API Tutorial: How to Use the Mitigation Calls


This tutorial provides basic information on some of the tasks you can perform with the Mitigation and Comments API. It uses standalone curl requests, but you can combine the same calls in a wrapper script to chain several API calls together.

Note: Before you start, ensure that your Veracode user account has the permissions required to access and use the APIs.
  1. To mark a flaw found in scan results as a false positive, from the command line, enter: curl --compressed -u <VeracodeUsername> https://analysiscenter.veracode.com/api/updatemitigationinfo.do -F "build_id=<your build ID>" -F "action=fp" -F "comment=<your comment text>" -F "flaw_id_list=<your flaw IDs>". With -u <VeracodeUsername> and no password, curl prompts for the password.

    Where required, enter the build ID, which you can get from the buildlist.xml returned by the getbuildlist.do call, and the flaw IDs (comma-separated), which you find on the Triage Flaws page for that application in the Veracode Platform. You can also find the flaw IDs in the detailedreport.xml file.

    To list the builds of your chosen application, enter: curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/4.0/getbuildlist.do -F "app_id=<your app ID>". Enter the application ID from the applist.xml returned by the getapplist.do call. The buildlist.xml returned by this step contains the IDs of the builds for the application, such as: "<buildlist> <build build_id="49894" version="5.0"/> </buildlist>". Note that giving the password inline as -u <VeracodeUsername>:<VeracodePassword> leaves it in your shell history and in the process list, where other users on the host can read it; omit the password so that curl prompts for it, or keep it in ~/.netrc and call curl with --netrc.

  2. To accept the mitigation proposed for a flaw found in scan results, enter: curl --compressed -u <VeracodeUsername> https://analysiscenter.veracode.com/api/updatemitigationinfo.do -F "build_id=<your build ID>" -F "action=accepted" -F "comment=<your comment text>" -F "flaw_id_list=<your flaw IDs>".

    Where required, enter the build ID and the flaw IDs (comma-separated).
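The following wrapper script is an added example of combining the calls above, not code from Veracode or from this tutorial. It parses a buildlist.xml document to find the build ID for a given version, validates the flaw ID list before anything is sent, and builds the updatemitigationinfo.do request. It assumes curl is installed, that the credentials live in ~/.netrc (so the password never appears on the command line), and that only the two actions shown in this tutorial (fp and accepted) are wanted; the sample buildlist.xml is constructed for the example. It uses --form-string rather than -F for the field values, because with -F a value that begins with @ or < makes curl read and upload a local file.

```shell
#!/bin/sh
# Added example wrapper around getbuildlist.do and updatemitigationinfo.do.
# Not Veracode's own code. Assumptions: curl is installed, credentials are in
# ~/.netrc (curl --netrc), and only the actions fp and accepted are used.

API_BASE="https://analysiscenter.veracode.com/api"

# Constructed sample buildlist.xml, same shape as the document in the tutorial.
SAMPLE_BUILDLIST='<buildlist>
<build build_id="49894" version="5.0"/>
<build build_id="50112" version="5.1"/>
</buildlist>'

# Print every build_id from a buildlist.xml document read on stdin,
# one per line, in document order.
build_ids_from_xml() {
    awk '/<build / && match($0, /build_id="[0-9]+"/) {
        print substr($0, RSTART + 10, RLENGTH - 11)
    }'
}

# Print the build_id whose version attribute equals $1 (stdin = buildlist.xml).
# Returns 1 if no build carries that version.
build_id_for_version() {
    awk -v want="$1" '
        /<build / {
            id = ""; ver = ""
            if (match($0, /build_id="[0-9]+"/)) id = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, /version="[^"]*"/)) ver = substr($0, RSTART + 9, RLENGTH - 10)
            if (ver == want) { print id; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Accept only a non-empty comma-separated list of numeric flaw IDs, so a typo
# such as "12,,34" or a stray space is rejected before the request is sent.
validate_flaw_ids() {
    case "$1" in
        "" | ,* | *, | *,,* | *[!0-9,]*) return 1 ;;
    esac
    return 0
}

# Run the updatemitigationinfo.do call through the command given as $1
# (curl for a real call, show_args to inspect the arguments first).
#   $2 = action (fp or accepted), $3 = build_id, $4 = flaw_id_list, $5 = comment
# --form-string is used instead of -F: with -F, a value starting with @ or <
# makes curl read and upload a local file.
run_mitigation() {
    runner=$1; action=$2; build_id=$3; flaw_ids=$4; comment=$5
    case "$action" in
        fp | accepted) ;;
        *) echo "unsupported action: $action" >&2; return 2 ;;
    esac
    case "$build_id" in
        "" | *[!0-9]*) echo "build_id must be numeric" >&2; return 2 ;;
    esac
    validate_flaw_ids "$flaw_ids" || { echo "bad flaw_id_list: $flaw_ids" >&2; return 2; }
    "$runner" --compressed --netrc \
        --form-string "build_id=$build_id" \
        --form-string "action=$action" \
        --form-string "comment=$comment" \
        --form-string "flaw_id_list=$flaw_ids" \
        "$API_BASE/updatemitigationinfo.do"
}

# Prints its arguments one per line; used in place of curl for a dry run.
show_args() { printf '%s\n' "$@"; }

# Demo on the constructed sample: resolve the build for version 5.0, then show
# the curl arguments that would mark flaws 12 and 34 as false positives.
demo_build=$(printf '%s\n' "$SAMPLE_BUILDLIST" | build_id_for_version 5.0)
run_mitigation show_args fp "$demo_build" "12,34" "Input is validated upstream"
```

To send the request for real, replace show_args with curl, for example `run_mitigation curl accepted 49894 "12,34" "Mitigation reviewed"`, and feed the real buildlist.xml (`curl --compressed --netrc "$API_BASE/4.0/getbuildlist.do" --form-string "app_id=<your app ID>"`) into build_id_for_version instead of the sample.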