Findings API Use Case Scenarios

Veracode APIs

These use case scenarios demonstrate how to perform several functions with the Veracode Findings REST API.

Each of these examples requires the GUID of a target Veracode application. You can use the Applications API to get the GUID for an application.
You can combine query parameters in a single command by joining them with &. For example:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?cwe=80&scan_type=STATIC"

Get Findings by CWE ID

To identify each finding of a specific CWE in an application, run this command:

http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?cwe=80"

Get Findings by Scan Type

To identify each finding of a specific scan type in an application, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?scan_type=STATIC"

The valid scan_type values are STATIC, DYNAMIC, MANUAL, and SCA. Unless you include scan_type=SCA in the request, the Findings API excludes Software Composition Analysis (SCA) findings from the response.

Get Findings for a Sandbox

To identify each finding for a specific sandbox in an application, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?context=<sandbox-guid>"

Get Findings by Severity

To identify each finding of a specific severity in an application, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?severity=3"

The valid severity values are the numbers 0-5.

Get Findings of a Specific Severity or Higher

To identify each finding in an application with a severity equal to or higher than a specific value, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?severity_gte=3"

The valid severity_gte values are the numbers 0-5.

Get Findings and Include Annotations

To identify each finding in an application and return the annotations, including mitigation details and comments, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?include_annot=TRUE"

This command adds an annotations node containing the annotation information to the response.

Get Findings that Violate Policy

To identify each finding in an application that does not pass policy, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?violates_policy=TRUE"

Get Findings by Category

To identify each finding of a specific category in an application, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?finding_category=20"

Use the numeric ID for finding_category; it appears in the API response as the finding_category.id value of each finding.

Get New Findings from Latest Scan

To identify each new finding in the most recent scan of an application, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?new=true"

Get SCA Findings of a Severity Higher than the Allowed CVSS Score

To identify each Software Composition Analysis (SCA) finding in an application with a severity higher than the CVSS score allowed in the policy, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?scan_type=SCA&cvss_gte=6"

Get MPT Findings of a Severity Higher than the Allowed CVSS Score

You can use the Applications API to get the GUID for an application. You can use the Findings API to get the issue ID for a finding.

This endpoint uses the Manual Testing API specification.

To identify each Manual Penetration Testing (MPT) finding in an application with a severity higher than the CVSS score allowed in the policy, run this command:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings?scan_type=MANUAL&cvss_gte=6"
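The use cases above all share one URL shape and differ only in the query parameters, so the values are worth validating before they reach a command line. The following Python helper is an added example, not Veracode's own client code: it takes the parameter names, the valid scan_type values and the 0-5 severity range from the use cases above, and assumes in addition that application and sandbox GUIDs are standard UUID strings and that cvss_gte lies on the 0-10 CVSS scale. Boolean flags are spelled exactly as the commands above spell them (include_annot=TRUE, violates_policy=TRUE, new=true).

```python
import uuid
from urllib.parse import urlencode

# Added example (not Veracode code): build a validated Findings API URL from
# the filters shown in the use cases. GUID-as-UUID and the 0-10 CVSS range
# are assumptions; everything else mirrors the documented parameters.
BASE_URL = "https://api.veracode.com/appsec/v2/applications"
VALID_SCAN_TYPES = ("STATIC", "DYNAMIC", "MANUAL", "SCA")


def _guid(value):
    """Reject anything that is not a UUID so a bad value cannot alter the URL path."""
    return str(uuid.UUID(str(value)))


def _int_in_range(name, value, lo, hi=None):
    """Accept only a plain int within [lo, hi] (hi=None means no upper bound)."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer, got {value!r}")
    if value < lo or (hi is not None and value > hi):
        raise ValueError(f"{name} must be in range {lo}..{hi}, got {value!r}")
    return value


def _flag(name, value, upper):
    """Spell boolean flags TRUE/FALSE or true/false, as the documented commands do."""
    if not isinstance(value, bool):
        raise ValueError(f"{name} must be a bool, got {value!r}")
    return str(value).upper() if upper else str(value).lower()


def build_findings_url(app_guid, *, cwe=None, scan_type=None, context=None,
                       severity=None, severity_gte=None, include_annot=None,
                       violates_policy=None, finding_category=None, new=None,
                       cvss_gte=None):
    """Return the findings URL for one application with all given filters joined by '&'."""
    params = {}
    if cwe is not None:
        params["cwe"] = _int_in_range("cwe", cwe, 1)
    if scan_type is not None:
        st = str(scan_type).upper()
        if st not in VALID_SCAN_TYPES:
            raise ValueError(f"scan_type must be one of {VALID_SCAN_TYPES}, got {scan_type!r}")
        params["scan_type"] = st
    if context is not None:
        params["context"] = _guid(context)  # sandbox GUID
    if severity is not None:
        params["severity"] = _int_in_range("severity", severity, 0, 5)
    if severity_gte is not None:
        params["severity_gte"] = _int_in_range("severity_gte", severity_gte, 0, 5)
    if include_annot is not None:
        params["include_annot"] = _flag("include_annot", include_annot, upper=True)
    if violates_policy is not None:
        params["violates_policy"] = _flag("violates_policy", violates_policy, upper=True)
    if finding_category is not None:
        params["finding_category"] = _int_in_range("finding_category", finding_category, 1)
    if new is not None:
        params["new"] = _flag("new", new, upper=False)
    if cvss_gte is not None:
        params["cvss_gte"] = _int_in_range("cvss_gte", cvss_gte, 0, 10)
    url = f"{BASE_URL}/{_guid(app_guid)}/findings"
    return f"{url}?{urlencode(params)}" if params else url


if __name__ == "__main__":
    # Constructed GUID, not a real application.
    print(build_findings_url("12345678-1234-1234-1234-123456789abc",
                             scan_type="SCA", cvss_gte=6, violates_policy=True))
```

The returned URL can be passed unchanged to the HTTPie commands shown above (http --auth-type=veracode_hmac "<url>"); the builder only guarantees that the query is well formed and within the documented value ranges.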

Get Details About a Dynamic Analysis Flaw

You can use the Findings API to get the issue ID for a finding.

This endpoint uses the Dynamic Flaw API specification.

Use this command to view details for a specific dynamic flaw:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings/<finding-id>/dynamic_flaw_info"

Get Details About a Static Finding

You can use the Applications API to get the GUID for an application or development sandbox. You can use the Findings API to get the issue ID for a finding.

This endpoint uses the Static Finding Data Path API specification.

Use this command to view the data paths for a static finding:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings/<finding-id>/static_flaw_info"

Use this command to view the data paths for a static finding from a sandbox scan:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v2/applications/<application-guid>/findings/<finding-id>/static_flaw_info?context=<sandbox-guid>"
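A findings query is usually followed by a second step: sorting the results by policy impact and fetching details for the ones that matter, using the static_flaw_info and dynamic_flaw_info endpoints above. The following Python script is an added example, not Veracode's own code, and it runs on a constructed sample rather than real scan output. The response layout it relies on is an assumption: findings listed under _embedded.findings, each carrying issue_id, scan_type, violates_policy, finding_status.new, finding_details.severity, finding_details.cwe.id, finding_details.finding_category.id, finding_details.cvss for SCA findings, and an annotations list when include_annot=TRUE. Of these names, only the annotations node and finding_category.id are stated on this page.

```python
import json

# Added example (not Veracode code): triage one page of Findings API output
# and map each finding to its detail endpoint. The field layout below is an
# assumption; the page itself names only the annotations node and
# finding_category.id.
BASE_URL = "https://api.veracode.com/appsec/v2/applications"
DETAIL_SUFFIX = {"STATIC": "static_flaw_info", "DYNAMIC": "dynamic_flaw_info"}


def _finding(issue_id, scan_type, severity, violates, cwe=0, category=0,
             new=False, cvss=None, annotations=None):
    """Build one constructed finding record in the assumed layout."""
    details = {"severity": severity, "cwe": {"id": cwe},
               "finding_category": {"id": category}}
    if cvss is not None:
        details["cvss"] = cvss  # only SCA findings carry a CVSS score here
    record = {"issue_id": issue_id, "scan_type": scan_type,
              "violates_policy": violates, "finding_status": {"new": new},
              "finding_details": details}
    if annotations:
        record["annotations"] = annotations
    return record


# Constructed sample response: five findings, not real scan data.
SAMPLE_RESPONSE = {"_embedded": {"findings": [
    _finding(1, "STATIC", 4, True, cwe=80, category=20,
             annotations=[{"action": "COMMENT", "comment": "Fix scheduled"}]),
    _finding(2, "STATIC", 2, False, cwe=80, category=20, new=True),
    _finding(3, "DYNAMIC", 3, True, cwe=79, category=20),
    _finding(4, "SCA", 4, True, cvss=7.5),
    _finding(5, "MANUAL", 5, True, category=18),
]}}


def detail_url(app_guid, finding, sandbox_guid=None):
    """Return the flaw-detail URL documented above, or None where none exists."""
    suffix = DETAIL_SUFFIX.get(finding["scan_type"])
    if suffix is None:
        return None  # MANUAL and SCA findings have no flaw-detail endpoint on the page
    url = f"{BASE_URL}/{app_guid}/findings/{finding['issue_id']}/{suffix}"
    if sandbox_guid and suffix == "static_flaw_info":
        url += f"?context={sandbox_guid}"  # sandbox context applies to static data paths
    return url


def triage(response, app_guid, sandbox_guid=None, cvss_cutoff=6):
    """Summarise a findings page: policy violations by severity, counts per
    finding_category.id, annotated and new findings, SCA findings at or above
    cvss_cutoff, and a detail URL for every violating finding that has one."""
    report = {"violations_by_severity": {}, "by_category": {}, "annotated": [],
              "new": [], "sca_at_or_above_cutoff": [], "detail_urls": {}}
    for f in response.get("_embedded", {}).get("findings", []):
        details = f["finding_details"]
        cat = details["finding_category"]["id"]
        report["by_category"][cat] = report["by_category"].get(cat, 0) + 1
        if f.get("violates_policy"):
            sev = details["severity"]
            report["violations_by_severity"][sev] = report["violations_by_severity"].get(sev, 0) + 1
            url = detail_url(app_guid, f, sandbox_guid)
            if url:
                report["detail_urls"][f["issue_id"]] = url
        if f.get("annotations"):
            report["annotated"].append(f["issue_id"])
        if f.get("finding_status", {}).get("new"):
            report["new"].append(f["issue_id"])
        if f["scan_type"] == "SCA" and details.get("cvss", 0) >= cvss_cutoff:
            report["sca_at_or_above_cutoff"].append(f["issue_id"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE, "<application-guid>"), indent=2))
```

In practice the response dict comes from the JSON body of one of the findings commands above (with include_annot=TRUE if the annotations list is wanted), and the detail URLs in the report are the ones to pass to http --auth-type=veracode_hmac next.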