ \ and libraries, for your organization in Contrast via your API key. See Contrast\ \ Documentation ( https://docs.contrastsecurity.com/en/assess.html) for more information." version: 4.0.0 x-logo: url: /logo.svg href: / servers: - url: https://{baseUrl} variables: baseUrl: default: app.contrastsecurity.com description: The base URL of your Contrast instance security: - Contrast-API-Key: [] Authorization: [] tags: - name: Rules description: "A rule defines a data flow pattern used to categorize vulnerability\ \ and attack types. Some common rules are sql-injection, ssrf, and reflected-xss." - name: Vulnerabilities description: Vulnerabilities detected in runtime by Contrast Assess are weaknesses in the application code that allow an attacker to cause harm. - name: Applications description: "An application represents an executable unit of code that can be instrumented\ \ at runtime by an agent in Contrast. This can be a web app, microservice, or\ \ other runnable code and any dependencies included in its executable, packaged\ \ form." - name: Organizations description: An organization represents a grouping of user accounts in Contrast. paths: /organizations/{organizationId}: get: tags: - Organizations summary: Get organization description: Gets an organization by ID operationId: getOrganization parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/V4Organization' /organizations/{organizationId}/vulnerabilities: get: tags: - Vulnerabilities summary: Get vulnerabilities description: Returns all vulnerabilities from the applications your user role has access to in the organization. operationId: getVulnerabilities parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: type: array items: $ref: '#/components/schemas/V4Vulnerability' /organizations/{organizationId}/vulnerabilities/{vulnerabilityId}: get: tags: - Vulnerabilities summary: Get vulnerability description: Gets a vulnerability by ID. operationId: getVulnerability parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: vulnerabilityId in: path required: true schema: type: string example: UPF2-Z0YH-O121-IWBX responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "404": $ref: "#/components/responses/NotFound404" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/V4Vulnerability' /organizations/{organizationId}/rules/{ruleName}: get: tags: - Rules summary: Get rule description: Gets information about a rule by its name. operationId: getRuleByRuleName parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: ruleName in: path required: true schema: type: string example: cache-controls-missing responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "404": $ref: "#/components/responses/NotFound404" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/V4Rule' /organizations/{organizationId}/applications: get: tags: - Applications summary: Get applications description: Gets a list of all applications that you have access to. operationId: getApplications parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: page in: query description: Zero-based page index (0..N) schema: type: integer default: 0 - name: size in: query description: The size of the page to be returned schema: type: integer default: 10 responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/PageV4Application' /organizations/{organizationId}/applications/{applicationId}: get: tags: - Applications summary: Get application description: Gets an application by ID operationId: getApplication parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: applicationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/V4Application' /organizations/{organizationId}/applications/{applicationId}/vulnerabilities: get: tags: - Vulnerabilities summary: Get application vulnerabilities description: Returns all vulnerabilities for an application. operationId: getVulnerabilitiesForApplication parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: applicationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: type: array items: $ref: '#/components/schemas/V4Vulnerability' /organizations/{organizationId}/applications/{applicationId}/vulnerabilities/{vulnerabilityId}: get: tags: - Vulnerabilities summary: Get application vulnerability description: Gets a specific vulnerability in an application. operationId: getVulnerabilityForApplication parameters: - name: organizationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: applicationId in: path required: true schema: type: string format: uuid example: 2411f46c-7f57-426e-be61-82d583722c8d - name: vulnerabilityId in: path required: true schema: type: string example: UPF2-Z0YH-O121-IWBX responses: "401": $ref: "#/components/responses/Unauthorized401" "403": $ref: "#/components/responses/Forbidden403" "200": description: Request successful content: application/json: schema: $ref: '#/components/schemas/V4Vulnerability' components: schemas: V4Organization: type: object