API Tutorial: How to Use the Mitigation Calls

Veracode APIs

This tutorial provides basic information on some of the tasks the Mitigation and Comments API can do. This guide uses standalone HTTP request calls, but you can combine them in an API wrapper to process multiple API calls.

Note: Before you can access and use the APIs, your Veracode user account must have the required permissions.
  1. To mark a flaw found in scan results as a false positive, from the command line, enter:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/updatemitigationinfo.do" "build_id==<your build ID>" "action==fp" "comment==<your comment text>" "flaw_id_list==<your flaw IDs>

    Where required, enter the build ID, which you can get from the buildlist.xml returned by the getbuildlist.do call. Also, enter a comma-separated list of flaw IDs, which you find in the Triage Flaws page for that application in the Veracode Platform. You can also find the flaw IDs in the detailedreport.xml file.

    To create a list of builds of your chosen application, enter:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getbuildlist.do" "app_id==<your application ID>"
    Enter your application ID from the returned applist.xml from the previous step. The returned buildlist.xml from this step contains the IDs of the builds for the application, such as:
          <build build_id="49894" version="5.0"/>
  2. To accept a flaw found in scan results, enter:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/updatemitigationinfo.do" "build_id==<your build id>" "action==accepted" "comment==<your comment text>" "flaw_id_list==<your flaw IDs>"

    Where required, enter the build ID and a comma-separated list of flaw IDs.