The detailedreport.do call returns a detailed XML report of all scan results for the specified build.
For performance reasons, this API always compresses the XML output in Gzip format, regardless of file size. When calling this API in production, Veracode strongly recommends that you use a user agent that supports Gzip; HTTPie does so by default. To test this API, you can use any tool that supports HTTP.
Resource URL
https://analysiscenter.veracode.com/api/5.0/detailedreport.do
Parameters
Name | Type | Description |
---|---|---|
build_id (Required) | Integer | Application or sandbox build ID. |
HTTPie Example
Examples use the HTTPie command-line tool. See Using HTTPie with the Python Authentication Library.
http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/detailedreport.do" "build_id==<build id>"
HTTPie Results
The detailedreport.do call returns the detailedreport XML document, which references the detailedreport.xsd schema file. You can use the XSD schema file to validate the XML data. See the detailedreport.xsd schema documentation.
A partial XML example. The assurance_level attribute is deprecated; Veracode replaced it with business_criticality, and both still appear in the output.
<?xml version='1.0' encoding='UTF-8'?>
<detailedreport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://www.veracode.com/schema/reports/export/1.0" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/detailedreport.xsd" report_format_version="1.5" account_id="<account id>" app_name="<app name>" app_id="<app id>" analysis_id="4705951" static_analysis_unit_id="4721671" sandbox_id="<sandbox id>" first_build_submitted_date="2019-08-13 17:57:41 UTC" version="13 Aug 2019 Static" build_id="4722565" submitter="Veracode" platform="Not Specified" assurance_level="5" business_criticality="5" generation_date="2019-09-03 19:54:36 UTC" veracode_level="VL1" total_flaws="22" flaws_not_mitigated="22" teams="Demo Team" life_cycle_stage="Not Specified" planned_deployment_date="" last_update_time="2019-08-13 18:08:47 UTC" is_latest_build="true" policy_name="Veracode Transitional Very High" policy_version="1" policy_compliance_status="Did Not Pass" policy_rules_status="Did Not Pass" grace_period_expired="true" scan_overdue="false" business_owner="" business_unit="Not Specified" tags="" legacy_scan_engine="false">
  <static-analysis rating="D" score="82" submitted_date="2019-08-13 17:57:39 UTC" published_date="2019-08-13 18:08:35 UTC" version="13 Aug 2019 Static" analysis_size_bytes="16157840" engine_version="20190805180615">
    <modules>
      <module name="httpd" compiler="GCC_Linux_IA32_3_4_6" os="Red Hat Enterprise Linux v4 (IA32)" architecture="IA32" loc="66813" score="82" numflawssev0="0" numflawssev1="0" numflawssev2="6" numflawssev3="13" numflawssev4="0" numflawssev5="3" />
    </modules>
  </static-analysis>
  <severity level="5">
    <category categoryid="3" categoryname="Buffer Overflow" pcirelated="false">
      <desc>
        <para text="Buffer overflows (or buffer overruns) occur when a program attempts to put more data in a buffer than it has been allocated to hold. Writing to areas of memory not intended by the application developer can lead to serious security vulnerabilities and can cause an application to execute arbitrary code on behalf of an attacker." />
        <para text="The degree of exploitability of buffer overflows varies depending on a number of factors, including buffer location, execution path, and platform. Often, the resultant behavior is limited to corrupting data or crashing the application. However, in many cases, specially crafted attacks can be constructed that will execute arbitrary code with the privileges of the vulnerable application. " />
      </desc>
      <recommendations>
        <para text="There are a number of mitigations that can be applied during both design and implementation to prevent buffer overflows from occurring. Using multiple techniques provides defense-in-depth. ">
          <bulletitem text="Always use bounded rather than unbounded string manipulation functions, e.g. strncpy() and strncat() instead of strcpy() and strcat()." />
          <bulletitem text="When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not null-terminate the string." />
          <bulletitem text="Be careful when working with multi-byte strings, as the number of logical characters in a string is not equivalent to the number of bytes allocated in memory." />
          <bulletitem text="Use a safe string handling functions such as Microsoft's strsafe.h. These functions prevent data from being written past the end of buffers and guarantees null termination. Alternatively, use a string abstraction library such as SafeStr, which automatically resizes strings as required. While neither of these approaches is foolproof, they will prevent many common mistakes." />
        </para>
      </recommendations>
      ...
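The gzip handling described above and the XML consumption described under HTTPie Results, as an added example that is not Veracode's own code. The sample document is constructed from the attributes shown in the partial example; the `RequestsAuthPluginVeracodeHMAC` class and the credential environment variables are assumed from the veracode-api-signing library's documentation, and the value "Pass" for a passing policy is an assumption (the page shows only "Did Not Pass"). XSD validation against detailedreport.xsd is not shown; it needs lxml and a local copy of the schema.

```python
"""Consume a detailedreport.do response and turn it into a CI policy gate.

Added example, not Veracode's code. Handles both clients that inflate gzip
transparently and clients that hand back the raw gzip body.
"""
import gzip
import xml.etree.ElementTree as ET

API_URL = "https://analysiscenter.veracode.com/api/5.0/detailedreport.do"
# Namespace declared on the detailedreport root element (see the page's example).
NS = {"vr": "https://www.veracode.com/schema/reports/export/1.0"}
GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: a trimmed detailedreport shaped like the page's example,
# embedded so the code runs offline. Values mirror the page's httpd module.
SAMPLE_XML = b"""<?xml version='1.0' encoding='UTF-8'?>
<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
    app_name="httpd-demo" build_id="4722565" total_flaws="22"
    flaws_not_mitigated="22" policy_compliance_status="Did Not Pass">
  <static-analysis rating="D" score="82">
    <modules>
      <module name="httpd" numflawssev0="0" numflawssev1="0" numflawssev2="6"
              numflawssev3="13" numflawssev4="0" numflawssev5="3" />
    </modules>
  </static-analysis>
  <severity level="5">
    <category categoryid="3" categoryname="Buffer Overflow" pcirelated="false" />
  </severity>
</detailedreport>
"""


def sample_gzipped_response() -> bytes:
    """What a non-inflating client would hand back: the constructed sample, gzipped."""
    return gzip.compress(SAMPLE_XML)


def decompress_if_gzipped(body: bytes) -> bytes:
    """Return plain XML whether or not the HTTP client already inflated the body.

    requests/HTTPie inflate when Content-Encoding: gzip is present; a raw client
    does not. Sniffing the gzip magic bytes copes with both cases.
    """
    if body[:2] == GZIP_MAGIC:
        return gzip.decompress(body)
    return body


def parse_detailedreport(body: bytes) -> dict:
    """Extract the summary fields a build gate needs from a detailedreport document."""
    root = ET.fromstring(decompress_if_gzipped(body))
    if root.tag != "{%s}detailedreport" % NS["vr"]:
        raise ValueError("not a detailedreport document: %s" % root.tag)

    # Sum per-module counts (numflawssev0..numflawssev5) across all modules.
    flaws_by_severity = {level: 0 for level in range(6)}
    for module in root.iterfind("vr:static-analysis/vr:modules/vr:module", NS):
        for level in range(6):
            flaws_by_severity[level] += int(module.get("numflawssev%d" % level, "0"))

    # Categories are grouped under <severity level="N"> elements.
    categories = []
    for sev in root.iterfind("vr:severity", NS):
        level = int(sev.get("level"))
        for cat in sev.iterfind("vr:category", NS):
            categories.append((level, cat.get("categoryname")))

    return {
        "app_name": root.get("app_name"),
        "build_id": root.get("build_id"),
        "total_flaws": int(root.get("total_flaws", "0")),
        "flaws_not_mitigated": int(root.get("flaws_not_mitigated", "0")),
        "policy_compliance_status": root.get("policy_compliance_status"),
        "flaws_by_severity": flaws_by_severity,
        "categories": categories,
    }


def gate(summary: dict, block_at_or_above: int = 4) -> bool:
    """CI gate: True only if Veracode policy passed and no module reports flaws at
    or above the given severity (0..5). "Pass" as the passing value is assumed."""
    if summary["policy_compliance_status"] != "Pass":
        return False
    return all(summary["flaws_by_severity"][lvl] == 0
               for lvl in range(block_at_or_above, 6))


def fetch_detailedreport(build_id: int) -> dict:
    """Live call (network + credentials required). Assumes the veracode-api-signing
    plugin class and that it reads VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET."""
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    resp = requests.get(API_URL, params={"build_id": build_id},
                        auth=RequestsAuthPluginVeracodeHMAC(), timeout=120)
    resp.raise_for_status()
    return parse_detailedreport(resp.content)  # content may or may not be inflated


if __name__ == "__main__":
    s = parse_detailedreport(sample_gzipped_response())
    print(s["app_name"], s["build_id"], s["policy_compliance_status"], s["flaws_by_severity"])
    print("gate passed:", gate(s))
```

Replace `sample_gzipped_response()` with `fetch_detailedreport(<build id>)` to run it against a real build; the magic-byte sniff means the gate behaves the same whether the transport layer inflated the body or not.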
API Wrapper Examples
Java example:
java -jar VeracodeJavaAPI.jar -vid <Veracode API ID> -vkey <Veracode API Key> -action detailedreport -buildid <build id> -outputfilepath c:\javawrappers\detailedreport.xml
C# example:
VeracodeC#API -vid <Veracode API ID> -vkey <Veracode API key> -action detailedreport -buildid <build id> -outputfilepath c:\csharpwrappers\detailedreport.xml
API Wrapper Results
The detailedreport.do call returns the detailedreport XML document, which references the detailedreport.xsd schema file. You can use the XSD schema file to validate the XML data. See the detailedreport.xsd schema documentation.
A partial XML example. The assurance_level attribute is deprecated; Veracode replaced it with business_criticality, and both still appear in the output.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="<account id>" analysis_id="4705951" app_id="<app id>" app_name="Apache" assurance_level="5" build_id="<build id>" business_criticality="5" business_owner="" business_unit="Not Specified" first_build_submitted_date="2019-08-13 17:57:41 UTC" flaws_not_mitigated="22" generation_date="2019-10-09 21:31:49 UTC" grace_period_expired="true" is_latest_build="true" last_update_time="2019-08-13 18:08:47 UTC" legacy_scan_engine="false" life_cycle_stage="Not Specified" planned_deployment_date="" platform="Not Specified" policy_compliance_status="Did Not Pass" policy_name="Veracode Transitional Very High" policy_rules_status="Did Not Pass" policy_version="1" report_format_version="1.5" sandbox_id="1358509" scan_overdue="false" static_analysis_unit_id="4721671" submitter="Veracode" tags="" teams="Demo Team" total_flaws="22" veracode_level="VL1" version="13 Aug 2019 Static" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/detailedreport.xsd">
  <static-analysis analysis_size_bytes="16157840" engine_version="20190805180615" published_date="2019-08-13 18:08:35 UTC" rating="D" score="82" submitted_date="2019-08-13 17:57:39 UTC" version="13 Aug 2019 Static">
    <modules>
      <module architecture="IA32" compiler="GCC_Linux_IA32_3_4_6" loc="66813" name="httpd" numflawssev0="0" numflawssev1="0" numflawssev2="6" numflawssev3="13" numflawssev4="0" numflawssev5="3" os="Red Hat Enterprise Linux v4 (IA32)" score="82"/>
    </modules>
  </static-analysis>
  <severity level="5">
    <category categoryid="3" categoryname="Buffer Overflow" pcirelated="false">
      <desc>
        <para text="Buffer overflows (or buffer overruns) occur when a program attempts to put more data in a buffer than it has been allocated to hold. Writing to areas of memory not intended by the application developer can lead to serious security vulnerabilities and can cause an application to execute arbitrary code on behalf of an attacker."/>
        <para text="The degree of exploitability of buffer overflows varies depending on a number of factors, including buffer location, execution path, and platform. Often, the resultant behavior is limited to corrupting data or crashing the application. However, in many cases, specially crafted attacks can be constructed that will execute arbitrary code with the privileges of the vulnerable application. "/>
      </desc>
      <recommendations>
        <para text="There are a number of mitigations that can be applied during both design and implementation to prevent buffer overflows from occurring. Using multiple techniques provides defense-in-depth. ">
          <bulletitem text="Always use bounded rather than unbounded string manipulation functions, e.g. strncpy() and strncat() instead of strcpy() and strcat()."/>
          <bulletitem text="When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not null-terminate the string."/>
          <bulletitem text="Be careful when working with multi-byte strings, as the number of logical characters in a string is not equivalent to the number of bytes allocated in memory."/>
          <bulletitem text="Use a safe string handling functions such as Microsoft's strsafe.h. These functions prevent data from being written past the end of buffers and guarantees null termination. Alternatively, use a string abstraction library such as SafeStr, which automatically resizes strings as required. While neither of these approaches is foolproof, they will prevent many common mistakes."/>
        </para>
      </recommendations>