properties: id: type: string description: Organization ID in Contrast web interface. Located under User menu > User Settings > Profile. format: uuid example: c3dfe47c-f859-4fcf-ae90-4cbe564c1e23 name: type: string description: Organization name. timezone: type: string description: Organization's time zone. example: EST dateFormat: type: string description: Organization's date format. example: MM/dd/yyyy timeFormat: type: string description: Organization's time format. example: hh:mm locale: type: string description: Organization's locale. example: en createdTime: type: string description: The time this Organization was first created. format: date-time description: An organization represents your customer account in the Contrast Platform. V4Vulnerability: type: object properties: id: type: string description: Vulnerability ID applicationId: type: string description: Application ID. format: uuid title: type: string description: The display title of this vulnerability as shown in the Contrast web interface. This description is auto-generated and is guaranteed to be unique for each vulnerability in an application. severity: type: string description: "The level of severity of this vulnerability. The severity\ \ is auto-assigned based on the violated rule when the vulnerability is\ \ first created. However, it can be changed from within the Contrast web\ \ interface." enum: - CRITICAL - HIGH - MEDIUM - LOW - NOTE ruleName: type: string description: The name of the rule that detected this vulnerability. tags: type: array description: Tags associated with the vulnerability. items: type: string firstSeenTime: type: string description: The first time this vulnerability was seen. format: date-time lastSeenTime: type: string description: The last time this vulnerability was seen. format: date-time closedTime: type: string description: The time this vulnerability was marked as remediated. format: date-time status: type: string description: The current status assigned to this vulnerability. enum: - REPORTED - SUSPICIOUS - CONFIRMED - NOT_A_PROBLEM - FIXED - REMEDIATED - AUTO_REMEDIATED substatus: type: string description: The substatus of the vulnerability. enum: - EMPTY - FALSE_POSITIVE - SECURITY_CONTROL - EXTERNAL_CONTROL - TRUSTED - OTHER category: type: string description: Vulnerability category. enum: - ACCESS_CONTROL - AUTHENTICATION - CONFIGURATION - AVAILABILITY - CACHING - CVE - CRYPTOGRAPHY - ERROR_HANDLING - INJECTION - SECURE_COMMUNICATION - SESSION_MANAGEMENT - INPUT_VALIDATION - XSS defaultSeverity: type: string description: The original severity of this vulnerability. You can change the severity of the vulnerability. This indicates the original value was assigned based on the rule and your organization's settings. enum: - CRITICAL - HIGH - MEDIUM - LOW - NOTE confidence: type: string description: The level of confidence that this is a true positive result. enum: - LOW - MEDIUM - HIGH likelihood: type: string description: Likelihood of this vulnerability to actually be exploited. enum: - LOW - MEDIUM - HIGH impact: type: string description: The level of negative impact an exploit of this vulnerability would have. enum: - LOW - MEDIUM - HIGH programmingLanguage: type: string description: Programming language with a detected vulnerability. enum: - JAVA - DOTNET - NODE - RUBY - PROXY - PYTHON - DOTNET_CORE - GO - PHP description: "A vulnerability represents a weakness in the application code\ \ that allows an attacker to cause harm. In the Contrast Platform, the term\ \ vulnerability specifically refers to an instance of a weakness in an application\ \ found by the Contrast Asses Agent at runtime." V4Rule: type: object properties: name: type: string description: Unique name identifying this rule. title: type: string description: Human-readable title of this rule. description: type: string description: Description of the vulnerability type the rule is checking for. category: type: string description: Rule category. Rules are grouped into categories that have similar characteristics. enum: - ACCESS_CONTROL - AUTHENTICATION - CONFIGURATION - AVAILABILITY - CACHING - CVE - CRYPTOGRAPHY - ERROR_HANDLING - INJECTION - SECURE_COMMUNICATION - SESSION_MANAGEMENT - INPUT_VALIDATION - XSS severity: type: string description: Default severity to assign for vulnerabilities violating the rule. This can be customized by your organization. enum: - CRITICAL - HIGH - MEDIUM - LOW - NOTE confidence: type: string description: Level of confidence that vulnerabilities detected by this rule are true positives. enum: - LOW - MEDIUM - HIGH likelihood: type: string description: Likelihood of vulnerabilities detected by this rule to actually be exploited. enum: - LOW - MEDIUM - HIGH impact: type: string description: The level of negative impact an exploit of this vulnerability would have. enum: - LOW - MEDIUM - HIGH cweUrl: type: string description: Link to