The getdynamicflaws.do call returns information on a specific flaw.
Before
using this API, Veracode strongly recommends that you read API Usage and Access
Guidelines.
REST API Equivalent
The REST API equivalent of this call is a GET to /appsec/v2/applications/<guid>/findings/<id>/dynamic_flaw_info. Veracode strongly recommends that you use the REST API for this action. For new integrations, always use the REST APIs.
Resource URL
https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do
Permissions
You need the Results API role to use this call.
Parameters
| Name | Type | Description |
|---|---|---|
| build_id Required |
Integer | Application or sandbox build ID. |
| flaw_id Required |
Integer | Find flaw IDs on the Triage Flaws page in the Veracode Platform or in the issueid fields returned by the Detailed Report API. |
To locate the parameters for getdynamicflaws.do:
- Call getapplist.do to locate the app_id for your application.
- Call getbuildlist.do with the app_id to locate the current build_id for your application.
- Call detailedreport.do with the build_id to locate a flaw_id.
- In the XML code of the detailed report, find the report section for the target flaw and then find the issueid element in that section. The issueid is the flaw_id.
HTTPie Example
Examples use the HTTPie command-line tool. See Using HTTPie with the Python Authentication Library.
http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do" "build_id==<build id>" "flaw_id==2"
HTTPie Results
The getdynamicflaws.do call returns the dynamicfinding XML document, which references the dynamicfinding.xsd schema file. You can use the XSD schema file to validate the XML data.
<?xml version="1.0" encoding="UTF-8"?>
<dynamicfinding xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding
https://analysiscenter.veracode.com/resource/4.0/dynamicscaninfo.xsd"
app_id="<app id>" build_id="<build id>" flaw_id="2" engine_version="" cwe_id="402"
description="The security cookie does not have the "HttpOnly" attribute set. Using this attribute helps
to prevent client-side Javascript from accessing the cookie, thereby mitigating one of the most common XSS exploit
scenarios.
" remediation="Unless the application requires that cookies be accessible to Javascript code, set
the "HttpOnly" attribute when generating cookies.
"
parameter_type=""
parameter_name=""
parameter="Set-Cookie security HTTP response header"
original_arg=""
raw_response="HTTP/1.1 302 Found
Date: Tue, 01 Oct 2019 20:46:15 GMT
Server:
Apache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Expires:
Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma:
no-cache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Set-Cookie:
security=low
Location: login.php
Keep-Alive: timeout=65, max=100
Connection:
Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0

"
injected_arg="" referer_url="">
<request host="www.example.com" port="80" secure="false" raw_request="GET / HTTP/1.1
Host:
www.example.com#xd;
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0)
Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com
Accept:
*/*
Connection: keep-alive
Accept-Encoding: identity
Accept-Language:
en-us,en;q=0.5
Content-Length: 0

" method="GET" protocol="HTTP"
url="http://dvwa.sa.veracode.io/" path="/" uri="/" body="">
<header name="Host" value="www.example.com"/>
<header name="User-Agent" value="Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101
Firefox/21.0/Veracode Security Scan/support@veracode.com"/>
<header name="Accept" value="*/*"/>
<header name="Connection" value="keep-alive"/>
<header name="Accept-Encoding" value="identity"/>
<header name="Accept-Language" value="en-us,en;q=0.5"/>
<header name="Content-Length" value="0"/>
</request>
</dynamicfinding>