The getdynamicflaws.do call returns information on a specific flaw.
Before using this API, Veracode strongly recommends that you read API Usage and Access Guidelines.
For the REST version of this API, see Using the Findings REST API.
Resource URL
https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do
Permissions
You need the Results API role to use this call.
Parameters
Name | Type | Description |
---|---|---|
build_id (Required) | Integer | Application or sandbox build ID. |
flaw_id (Required) | Integer | Find flaw IDs on the Triage Flaws page in the Veracode Platform or in the issueid fields returned by the Detailed Report API. |
To locate the parameters for getdynamicflaws.do:
- Call getapplist.do to locate the app_id for your application.
- Call getbuildlist.do with the app_id to locate the current build_id for your application.
- Call detailedreport.do with the build_id to locate a flaw_id.
- In the XML code of the detailed report, find the report section for the target flaw and then find the issueid element in that section. The issueid is the flaw_id.
HTTPie Example
Examples use the HTTPie command-line tool. See Using HTTPie with the Python Authentication Library.
http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do" "build_id==<build id>" "flaw_id==2"
HTTPie Results
The getdynamicflaws.do call returns the dynamicfinding XML document, which references the dynamicfinding.xsd schema file. You can use the XSD schema file to validate the XML data. See the dynamicfinding.xsd schema documentation.
<?xml version="1.0" encoding="UTF-8"?>
<dynamicfinding xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
    xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding https://analysiscenter.veracode.com/resource/4.0/dynamicscaninfo.xsd"
    app_id="<app id>" build_id="<build id>" flaw_id="2" engine_version="" cwe_id="402"
    description="The security cookie does not have the &quot;HttpOnly&quot; attribute set. Using this attribute helps to prevent client-side Javascript from accessing the cookie, thereby mitigating one of the most common XSS exploit scenarios.
"
    remediation="Unless the application requires that cookies be accessible to Javascript code, set the &quot;HttpOnly&quot; attribute when generating cookies.
"
    parameter_type="" parameter_name="" parameter="Set-Cookie security HTTP response header" original_arg=""
    raw_response="HTTP/1.1 302 Found
Date: Tue, 01 Oct 2019 20:46:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Set-Cookie: security=low
Location: login.php
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0

"
    injected_arg="" referer_url="">
  <request host="www.example.com" port="80" secure="false"
      raw_request="GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com
Accept: */*
Connection: keep-alive
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Content-Length: 0

"
      method="GET" protocol="HTTP" url="http://dvwa.sa.veracode.io/" path="/" uri="/" body="">
    <header name="Host" value="www.example.com"/>
    <header name="User-Agent" value="Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com"/>
    <header name="Accept" value="*/*"/>
    <header name="Connection" value="keep-alive"/>
    <header name="Accept-Encoding" value="identity"/>
    <header name="Accept-Language" value="en-us,en;q=0.5"/>
    <header name="Content-Length" value="0"/>
  </request>
</dynamicfinding>
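As an added example (not Veracode's code), this Python code parses a dynamicfinding document like the one above and lists the cookies whose Set-Cookie header in raw_response lacks HttpOnly, the condition this sample finding reports. The names `triage` and `set_cookie_values` and the sample document are constructed for illustration; it assumes raw_response separates lines with carriage-return character references followed by a line break.

```python
import xml.etree.ElementTree as ET

NS = "https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
# Constructed sample shaped like the response above (IDs and cookie values are made up).
SAMPLE = """<dynamicfinding xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
 app_id="1" build_id="10" flaw_id="2" cwe_id="402"
 raw_response="HTTP/1.1 302 Found&#xd;
Set-Cookie: PHPSESSID=constructed; path=/&#xd;
Set-Cookie: PHPSESSID=constructed; path=/&#xd;
Set-Cookie: security=low&#xd;
Set-Cookie: csrf=constructed; Secure; HttpOnly&#xd;
Location: login.php&#xd;
&#xd;
Set-Cookie: body-text=ignored">
 <request host="www.example.com" port="80" secure="false" method="GET"/>
</dynamicfinding>"""


def set_cookie_values(raw):
    """Yield each Set-Cookie header value from a raw HTTP response, headers only."""
    # XML attribute normalization turns literal newlines into spaces, so split on
    # whichever line terminator survived parsing and strip every line.
    lines = raw.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        line = line.strip()
        if not line:  # blank line ends the header block; the body is not inspected
            return
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            yield value.strip()


def triage(xml_doc):
    """Return the flaw IDs and the names of cookies set without HttpOnly."""
    root = ET.fromstring(xml_doc)
    if root.tag != f"{{{NS}}}dynamicfinding":
        raise ValueError(f"unexpected root element {root.tag!r}")
    missing = []
    for value in set_cookie_values(root.get("raw_response", "")):
        cookie, *attrs = [part.strip() for part in value.split(";")]
        flags = {attr.split("=", 1)[0].lower() for attr in attrs}
        cookie_name = cookie.split("=", 1)[0]
        if "httponly" not in flags and cookie_name not in missing:
            missing.append(cookie_name)  # report each cookie name once
    return {"flaw_id": root.get("flaw_id"), "cwe_id": root.get("cwe_id"),
            "missing_httponly": missing}


if __name__ == "__main__":
    print(triage(SAMPLE))
```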