information about the CWE this rule addresses. owaspUrl: type: string description: "Link to OWASP information about the vulnerability this rule\ \ addresses. QUESTION--Should these two be named Url, Uri or Link?" description: "A rule defines a data flow pattern used to categorize vulnerability\ \ and attack types. Some common rules are sql-injection, ssrf, and reflected-xss." PageV4Application: type: object properties: totalElements: description: The toal number of Elements. type: integer format: int64 totalPages: description: The toal number of Pages. type: integer format: int32 first: description: Whether the current Page is the first one. type: boolean last: description: Whether the current Page is the last one. type: boolean size: description: The size of the Page. type: integer format: int32 content: type: array items: $ref: '#/components/schemas/V4Application' number: description: The number of the current Page. Is always non-negative. type: integer format: int32 sort: $ref: '#/components/schemas/SortObject' pageable: $ref: '#/components/schemas/PageableObject' numberOfElements: description: The number of elements currently on this Page. type: integer format: int32 empty: description: Whether the current Page is empty. type: boolean PageableObject: type: object properties: offset: description: The offset to be taken according to the underlying page and page size. type: integer format: int64 sort: description: The sorting parameters. $ref: '#/components/schemas/SortObject' paged: description: True if this response is paginated. type: boolean unpaged: description: True if this response is not paginated. type: boolean pageSize: description: The number of items per page. type: integer format: int32 pageNumber: description: The current page number. type: integer format: int32 SortObject: type: object properties: empty: description: True if the request had no sort parameters defined. type: boolean unsorted: description: True if this response is not sorted. type: boolean sorted: description: True if this response is sorted. type: boolean V4Application: type: object properties: id: type: string description: Application ID. format: uuid name: type: string description: "Application name. For applications created in Assess or Protect,\ \ the agent assigns the name." displayName: type: string description: Name that appears in Contrast when displaying this application. Overrides the name field if present. path: type: string description: The root path this application is hosted on in the web server. This is discovered by the Assess or Protect agent. language: type: string description: The application's programming language. enum: - JAVA - DOTNET - NODE - RUBY - PROXY - PYTHON - DOTNET_CORE - GO - PHP importance: type: string description: Level of importance of this application in the organization. Applications with a higher level of importance are more scrutinized for security issues. enum: - UNIMPORTANT - LOW - MEDIUM - HIGH - CRITICAL isArchived: type: boolean description: Archived application technologies: type: array description: Technologies associated with this application. items: type: string tags: type: array description: Application tags. Tags are labels that can be assigned to applications to help organize applications and improve search functionality. These can be configured in the agent's configuration file or via the Contrast web interface. items: type: string metadata: type: array description: Metadata assigned to this application. This is a set of key-value pairs that are defined either in the agent's configuration file or in the Contrast web interface. Metadata fields are predefined at the Organization level and strongly typed. items: type: object additionalProperties: type: string firstSeenTime: type: string description: "The first time this application was observed by an agent,\ \ or the time this application was manually created (if not created by\ \ an agent)." format: date-time lastSeenTime: type: string description: The most recent time an Assess or Protect agent observed activity for this application or it was scanned by SCA. format: date-time description: Represents a single executable component that can be instrumented or otherwise assessed for security vulnerabilities. securitySchemes: Contrast-API-Key: type: apiKey in: header name: API-Key Authorization: type: apiKey in: header name: Authorization responses: Unauthorized401: description: Unauthorized content: application/json: examples: Unauthorized: description: Unauthorized value: message: Authorization failure details: [ ] Forbidden403: description: Forbidden content: application/json: examples: Forbidden: description: Forbidden value: message: Authorization failure details: [ ] NotFound404: description: Resource not found content: application/json: examples: Resource not found: description: Resource not found value: message: - Entity not found details: [ ]