Proposing a Mitigation with the Annotations API

Veracode APIs

This use case scenario provides the Annotations REST API command and payload for proposing a mitigation against one or more findings for an application.

You can use the Applications API to get the GUID for an application.

Use this command to propose a mitigation for two findings in an application, where the mitigating control is an environmental control in the network (action NET_ENV) and a comment explains it:
http --auth-type=veracode_hmac POST "https://api.veracode.com/appsec/v2/applications/{application_guid}/annotations" < input.json
The command reads the request body from the JSON file (input.json) that you populate with the required values, as in this example. Note that issue_list is a single comma-separated string, not a JSON array:
{
  "issue_list": "1,2",
  "comment": "This is my comment",
  "action": "NET_ENV"
}
Table. JSON Properties

Name         Type    Required  Description
issue_list   String  Yes       Comma-separated list of finding (flaw) IDs. You can use the Findings API to get the list of finding IDs for an application.
comment      String  Yes       A brief comment about the findings in issue_list.
action       String  Yes       One of these mitigation actions:
  • APP_BY_DESIGN states that custom business logic within the body of the application has addressed the finding. An automated process may not be able to fully identify this business logic.
  • NET_ENV states that the network in which the application is running provides an environmental control that has addressed the finding.
  • OS_ENV states that the operating system on which the application is running provides an environmental control that has addressed the finding.
  • POTENTIAL_FALSE_POSITIVE states that Veracode has incorrectly identified a finding in your application. Marking a finding as a potential false positive does not exclude it from your published report; your organization must approve the potential false positive to exclude it. By approving a finding as a false positive, your organization accepts the risk that the finding might be valid.
  • LIBRARY states that the current team does not maintain the library containing the finding and has referred the vulnerability to the library maintainer.
  • ACCEPT_RISK states that your business is willing to accept the risk associated with the finding, having evaluated the potential risk and the effort required to address it.
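The following is an added example and not Veracode's own code. It shows how a practitioner would assemble the payload described above from Findings API output rather than by hand: select the open findings of one CWE that do not already carry a proposed or approved mitigation, validate the action against the six values in the table, build the issue_list string, write input.json and run the httpie command from this page. It assumes the veracode_hmac httpie auth plugin is installed and configured, and it assumes the Findings API field names issue_id, finding_details.cwe.id and finding_status.resolution_status (the sample findings are constructed for the example).

```python
"""Build and submit an Annotations API mitigation payload.

Added example, not Veracode's own code. Assumes the httpie veracode_hmac
auth plugin used by the command on this page, and assumes the Findings API
returns finding objects with the fields "issue_id",
"finding_details.cwe.id" and "finding_status.resolution_status".
"""
import json
import subprocess

ANNOTATIONS_URL = (
    "https://api.veracode.com/appsec/v2/applications/{application_guid}/annotations"
)

# The six mitigation actions documented in the table above.
MITIGATION_ACTIONS = frozenset({
    "APP_BY_DESIGN", "NET_ENV", "OS_ENV",
    "POTENTIAL_FALSE_POSITIVE", "LIBRARY", "ACCEPT_RISK",
})

# Constructed sample shaped like the "_embedded.findings" array of a
# Findings API response (assumed field names; values are made up).
SAMPLE_FINDINGS = [
    {"issue_id": 1, "finding_details": {"cwe": {"id": 89}},
     "finding_status": {"resolution_status": "NONE"}},
    {"issue_id": 2, "finding_details": {"cwe": {"id": 89}},
     "finding_status": {"resolution_status": "NONE"}},
    {"issue_id": 3, "finding_details": {"cwe": {"id": 79}},
     "finding_status": {"resolution_status": "NONE"}},
    {"issue_id": 4, "finding_details": {"cwe": {"id": 89}},
     "finding_status": {"resolution_status": "PROPOSED"}},
]


def select_issue_ids(findings, cwe_id):
    """Return issue IDs for findings of one CWE that have no proposed or
    approved mitigation yet. Re-proposing on a finding that already carries
    a proposal is usually a mistake, so those are skipped."""
    chosen = []
    for finding in findings:
        cwe = finding.get("finding_details", {}).get("cwe", {}).get("id")
        status = finding.get("finding_status", {}).get("resolution_status", "NONE")
        if cwe == cwe_id and status not in ("PROPOSED", "APPROVED"):
            chosen.append(int(finding["issue_id"]))
    return chosen


def build_annotation_payload(issue_ids, comment, action):
    """Build the request body documented above, rejecting invalid input
    before anything is sent."""
    if action not in MITIGATION_ACTIONS:
        raise ValueError(
            f"unknown action {action!r}; expected one of {sorted(MITIGATION_ACTIONS)}")
    ids = sorted({int(i) for i in issue_ids})  # de-duplicate, stable order
    if not ids:
        raise ValueError("issue_list must contain at least one finding ID")
    comment = comment.strip()
    if not comment:
        raise ValueError("comment is required")
    # issue_list is a single comma-separated string, not a JSON array.
    return {"issue_list": ",".join(str(i) for i in ids),
            "comment": comment, "action": action}


def propose_mitigation(application_guid, payload, input_path="input.json"):
    """Write input.json and run the httpie command from this page.
    --check-status makes httpie exit non-zero on a 4xx/5xx response,
    so a rejected proposal raises CalledProcessError instead of passing silently."""
    with open(input_path, "w", encoding="utf-8") as fh:
        json.dump(payload, fh, indent=2)
    url = ANNOTATIONS_URL.format(application_guid=application_guid)
    with open(input_path, "rb") as fh:
        result = subprocess.run(
            ["http", "--auth-type=veracode_hmac", "--check-status", "POST", url],
            stdin=fh, capture_output=True, check=True)
    return json.loads(result.stdout) if result.stdout.strip() else {}


if __name__ == "__main__":
    ids = select_issue_ids(SAMPLE_FINDINGS, cwe_id=89)  # -> [1, 2]
    payload = build_annotation_payload(ids, "This is my comment", "NET_ENV")
    print(json.dumps(payload, indent=2))
    # Requires real credentials and an application GUID:
    # propose_mitigation("{application_guid}", payload)
```

Running the script prints exactly the JSON body shown earlier on this page; uncomment the last line with a real application GUID to submit it.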